Industry group sets out to make VOIP secure

A group formed to head off VOIP (voice over Internet Protocol) security problems laid out its first set of priorities on Monday: setting up a taxonomy to classify threats and establishing the requirements for making VOIP secure.

The VOIP Security Alliance (VOIPSA), which was established last month and includes Verizon Communications, Nortel Networks, VeriSign, PricewaterhouseCoopers and about 50 other vendors and service providers, also announced its first board of directors.

Initially, the group will set up two committees, according to David Endler, VOIPSA chairman and director of security research at Tipping Point, a 3Com Corp. company that sells intrusion prevention gear. One committee will figure out a way to classify threats and the other will define security requirements for VOIP equipment and security components, as well as for network architecture and management and user authentication. Armed with the results of these committees, VOIPSA will move on to defining best practices, developing test methodologies, driving research into vulnerabilities and educating the industry and public, Endler said. VOIPSA is not intended as a standards organization but as a vendor-independent resource for the industry, he said.

VOIPSA aims to prevent a common problem with popular new technologies, such as Wi-Fi wireless LANs, in which the technology is quickly adopted and only later does the industry find and address security problems, Endler said.

Potential dangers to VOIP include DDOS (distributed denial of service) attacks, voice spam and a form of phishing in which attackers could spoof the phone number of a legitimate caller on a caller ID display, Endler said. The threats are only beginning to emerge, but over time they're likely to proliferate, even getting into the hands of inexperienced hackers known as "script kiddies," he said.

"The same security threats that plague data networks today are inherited by VOIP," Endler said. But the addition of VOIP as an application on the network makes those threats even more dangerous, he added. For example, a DDOS attack may slow down someone browsing the Web, but on a VOIP network it could prevent 911 calls, he said. "By adding VOIP components to your data network, you're also adding new security requirements."

Though the group has a broad roster of equipment vendors, service providers and security companies, major VOIP names such as Cisco Systems Inc., Vonage Holdings Corp. and chip maker Texas Instruments Inc. are not yet members. Those companies all have been invited, Endler said.

Cisco declined the invitation because it's already working on enhancing VOIP security through standards organizations such as the Internet Engineering Task Force, International Telecommunication Union and SIP (Session Initiation Protocol) Forum, said Roger Farnsworth, a Cisco product marketing manager. Cisco believes it ships secure VOIP systems today and has published its own set of guidelines for implementing secure IP telephony as part of the Cisco SAFE Blueprint series, he said.

"We thought it would be redundant to join another group that is addressing these problems," Farnsworth said. "If they specify activities that are in the interests of the industry and aligned with Cisco's interests, we'll be the first to line up," he added.

IDC VOIP analyst William Stofega is cautiously optimistic about the alliance.

"I think they have enough critical mass between carriers and vendors that it should provide enough momentum to solve some of the outstanding problems," Stofega said. However, the addition of more service providers and a dominant company such as Cisco or Microsoft Corp. would help, he added.

Other major threats to VOIP networks include spam calling, tapping into calls and denial of service, Stofega said.

One frequently overlooked area that should be addressed in VOIPSA's guidelines is physical security for server rooms, Stofega said. An attacker who gets access to a server can wreak havoc, and the results could be especially devastating if that server is running a company's phone calls, he said.