Security and VoIP

By Howard Schmidt


The movement towards Voice over Internet Protocol (VoIP) is unstoppable. The private sector, a leading indicator of where technology is headed, is driving the VoIP trend. As many as 66% of large organizations in the US will be using VoIP products and services by 2010[1], says one analyst.

There are strong arguments for routing voice over the Internet or other IP-based networks. For instance, according to a panel at March’s Information Technology Association of America (ITAA) event, the U.S. government could recognize a $10 billion cost savings by switching to VoIP. That’s a compelling benefit. When you look at this from a business return-on-investment standpoint, I know of very few better cases.

One of the many questions that we need to ask about VoIP is whether it is just another application that can be folded into current network operations and, if so, how easy it will be to securely integrate it into our current environment. As with any other relatively new technology, the right answer to both is, “it depends.”

VoIP is just another IP-based application, but to leave it at that is over-simplifying things. There are some well-founded concerns around the security and reliability of any type of voice network. As an IP-enabled, network-connected technology, VoIP can fall victim to criminals seeking to undermine the availability and security of service, opening new chinks in the network security defenses. There continues to be the potential issue of software vulnerabilities as the criminals do more to target the applications in addition to the traditional “network” hacking. While the threat of cyber criminals eavesdropping on VoIP conversations has achieved buzzword-worthy status, Denial of Service (DoS) attacks that impact Quality of Service (QoS) are a much likelier threat. We have even seen law enforcement 911 call centers that have successfully switched to VoIP systems scramble to find pens and paper to deal with calls when the system has been affected by a security issue. Simple things like power outages, loss of Internet connectivity and limited bandwidth affect VoIP. As with any newer technology, security and reliability need to be factored into deployment plans.

One of the key issues we deal with on the security front is that some network defenses, like data firewalls, which many organizations rely on to keep their networks safe, were not built to account for voice-based applications. Network administrators, therefore, could find themselves re-engineering network defense systems to accommodate the voice application, turning what should be an easy install into a drawn-out, management-heavy implementation. Designing for the security and reliability of VoIP should be undertaken from the very beginning stages of discussion and not when a problem occurs.

So, assuming VoIP is a given, how do you ensure that your approach doesn’t cause more problems than it solves? Here are three recommendations to consider:

  1. Choose your vendor wisely. In a report published earlier this year[2], Gartner warns against treating voice and data networks as though they are the same, and recommends selecting a voice vendor separately from the network infrastructure. In some cases “one size fits all,” but in others one should select what works best for their enterprise. Flexibility and cost are at stake here, among other things. Deploying a new phone system carries enough of a burden without adding the need for new switches as well.

  2. “It’s just another application” aside, network administrators implementing VoIP should do so on a virtual LAN (VLAN) separate from the data VLAN. This limits the ability of threats that take advantage of the vulnerabilities of one network protocol to jump to the other, and ensures that QoS, or guaranteed performance level, is maintained in a converged LAN.

  3. While it’s true that many in-place network security products aren’t designed to find and stop threats on voice networks, there are technologies that can secure voice networks. What’s key here is to look for solutions that deploy at network Layers 2 and 3, below the application layer. This placement means that the security product is looking at network traffic patterns to determine if something looks off and requires further investigation and/or action.
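
As an added illustration of recommendations 2 and 3 (this is example code, not part of the original article), the sketch below audits Layer 3 flow records for traffic that crosses between the voice and data segments and for sources flooding a voice host. The subnets, the single SIP exception, the packet threshold and the flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing plan (not from the article): one subnet per VLAN.
VOICE_NET = ipaddress.ip_network("10.20.0.0/24")
DATA_NET = ipaddress.ip_network("10.10.0.0/24")
# Assumed exception: data-VLAN softphones may reach the call server on SIP.
ALLOWED_CROSS = {("10.20.0.5", "udp", 5060)}
# Assumed ceiling on packets one source may send one voice host per interval.
MAX_PKTS_PER_INTERVAL = 5000

# Constructed flow records for one interval: (src, dst, proto, dst_port, packets)
FLOWS = [
    ("10.20.0.31", "10.20.0.5", "udp", 5060, 12),      # phone -> call server
    ("10.20.0.31", "10.20.0.32", "udp", 16384, 3000),  # phone-to-phone media
    ("10.10.0.77", "10.20.0.5", "udp", 5060, 9),       # permitted softphone
    ("10.10.0.90", "10.20.0.31", "tcp", 80, 4),        # data host -> phone
    ("10.20.0.40", "10.10.0.12", "tcp", 445, 20),      # phone -> file server
    ("10.20.0.66", "10.20.0.5", "udp", 5060, 48000),   # flood at call server
]

def segment(ip):
    """Map an address to the segment ("voice", "data", "other") it lives in."""
    addr = ipaddress.ip_address(ip)
    if addr in VOICE_NET:
        return "voice"
    if addr in DATA_NET:
        return "data"
    return "other"

def audit(flows):
    """Return (segment crossings not on the allow list, flooding src/dst pairs)."""
    crossings = []
    volume = defaultdict(int)
    for src, dst, proto, port, pkts in flows:
        s, d = segment(src), segment(dst)
        # A flow with one end in each segment breaks the VLAN separation
        # unless it matches an explicitly permitted destination.
        if {s, d} == {"voice", "data"} and (dst, proto, port) not in ALLOWED_CROSS:
            crossings.append((src, dst, proto, port))
        # Total the packets each source sends to each voice host.
        if d == "voice":
            volume[(src, dst)] += pkts
    floods = sorted(p for p, n in volume.items() if n > MAX_PKTS_PER_INTERVAL)
    return crossings, floods

if __name__ == "__main__":
    crossings, floods = audit(FLOWS)
    print("segment crossings:", crossings)
    print("possible floods:", floods)
```
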

While I strongly believe that the benefits of VoIP outweigh its risks, it doesn’t come with a simple “on” switch. But, if set up intelligently and with security measures in place, it should prove to become an integral, “how did I live without it?” part of our operations.

________________________________________________________________________

Howard A. Schmidt, CISSP, CISM, is president and CEO of R&H Security Consulting LLC and a Special Agent/computer crime investigator with the US Army CID. Formerly vice president and CISO for eBay, CSO for Microsoft, and Chief Security Strategist for the US CERT Partners Program, Schmidt also served President George W. Bush as vice chair of the President’s Critical Infrastructure Protection Board and Special Advisor for Cyberspace Security for the White House. He sits on a number of corporate boards and is an adjunct professor with Georgia Tech’s Information Security Center.






[1] Infonetics, User Plans for VoIP, North America, 2006, Infonetics.

[2] Pitfalls lurk where IP Telephony meets Network Access Control, Gartner, January 25, 2006.


© 2006 InfraGard All Rights Reserved - Site Design: CostaDesigns.com