There's a problem larger than eavesdropping or Denial of Service (DoS) when it comes to VoIP security -- and it's that enterprise customers and even some channel partners don't believe there is a real problem.
"What we deal with more than security is the integrity of the call," said Bill S. Annino Jr., director of the network convergence solutions group at Exeter, R.I.-based solution provider Carousel Industries.
For some partners, VoIP security solutions aren't on the radar because many enterprise customers don't ask for them. Customer apathy stems from a combination of factors, including a lack of publicized VoIP breaches, budget constraints and a lack of regulatory requirements for reporting problems on voice networks.
"There hasn't been that high-profile hack. No bank has stood up and said there's been a problem," said Rick Dalmazzi, president and CEO of VoIPshield Systems, which researches voice vulnerabilities and sells security applications. "On the data side, regulators force companies to disclose [a major breach], but we don't have that on the VoIP side." Regulatory bodies from industries including healthcare and financial services require companies to report data network breaches.
Other partners say VoIP security solutions aren't an easy sell in a rough economy.
"A lot of things we sell today make customers more productive or can save them money, and security is a difficult sell there," said Ray Nelson, chief technology officer of Consultedge, a Juniper partner with a large VoIP and security practice.
But analysts warn that as VoIP uptake grows and voice becomes further intermingled with data in the network, threats will rise and a major breach will occur.
"Where things start changing is when VoIP evolves from being an IP version of a traditional TDM [time-division multiplexing] system to being part of unified communications," said Ted Ritter, an analyst at Nemertes Research, adding that until now many VoIP systems were kept separate from data. "Now it's part of the whole IT infrastructure, and there are also more exposed ways to get at the system."
According to Nemertes' recent unified communications and collaboration benchmark survey, there is already heavy VoIP market penetration, with 20% of enterprises having full deployment of VoIP, 43% having expanding deployment, 25% having limited deployment and 4% currently in pilot. Among those respondents, 60% said VoIP is their first step to UC.
Other analysts warn that VoIP vulnerability will grow as data systems get stronger.
"There are two things that drive attackers to target systems, the cost benefit of the attack and familiarity," said Paul Kocher, president and chief scientist of Cryptography Research. "It's easier to attack someone's phone systems than [data]. Other systems are getting hardened more quickly, so now they will go after the softer targets."
Not-so-secret VoIP network vulnerabilities
VoIPshield is on a mission to find these soft targets and publicize them. The company does "ethical hacking," meaning its employees purposely crack systems from the four big providers -- Cisco, Nortel, Avaya and Microsoft -- in order to find and report vulnerabilities.
When VoIPshield first began reporting these vulnerabilities earlier this year, Cisco, Nortel and Avaya ignored the tiny security lab and application maker. But when VoIPshield continued finding and reporting problems, all three manufacturers owned up and began publicizing the problems on their own websites. It was big headway in the VoIP security market.
This week, Microsoft is in the hot seat. VoIPshield reported Wednesday that it had found vulnerabilities in audio and instant messaging, specifically in Microsoft's Office Communications Server 2007, Office Communicator and Windows Live Messenger. VoIPshield warned of DoS not just for the messaging applications but for the entire desktop environment.
Dalmazzi said all it takes is a little poking around on the Internet to find talk about breaches. He said you can find people writing on Asterisk websites, "I just had my system hacked and someone tried to do telemarketing from my system."
Breaking down the vulnerabilities
VoIPshield breaks down vulnerabilities into five categories. The most common is DoS, which can happen when hackers either flood a system with calls to bring down a network or disrupt specific streams of voice packets, cutting off service.
But eavesdropping can cause the most serious compliance issues. In an eavesdropping attack, hackers listen in on voice packet flows, for instance, coming out of a contact center that might include identity information. That problem can be addressed by encryption, but it is difficult to encrypt every flow of voice packets along an entire network without causing latency.
Theft is also a problem. Once hackers are in the voice system, they can find their way to the data network and even more secure information. And finally there is IP telephony spam and so-called vishing, the voice version of phishing. Hackers can do caller ID spoofing on a VoIP system, which enables them to place calls to victims pretending to be, for example, a credit card company, to ask for private information.
VoIP security solutions are about as easy to pin down as the problems they address. There are numerous approaches ranging from basic VPN and firewalls to user authorization, voice encryption, network monitoring and mirroring, and a host of edge fixes like session border control for SIP trunking. SIP trunking is when VoIP systems can directly launch a session onto the public or service provider network, providing an opening for the local network.
Some partners say just starting out with a strong network is the best answer.
"If you have correct best practices around IP telephony architecture, it shouldn't be too much of a problem," said Lawrence Imeish, principal consultant at Dimension Data. Basics include firewalls to protect the voice virtual LAN (VLAN) and more traditional telephony fixes like security codes. He said Cisco's networks provide these fixes.
Manfred Arndt, distinguished technologist and convergence solutions architect for HP ProCurve, said the VoIP security approach has to combine solutions.
"The way ProCurve is encouraging security is through a multilayer approach," Arndt said.
Other than basic firewalling and VPNs, Anrdt said ProCurve recommends network access control (NAC) to authenticate clients. Once devices are on the network, there should be monitoring. Intrusion prevention or detection applications can be deployed throughout the network, constantly looking at samplings of packets. He stressed that these applications can be overlaid and should be chosen only if they are able to work on network components from any manufacturer.
VoIPshield's appliance plugs into the PBX and looks for problems in behavioral patterns, as well as the signatures that it has found in its friendly hacking research.
What partners can do
It's not easy for partners to push VoIP security solutions.
"Small companies say, 'Hey, I am willing to take the risk,'" Arndt said. But the bigger companies know they are more exposed, and this may be where partners have to start.
Dieter Rencken, senior product manager for ShoreTel, said once partners start serving those larger customers, they'll be ready when the smaller companies come looking.
"I don't know if security is huge in the sales process," Rencken said, but if a provider can't answer security questions, "it will disqualify them from that deal."
At this point, it's about educating clients.
"The struggle that you have as a reseller if you load the quote with too many things [is] you look too expensive. We give a base quote, but we give options to put a security quote onto that," said Nelson. "When the customer says, 'Why are you adding that?' you can start the conversation.
In the meantime, partners can start with the fundamentals.
"For the channel partners, doing the installation and support and making sure their technicians know basic things like how to choose a strong password and which features need to go behind a firewall instead of on the Internet [are important]. Basic hygiene goes a long way," Kocher said. For example, 90% of customers don't turn on the basic security functions that come with their networking components, he said.