Modems that transmit data over public phone networks still pose a considerable threat to security, and vulnerable data networks can give hackers a new avenue to access vulnerable voice networks. Defending against the new generation of "converged threats" that traverse voice and data networks is a hidden cost of deploying VOIP technology and can change the calculus of moving to converged networks, said Andy Zmolek, security senior designer at Avaya Inc. on Wednesday.
So-called "converged networks" that carry voice and data traffic using VOIP technology can bring tremendous benefits to companies that embrace the technology. However, companies need to plan their transition to converged networks carefully and weigh the added security risks in advance to avoid added costs from hacking or costly security add-ons after the fact, said Zmolek, who was speaking in an online session at Ziff Davis Medias Security Virtual Tradeshow (Ziff Davis Media is the parent of eWEEK.com).
VOIP might mean that voice information is traveling over the same pipes as other data, but that doesnt mean that traditional data protection products are adequate to protecting voice assets, Zmolek said.
"If you just treat voice like another application on the data network and you miss the new perimeter it creates, then youve only addressed half the problem," he said.
While they might not be cutting-edge technology, modems attached to critical servers or desktop systems that can be accessed over phone lines still pose a real risk to enterprise networks.
"How many of you think about access to your telephone network? How much attention is paid to your telephone perimeter?" Zmolek asked attendees to the online session, "Facing the Dark Side of Convergence."
Threats from phone hacking include unauthorized use of company bandwidth, subscription fraud and toll fraud, in which attackers use a companys voice system to run up expensive toll calls, sometimes totaling $75,000 or $100,000 over a weekend in bogus charges, he said.
Voice systems can also hold critical data such as passwords and Social Security numbers submitted through interactive voice response systems, he said.
Converged networks increase the number of ways outside attackers can access data on voice systems, by creating bridges between vulnerable data servers and voice infrastructure, and vice versa, he said.
"The weaknesses of one world become a means for threatening the other. A voice exploit can be used to target the data network, and vulnerabilities on the data network are now a problem for the voice world," he said.
Organizations that soberly consider the security risks before they make the transition to converged networks can often address most or all of the security threats with little additional cost to deploy the technology, he said.
Private branch exchange and voice gateway devices usually have security features built in that can restrict the types of services they offer. In addition, technology vendors like SecureLogix Corp. sell voice management and security products that monitor and control access to and from voice gateway devices, much like how Internet firewalls filter data traffic, he said.
Ultimately, protecting voice and data traffic involves many of the same steps: hardening critical servers and perimeter defenses, implementing identity and access management technology, and using encryption to protect data from digital eavesdropping, he said.
Still, organizations that plan on switching to VOIP and converged networks just to save money, but arent considering additional applications of the technology or the added exposure that converged networks bring may end up with an unpleasant surprise, as the cost of securing the new VOIP network and preserving quality of service change the calculus of VOIP deployments, he said.
"[Security] doesnt need to change the value proposition … but if the cost of [phone system] adds, moves and changes is the underlying value proposition, thats trivial and I dont think justifies the investment," Zmolek said.