Opinion: VoIP security industry -- guilty as charged
VoIP is, in essence, a time bomb, poised for a massive exploit
Network World - We in the IT security industry are collectively guilty for allowing a fundamentally insecure system such as voice over IP (VoIP) to be launched into the market.
We've known for years that only "secure out of the box" should be the default. Yet VoIP is not only insecure by default, it's almost impossible to make natively secure. What's worse, VoIP end devices (the phones) are full computers -- usually with their own Web browser and (insecure) file transfer protocols to manage the firmware updates. So just as organizations are coming to grips with managing the vulnerabilities on their PCs, we have just doubled the management nightmare.
The return-on-investment claims made for moving to VoIP rarely stand up to proper scrutiny. The phones cost more than a standard "business" phone, and have a reduced replacement cycle. In its November 2006 report, Gartner Inc. said "IP telephony technology, in many cases, can be more expensive than equivalent TDM-based PBX Systems."
The ability to benefit from toll-bypass (routing your voice traffic over your private WAN to take advantage of spare WAN capacity) is frustrated by the fact that peak time for voice traffic is also the peak time for data traffic on the WAN. Most network managers that I know are looking for ways to offload peak traffic from congested, expensive corporate WAN links -- not add huge volumes.
The ability to integrate your computer and your phone is another "benefit" that is on a salesperson's list, with features such as Click to Call, Find Me/Follow Me and Unified Messaging, but in reality companies rarely take any advantage of such computer-telephony integration options.
Then toss in all the extra Band-Aid solutions you need to add, from VoIP firewalls to specialist VoIP security assessments (just run a Google search for "VoIP security solutions"), to make it even partially secure, and the extra management for firmware upgrades, vulnerability assessment and mitigation, and, of course, the WAN upgrades, and all of a sudden those incredible savings the salesperson promised magically disappear.
VoIP is, in essence, a time bomb, poised for a massive exploit. With VoIP gaining traction in the corporate world, from boardrooms to the world's financial trading floors, VoIP is a public security exploit waiting to happen -- with large potential consequences. But unfortunately, this may be what is needed before the industry agrees to take VoIP security seriously.
The historical problems with being able to listen in to conversations that people assumed were secure (or where people assumed security through complexity) are well known: In the 1980s, the world became aware of problems with analog cell phone security when tabloid journalists printed details of an intimate cell phone conversation between Prince Charles (then married to Princess Diana) and Camilla Parker Bowles. We're at the stage now with VoIP that something like that is likely to happen, but with consequences far more serious than embarrassment on the part of the British royal family.