VOIP: Don't overlook security
Computerworld - Corporations that are implementing voice over IP (VOIP) technologies in a bid to cut communications costs shouldn't overlook the security risks that can crop up when the voice and data worlds converge, users and analysts say.
Most users implementing VOIP these days are primarily concerned about voice quality, latency and interoperability. All are fundamental quality-of-service considerations that companies need to deal with before they can even begin justifying the move to VOIP.
But some security organizations are cautioning users about the dangers of unsecured VOIP services. For instance, in an August 2001 paper on its Web site, the Bethesda, Md.-based SANS Institute warned of privacy- and authentication-related issues stemming from VOIP services and urged users to apply the same precautions they've used to protect their data services.
"With the convergence of the voice and data worlds, the real similarities of the security concerns will become apparent," the SANS report said, urging users to take measures such as encrypting voice services, building redundancy into their VOIP networks, locking down their VOIP servers and performing regular security audits.
Without a sharp focus on security as well, VOIP will never make it into corporate use, say users and analysts.
With VOIP, voice traffic is carried over a packet-switched data network via Internet Protocol. VOIP networks treat voice as another form of data but use sophisticated voice-compression algorithms to ensure optimal bandwidth utilization. As a result, VOIP networks are able to carry many more voice calls than traditional switched circuit networks. VOIP also enables enhanced services such as unified communications.
Voice as Data
Securing voice traffic on such networks isn't very different from securing any data traffic on an IP network, says David Krauthamer, director of IT at Advanced Fibre Communications Inc. (AFC), a Petaluma, Calif.-based manufacturer of telecommunications equipment. AFC is using limited VOIP communications internally and may use it for external communications as well.
"VOIP security needs to be handled in the overall context of data security," Krauthamer says.
But there are some aspects of VOIP networks that users need to pay close attention to, says Christopher Kemmerer, an analyst at NexTiraOne Inc., an integrator of voice and data networks in Houston.
In a VOIP world, private branch exchanges (PBX) are replaced by server-based IP PBXs running on Microsoft Corp.'s Windows NT or a vendor's proprietary operating system. Such call management boxes, which are used both for serving up VOIP services and for logging call information, are susceptible to virus attacks and hackers. Break-ins of these servers could result in the loss or compromise of potentially sensitive data, Kemmerer says.
Consequently, it's important that such equipment is properly locked down, placed behind firewalls, patched against vulnerabilities and frequently monitored using intrusion-detection systems, he says.
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Live Webcast How to serve up a Grand Slam with a scalable IT Infrastructure for cloud, big data and advanced analytics Register today to attend this webcast, and see examples of how The U.S. Tennis Association, Wimbledon and U.S. Golf Association are using the...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Live Webcast IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!