VoIP security safeguards -- they may be there already

Protecting your VoIP system may be easier than you think, especially since many of the necessary tools are already there.

Wanna be clued in on a little secret? VoIP security isn't all that difficult after all.

Actually, a lot of the necessary tools and tricks to lock down and secure a voice network are there already; they just have to be used correctly.

"It's not an add-on," Kevin Flynn, senior manager of unified communications for Cisco, said about VoIP security. "It's built into the network already or in the VoIP products themselves."

According to Flynn, pretty much every facet of VoIP security should already be part of the data network, so finding ways to apply those safeguards to VoIP should be a breeze.

"These are things a company ought to be doing anyway," he said. "They ought to be doing antivirus in the network, access control and IDS. It's stuff they already own."

Yankee Group vice president Zeus Kerravala agreed. He said some of the biggest security issues affecting VoIP now are not necessarily VoIP specific, but broader networking issues. He said many more voice-specific concerns stem from vendor hype than from actual issues.

"You can take care of a lot of [VoIP security issues] with QoS and by minimizing the amount of malicious traffic on the network," Kerravala said. "But you should be doing that already anyway."

Flynn said many enterprises that are new to the VoIP arena fall prey to some myths and misconceptions when they begin thinking about VoIP security. And though a lot of it is hype, he said, security and security best practices are still an important part of a VoIP deployment. He noted, however, that companies need to "respect security, not be afraid of it."

One common fear, according to Flynn, is that putting voice traffic over the data network will expose the voice system to the security problems that can often plague the network. A secure infrastructure, he said, allows for a secure VoIP infrastructure as well.

"What they should do is protect the infrastructure itself," he said. "You can't have a secure voice system over an insecure data infrastructure. If they put VoIP traffic on the data network, data problems are going to affect VoIP traffic – you have to segment. Your biggest problem is going to be bad stuff on the data network getting into the voice network."

Another key, Flynn said, is segmentation. Separate voice and data traffic. "Separation is next to godliness," he said. VoIP security 101 is segmenting traffic into VLANs. One way is to block PC port access to the voice VLAN.
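
One way to check the separation Flynn describes, as an added example that is not part of the original article: a short Python audit over a constructed Cisco IOS-style switch configuration that flags phone ports whose voice VLAN is not kept apart from the data VLAN. The interface names, VLAN numbers and the two audit rules are assumptions made for illustration.

```python
import re

# Constructed sample in Cisco IOS style; interface names and VLAN IDs are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 10
!
interface GigabitEthernet1/0/3
 switchport mode trunk
 switchport voice vlan 110
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 20
"""

def audit_voice_segmentation(config_text):
    """Return {interface: [findings]} for ports that carry a voice VLAN."""
    ports, current = {}, None
    for line in config_text.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), {})
        m = re.match(r"\s+switchport (mode|access vlan|voice vlan) (\S+)", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    report = {}
    for name, cfg in ports.items():
        if "voice vlan" not in cfg:
            continue  # no phone expected on this port
        findings = []
        # Assumed rule 1: with no access VLAN set, IOS defaults the port to VLAN 1.
        if cfg["voice vlan"] == cfg.get("access vlan", "1"):
            findings.append("voice and data share one VLAN")
        # Assumed rule 2: a phone port should be a static access port.
        if cfg.get("mode") != "access":
            findings.append("port is not a static access port")
        report[name] = findings
    return report

if __name__ == "__main__":
    for port, findings in audit_voice_segmentation(SAMPLE_CONFIG).items():
        print(port, "OK" if not findings else "; ".join(findings))
```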

A secure VoIP deployment starts with protection at four levels: the infrastructure, call management, endpoints and applications. The systems need to be designed so that they can be managed and understood as a whole.

"Look at all four levels," Flynn said. "Look at what's there already. Separate the traffic, architect it appropriately and protect the infrastructure. If you miss one, the bad guys will find your weakness."

And the bad guys will be out there. According to a recent report from the SANS Institute, VoIP systems will be among the most popular targets for security attacks come 2007. Mary Allan, telecom technology manager at a Fortune 500 company, said she knows that VoIP security is necessary, but added that her organization has yet to develop a watertight VoIP security plan. Allan admits that her company has its share of VoIP-related security concerns, but it has yet to delve deeply into them.

Nevertheless, she said, her company is taking some measures to ensure VoIP safety.

"Our primary concern is keeping the hardware away from the Internet as much as possible," Allan said. "We do that by assigning private subnets and managing devices -- antivirus, security -- internally.

"Having said that, we also have a lot of work to do, especially with IP endpoints and extended topologies," she continued. "I would advise any company to make [VoIP] security one of [its] leading initiatives when considering an IP [telephony] solution, rather than making it an afterthought -- or worse, a reactive measurement taken when there's been a breach."

Additional concerns, Allan said, come from the difference in hardware when a company switches from TDM to an IP telephony world.

"In the traditional world, TDM systems were really secure from a hardware perspective, and our biggest risk was toll fraud," she said. "In the IPT world, the boxes have needs -- i.e., patching -- that voice people haven't faced before. That puts us at a distinct disadvantage for managing the hardware, and we have to rely on other groups in the company to help us -- either by training or actual management. That presents a whole set of issues regarding control, standards, compliance by the vendor to corporate standards, and testing patches before deploying -- just to name a few."

Although Allan's Fortune 500 company has yet to institute any formal VoIP security policies or best practices, it has strong security policies in place for the existing network, she said. The company is piggy-backing on that until the IP telephony architecture is more widely deployed, at which time it'll include a standard specific to voice.

Still, Allan recommends that companies get VoIP security on their radar screens now. She said many companies are unaware of the threats that can be introduced through IP endpoints and need to safeguard the voice network now, before it's too late.

"I think it's too far down the list of considerations, based on the fact that most people wouldn't care if their phone was tapped into," she said. "The lack of understanding related to how IP endpoints can become another point of entry for a virus or worm contributes to that. Taking a pessimistic approach, the assumption is that hackers are already working hard on how to use IPT to get inside a network. Security in general for telecommunications has always seemed to be an afterthought, but we're now part of a much bigger community with more at stake."

Allan said she would advise telecom and voice teams to meet with folks on the security side to develop a VoIP security action plan. VoIP security differs from standard network security, she said, so a new set of best practices may be needed. Flynn agreed, advising companies to take into account the knowledge and expertise of all of IT, including voice operations, the networking group, the security team and the folks on the business side.

"The security team needs to know what we're doing and needs to understand how VoIP is a different beast on the same pipe to make the best decisions on what to do," Allan said. "I don't know that the standard security best practices are all a 100% fit into VoIP, and that's a challenge for me personally to work on."
