Issue 199: VOIP Security Update
I moderated a panel at Interop New York last week on VOIP security, and the participants, Jonathan Rosenberg of Cisco and Dan York of Voxeo, both expressed what seems to be the consensus of experts on this topic: It’s not the exotic-sounding, interestingly-named VOIP attacks that are your biggest concerns. Indeed, the best approach for securing VOIP is one that essentially tracks traditional IT security best practices.
You shouldn’t stay up at night worrying about SPIT and VOMIT (what is it with VOIP security and bodily fluids?). As Jonathan Rosenberg pointed out, IP-telephony isn’t free yet, and so spam over IP-telephony (SPIT) isn’t as cost-effective as traditional email spam. If those economics change, you might need to reassess, but for now, SPIT remains, as Jonathan pointed out, more a favorite of tech headline writers than of Internet bad guys.
Basically, the principles to follow in VOIP security center on protecting your assets from those most likely to attempt (and succeed at) a breach. That means having defenses in place against insider attacks that target big blocks of valuable, resellable information—customer data from the call center being an example that Rosenberg called out.
Another general security principle that applies is that widespread SIP adoption is likely to create challenges for IP-telephony security, for two reasons: ubiquity and complexity, both of which breed security problems.
As one of the authors of SIP, Rosenberg believes strongly in the protocol, but he conceded that once most enterprises (and carriers) have transitioned to SIP as their primary or only call control/connection protocol, this will represent a fat target, just as there are more attacks on Windows PCs than Macs. Furthermore, SIP is a complex protocol, and “where there is complexity, there is vulnerability.”
That goes not just for the protocol itself, but for IP architecture and functionality in general. Many IP phones contain Web or SSH servers, so when you deploy 1,000 SIP phones, you’re also deploying 1,000 Web servers that you have to protect, Rosenberg said: “You’ve got to treat it as a computer that’s been deployed out there.”
Another thing to watch out for is what Dan York described as a “self-inflicted denial-of-service,” which isn’t a security attack per se, but could have the effect of such an attack. What he was talking about is a situation in which you have some kind of temporary outage, or maybe you’re cutting over a large site, and all of your SIP clients try to re-register at once, crashing the network.
If that scenario sounds familiar, it’s basically what Skype claimed had occurred when it suffered an outage this past summer, except instead of SIP phones it was Skype clients all re-registering at once, supposedly after Microsoft’s Patch Tuesday took them down for an update.
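The re-registration storm described above can be sketched numerically. This is an added example, not from the panel or the original column; the client count, the registrar capacity, and the jitter-plus-backoff mitigation it compares against are assumptions chosen for illustration.

```python
import random

def simulate(n_clients, capacity, spread_s, backoff, seed=1):
    """Model a registrar that accepts `capacity` REGISTERs per second and
    drops the rest. Returns (peak_offered_load, dropped, seconds_to_recover)."""
    rng = random.Random(seed)          # fixed seed: repeatable runs
    # First attempt after the outage: uniform in [0, spread_s). spread_s=1
    # means every client fires in the same second (the storm case).
    next_try = [rng.randrange(spread_s) for _ in range(n_clients)]
    attempts = [0] * n_clients
    pending = set(range(n_clients))
    t = peak = dropped = 0
    while pending:
        due = [c for c in pending if next_try[c] == t]
        rng.shuffle(due)               # registrar has no favourites
        peak = max(peak, len(due))
        for c in due[:capacity]:       # served: registration restored
            pending.discard(c)
        for c in due[capacity:]:       # dropped: client must retry
            dropped += 1
            attempts[c] += 1
            if backoff:                # randomized exponential backoff
                delay = 1 + rng.randrange(2 ** min(attempts[c], 6))
            else:                      # fixed timer keeps the herd in lockstep
                delay = 1
            next_try[c] = t + delay
        t += 1
    return peak, dropped, t

# Constructed scenario: 1,000 phones, registrar handles 50 REGISTER/s.
STORM = simulate(1000, 50, spread_s=1, backoff=False)
SPREAD = simulate(1000, 50, spread_s=30, backoff=True)

if __name__ == "__main__":
    for name, (peak, drops, secs) in (("lockstep", STORM), ("jittered", SPREAD)):
        print(f"{name:9} peak={peak:4}/s dropped={drops:5} recovered in {secs}s")
```

In the lockstep run the registrar is offered 1,000 requests in the first second and 9,500 attempts are dropped before the last phone registers at the 20-second mark; spreading first attempts over 30 seconds keeps the offered load near the registrar's capacity.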
Finally, Dan York is chairman of the VOIP Security Alliance Best Practices group, so I asked him if there is such a thing as a VOIP security best practices document. Turns out there isn’t one yet, but that VOIPSA is planning to put one out.
For now, the best practice, in general, seems to be to apply IT security best practices, in the broadest possible sense of that term, to your VOIP security approach. You don’t have to think differently about VOIP security—but you do have to think about it.
What do you think? Drop me a note here in the VoiceCon Enews Forum or directly at ekrapf@cmp.com
Eric H. Krapf
Editor, Business Communications Review
VoiceCon Program Chair


