A diverse group of equipment and software vendors, security companies, and researchers has banded together to form a new organization aimed at keeping voice over IP threats from hurting the growth of the technology.
The VOIP Security Alliance is intended to help companies with discussion lists, white papers and research efforts. The organization plans to produce tools, procedures and best practices for public use.
“We found that our customers who were in the enterprise or security space were asking us the same questions,” said David Endler, chairman of the VOIP Security Alliance and director of Digital Vaccine for TippingPoint, a division of 3Com Corp. Endler said the questions revolved around threats from the open Internet, best practices and testing procedures. TippingPoint took a lead in forming the organization, he added.
“TippingPoint is providing secretariat services,” Endler said, “but this is not just a TippingPoint group.” Endler said that until the formation Monday of the VOIP Security Alliance, there was no central repository for answering the fundamental questions about VOIP security.
“One of the things that the VOIP Security Alliance targets is actual threats in VOIP,” Endler said. “Now they are most of the same threats that affect traditional data networks.” But as VOIP matures, Endler said that new threats will emerge.
“Think of it as an ecosystem,” Endler said, explaining that complex VOIP networks contain provisioning systems, authentication servers, encryption and a number of other services. He said that any of the systems added as a part of a VOIP network open new avenues of vulnerability. “There’s a misconception that adding these extra components doesn’t place any extra requirement on the network, but it does,” Endler said.
Endler predicted that as VOIP becomes more widely adopted, exploits of its security weaknesses will start to appear. “You’ll see VOIP as the next stage in things like spam,” Endler said. “In order for VOIP to succeed, it must be secure.”
Jon Arnold, an analyst and VOIP program leader at Frost & Sullivan Ltd., said that much of the sudden interest in VOIP security came from a recent National Institute of Standards and Technology report that stressed the need for federal agencies planning to use VOIP to do so securely. “In our security-conscious era, these are easy targets,” Arnold said. “Everybody knows what viruses and spam are about. The tone of that report is in line with that thinking. If anything bad can happen, it probably will.”
Arnold said the formation of the VOIP Security Alliance is a little ahead of the reality, which he thinks is a good thing. “It’s a very timely thing to have,” Arnold said. “They’re being proactive about it. Better not to wait for systems to crash, companies to get ruined, lawsuits.
“The question is whether the technology can be managed properly,” Arnold said. “While we have technology to control it, bringing up this issue makes it an everyday item. At least it’s on the radar. Better we should deal with this now rather than ignoring it.”
Arnold pointed out that the effort is still very much out in front of the problem. For example, there have been no exploits of VOIP to date, he said. “The scale of deployment is really small. It’s not a big enough target to bring in the bad guys,” he said. “It remains to be seen how much of a threat this really is, but the potential is there.”
For its part, the VOIP Security Alliance is planning to announce additional members this month, adding to the 23 individuals and companies that are currently part of the alliance, and the organization expects to start things rolling in March. “We’ll be launching near-term projects in mid-March,” Endler said. These will include security involving deployment, testing and tools, he said. The organization has already launched its mailing list, which can be requested on its Web site.