May 17, 2006
(IDG News Service)
STOCKHOLM -- Equipment interoperability problems and confusion over who is responsible for security are to blame for the lack of security in voice over IP, an issue that's a major concern for IT administrators, said experts speaking at VON Europe on Wednesday.
The technology and standards for securing VoIP are not the issue, said Tim Jasionowski, senior technologist for voice and rich media technologies at Nokia Corp. The problem is that most companies aren't using many of the technologies.
That's mainly because unless a company uses a single vendor for every piece of equipment in the network, including phones, IP-PBXs, firewalls and all other components in between, then security technologies such as Transport Layer Security (TLS) are unlikely to run smoothly across multivendor equipment, he said.
Even if an enterprise decides to standardize on a single vendor, it might have additional limits on the products it chooses. That's because not all major vendors are building support for security standards like TLS into their products, and those that do don't necessarily support it across their entire product range, said Cullen Jennings, distinguished engineer at Cisco Systems Inc.
Once companies decide to extend VoIP into mobile devices, they face additional problems, but not because the standards and technology don't exist. Ideally, a company might want to run Wi-Fi Protected Access to secure the Wi-Fi connection on a wireless device, an authentication mechanism for users that may attach to public hot spots, a virtual private network for accessing the corporate network and possibly other security techniques.
"That's great if you have a nuclear power plant in your pocket attached to your mobile phone," Jasionowski said. Running all those security applications requires processing and power, both features in short supply on mobile devices.
In addition, the market hasn't worked out who is responsible for security and who is responsible for enforcing that security, said Ari Takanen, chief technology officer at Codenomicon Ltd. Currently, layers of security are offered by service providers and equipment makers, and sometimes their efforts overlap. Without making it clear who is responsible, no source is liable for security issues, he said.
Enterprises can improve their chances of boosting security on their VoIP networks in a couple of ways. One way is to carefully examining the type of tests that vendors say they run on their products to make sure they work, Takanen said. Organizations like the Protos Project, a collaboration between the University of Oulu in Finland and VTT Electronics, can help buyers test products, he said.
In addition, companies are responsible for demanding that vendors make products that interoperate, Jasionowski said. In the meantime, product managers are making decisions against interoperability against the advice of their engineering staffs in hopes of securing more business, he said.