LONDON—Enterprise voice-over-IP systems can be made reliable and secure, but to do it, many IT managers will have to do a lot more than they’re doing now, said security experts at this week’s VON Europe conference here.
Executives from Alcatel, Hewlett-Packard Co., Cisco Systems Inc. and security firm Codenomicon Ltd. agreed that voice running on a company’s IP network is just like any other application, with the same kinds of vulnerabilities and similar processes for ensuring security. The problem, they said, is that many companies are not up to scratch on security best practices—a situation that may be acceptable for e-mail and Web systems, but that can only lead to trouble when voice comes into the picture.
“Switching to VOIP broadens the scope of what you have to worry about,” said Cisco Technical Marketing Engineer Greg Moore. “It opens up all the problems that affect the Internet, including worms and denial-of-service attacks.”
Enterprise IP telephony is distinct from “voice over the Internet” in that it almost always takes place over companies’ own managed data networks, and thus is insulated from the vagaries of the public network. For that reason enterprise VOIP systems are among the easiest to secure, after long-distance bypass systems, according to Alcatel Director of Security Research Francois Cosquer. More complex are residential systems and especially voice over the Internet, he said.
That said, many companies haven’t taken basic steps to secure their data networks, said Moore. “When they go to put voice on their network, the telecoms manager is like, ‘No way are you putting my voice on your insecure network,’” he said.
The advent of VOIP means well-known exploits such as man-in-the-middle attacks can intercept not just e-mails, but voice conversations with customers or between executives, Moore said. Besides the run-of-the-mill e-mail worms, there will inevitably be viruses aimed specifically at VOIP systems—and even VOIP spam, warned Alcatel’s Cosquer.
Then there are software vulnerabilities, an issue that can’t be addressed by security protocols or standards, said Ari Takanen, chief executive of Codenomicon. “The problem of software quality is hard to solve. All software will have mistakes, and on the Internet everybody will be kicking it and punching it to find out what those mistakes are,” he said. “If you know a vulnerability, you can disable that software from anywhere, at any time, repeatedly.” The answer is third-party testing, Takanen said.
For all the seriousness of these problems, there are preventative steps that can be readily taken. Some are as simple as turning off Microsoft Corp.’s Internet Information Services if it’s not needed, since 80 percent of the attacks on Windows are aimed at IIS, according to Moore. “That alone makes Windows as secure as Linux,” he said.
Modern routers also include features that can stop attacks such as denial-of-service and man-in-the-middle—though of course configuring these adds to the difficulty of setup. “There is always a cost for security, whether it’s in dollars or in complexity,” Moore said.
It’s a different matter with voice over wireless LAN, where the biggest issue is quality of service rather than security. Even without extra security measures, the typical WLAN tends to fall over under the burden of more than one or two voice conversations, according to industry observers. When security measures such as VPNs are introduced, it gets worse: “You move to a different subnet, and the VPN no longer recognizes you,” said HP VOIP Program Manager Marie-Paule Odini.
Then again, the vulnerabilities of “open” Internet Protocol must be put into perspective against those of the “closed” public switched telephone network. “Somebody can go outside my house and listen to my calls in 5 seconds,” said Cosquer. He noted that most people don’t bother encrypting their e-mail, and don’t think twice about discussing important deals on their cell phones in public places such as trains and airports. “Encrypt VOIP, why not? But let’s not lose track of what assets we are trying to protect here,” he said.
IP systems can be more robust than traditional phone networks, said Moore: “After 9/11, the PBXs went down and the VOIP systems stayed up. Disaster recovery is easier with IPPBXs.”
The security debate can be something of a distraction from the real issues of VOIP, said Cosquer. “There is not really a choice between IP and traditional networks,” he said. “IP is what the research and development resources are going into. We are going to have a good IP-based infrastructure.”