Is enterprise VoIP (voice over IP) due for a security wakeup call or are the threats mostly exaggerated? It depends on who’s talking.
“The security aspects of enterprise VoIP have been overblown,” says Irwin Lazar, senior analyst at the Burton Group. “There’s a lot more attention being paid to the fear of attack than what is actually possible.”
Roger Farnsworth, manager of marketing for Secure IP Communications at Cisco, concurs: “VoIP systems can be at least as secure as traditional voice systems, and future IP technologies and voice applications will make them even more secure.”
But Mark Collier, CEO of SecureLogix, a vendor of voice management and security platforms for both traditional phone systems and VoIP, isn’t completely sold. “With IP at its foundation, it’s simply unrealistic to expect VoIP to be any more robust than e-mail, the Web, or DNS,” he says.
Hold the phone. E-mail? The Web? DNS? Who in their right mind would move from the rock-solid service of legacy enterprise telephony to a platform that’s no more secure than e-mail?
Just Another App
In fact, enterprise VoIP is essentially just another application on the IP network. The principal elements of today’s typical enterprise IP telephony systems are call control servers, which usually run on an operating system such as Linux, Windows, or VxWorks; VoIP clients, which are either handsets or softphones; and VoIP gateways, which sit at the edge of the network and translate between VoIP and the PSTN. They all use some relatively standard protocols -- typically either the International Telecommunication Union’s H.323 series of protocols or the IETF’s SIP for the servers and clients and the MGCP (Media Gateway Control Protocol) or Megaco/H.248 protocols for gateways. And the vast majority share the data network, depend on the same routers and switches for voice packet transport, and, ideally, interface with other data applications, including messaging.
So, theoretically, at least, VoIP systems are as vulnerable to attack as other data applications. The list of potential threats is staggering and includes DoS attacks, viruses, worms, Trojans, packet sniffing, spam, and phishing. Spam? If you remember the dark days before do-not-call lists, imagine the potential of SPIT (spam over Internet telephony). “If I want to send 100 calls, I have to dial 100 times or use an autodialer,” says Andrew Graydon, vice president of technology at BorderWare Technolgies. “But with an IP connection, I could upload a WAV file to a computer in the Bahamas, press a button, and send it to 2,000 employees
Click for larger view.
Nonetheless, vendors and analysts emphasize that IP PBXes run on a variety of operating systems, usually stripped down and hardened, and use a mix of still-evolving standards and more proprietary protocols, such as Cisco’s Skinny call control protocol, making VoIP apps more difficult to target than typical data applications.