When the VOIP Security Alliance announced its existence on Monday, the group said that it was focusing on the kinds of threats we already see on the Internet. Things such as spam aimed at VOIP systems, denial-of-service attacks, perhaps exploits aimed at telephony equipment or at routers that move calls from place to place. It's a nice idea in one way. It is ahead of the threat.
But it begs some larger questions. Two of these are: first, how is the packetized traffic used by VOIP somehow different from other traffic? And second, what on earth is your mission-critical voice traffic doing on the Internet anyway?
While VOIPSA makes some good points about the need to protect voice traffic, in reality such protection depends on exactly the same good network design as that for data traffic. Yes, you must make sure that your firewalls and routers are designed to handle voice traffic and the signaling that goes with it, but the problem is not fundamentally different. And yes, voice traffic is much more sensitive to jitter and latency than are other types of data traffic, but once again, these issues are related to good network design and proper configuration. They aren't security issues that are somehow unique to VOIP.
Yes, you will have to have your network properly designed if you plan to add VOIP to your data network. You will need to implement QOS (quality of service) protocols on the switches, routers or other infrastructure through which your voice traffic must pass. And you must make sure that you implement firewalls that don't introduce too much latency and that are also able to pass the H.323 or SIP (Session Initiation Protocol) signaling information that your VOIP system will need. And yes, you must use a firewall. But again, this is all part of proper design that you'd use for any sensitive traffic, not just VOIP.
The statements given by the VOIPSA members when they announced the organization make references to the problems that might be caused by Internet-based attacks against a corporate network that carries both data and voice traffic. And that brings up the second issue. Why in the world would you be exposing yourself to that risk in the first place?
The open Internet is a wonderful thing. It's absolutely vital as a business tool, and it's critical for commerce as we know it. But that doesn't mean this is the place you should put your mission-critical voice traffic. It's not designed for that. Leaving aside the security issues, you have no control over the quality of the connection you're going to be depending on. You have no way to enforce quality requirements. You can't do anything about congestion, packet loss or delays, and you can't do anything about latency.
Yes, plenty of voice traffic goes over the Internet every day, and a lot of it does very well. But that doesn't mean you can depend on it, because you can't. Likewise, you can't depend on the Internet to meet your security needs. And you shouldn't. If you need a long-haul backbone to connect major offices, you also need a dedicated network with guaranteed bandwidth and the service-level agreements to make sure it stays that way. And while you should routinely encrypt such traffic anyway, you aren't likely to be running across the hackers, worms, viruses and other evidence of barbarism that you find on the Internet.
And in those cases where you have no choice but to use the Internet, you use the same security practices you would use for other sensitive data, including a good solid firewall at each end and a well-designed VPN (virtual private network) tunnel in between. And yes, there will still be risks to people who use Vonage and other private VOIP services, but those shouldn't be part of your corporate solution in any case.
None of this is to suggest that VOIPSA is a bad idea. It's not. As was said in a recent interview, it gets the problem on everyone's radar, at least. And that's important. VOIP security isn't really any different from the security on your data network, but it's also no less important. If the organization accomplishes that, it will have accomplished a lot.