Industry group sets out to make VoIP secure

IDG News Service - A group formed to head off voice-over-IP (VoIP) security problems laid out its first set of priorities yesterday: setting up a taxonomy to classify threats and establishing the requirements for making VoIP secure.

The VoIP Security Alliance (VOIPSA), which was established last month and includes Verizon Communications Inc., Nortel Networks Corp., VeriSign Inc., PricewaterhouseCoopers and about 50 other vendors and service providers, also announced its first board of directors.

Initially, the group will set up two committees, according to David Endler, VOIPSA chairman and director of security research at Tipping Point, a 3Com Corp. company that sells intrusion-prevention gear. One committee will figure out a way to classify threats; the other will define security requirements for VoIP equipment and security components, as well as for network architecture and management and user authentication.
Armed with the results from these committees, VOIPSA will move on to defining best practices, developing test methodologies, driving research into vulnerabilities and educating the industry and public, Endler said.

VOIPSA isn't intended as a standards organization but as a vendor-independent resource for the industry, he said. The organization aims to prevent a common problem with popular new technologies, such as Wi-Fi wireless LANs, in which the technology is quickly adopted and only later does the industry find and address security problems, Endler said.

Potential dangers to VoIP include distributed denial-of-service (DDoS) attacks, voice spam and a form of phishing in which attackers spoof the phone number of a legitimate caller on a Caller ID display, Endler said. The threats are only beginning to emerge, but over time they're likely to proliferate, even getting into the hands of inexperienced hackers known as script kiddies, he said.

"The same security threats that plague data networks today are inherited by VoIP," Endler said. But the addition of VoIP as an application on the network makes those threats even more dangerous, he added. For example, a DDoS attack may slow down someone browsing the Web, but on a VoIP network it could prevent 911 calls. "By adding VOIP components to your data network, you're also adding new security requirements," Endler said.

Though the group has a broad roster of equipment vendors, service providers and security companies, major VoIP names such as Cisco Systems Inc., Vonage Holdings Corp. and chip maker Texas Instruments Inc. are not yet members. Those companies all have been invited, Endler said.

Cisco declined the invitation because it's already working on enhancing VoIP security through standards organizations such as the Internet Engineering Task Force, International Telecommunication Union and