Veteran IT managers charged with securing a new implementation of voice-over-IP (VoIP) technology – the cheaper and more flexible way to make phone calls – could be forgiven for feeling a sense of déjà vu. The old PSTN (public switched telephone network) phone system was the first target of network hacking, a practice then known as 'phreaking'. Now organisations' internal phone systems are facing many of the same security threats that plagued the telcos and then their own data networks, such as eavesdropping, service hijacking and service interruption.
Many companies are ducking this issue – much in the same way as some chose to reduce exposure to risk in the early days of the Internet – by opting to restrict VoIP networks to the confines of their own offices. In such cases, the session initiation protocol (SIP), a standard for converged communications, is used internally, but SIP-based VoIP calls are not accepted from outside the organisation, and are instead routed over the PSTN.
This avoids problems such as 'spit', short for spam-over-Internet telephony. Spit operates in much the same way as spam email: perpetrators guess SIP addresses in order to make higher volumes of unsolicited marketing calls, faster and more cheaply than they could over traditional phone networks. But restricting VoIP in this way also inhibits many of the benefits of unified communications, such as same-number access to individuals, regardless of their communication method or device.
In spite of the similarity of the threats, common methods of protecting IP networks are not always applicable to VoIP. Firewalls, virtual private networks (VPNs) and encryption tend to introduce latency, and therefore quality problems, for a purely real-time application like voice. Whereas quarantining an email for a minute makes no difference the vast majority of the time, in a VoIP call a delay of 50 milliseconds can create echo and a delay of over 250 milliseconds can lead to people talking over each other.
The need to minimise latency also increases the potential for disruption from a denial of service attack, which, to succeed in a voice environment, needs only to delay packets for a split second.
VoIP terminals can also increase physical security risks. "Phones are no longer just dumb handsets but become intelligent terminals," says Forrester Research analyst Elizabeth Herrell. "They provide more points of access into the network." Encryption can provide protection if phones are "tapped". Both the content of a call and its signalling can be encrypted, so even if someone does intercept VoIP traffic, they cannot understand it.
Products such as Cisco's CallManager are also digitally 'signed', so it can be proven that a call came from a certain CallManager. However, according to Paul King, principal security consultant for Cisco UK, encryption has not as yet been widely utilised. "Encryption has not had a huge take-up, but that's because there's not a huge threat. Phone conversations are usually unclassified and companies with sensitive information would not let their employees give out that kind of information over the phone."
Research group Gartner insists "making enterprise networks secure enough for business-quality IP telephony is not rocket science – it is well within the capabilities of most businesses." General security principles still stand, and analysts warn not to think of VoIP in isolation from the rest of the network.
Lessons can also be learnt from how telcos secured their public switched telephone networks (PSTNs) from phreakers. When voice and data are separated onto different VLANs, a compromise of one does not harm the other, with the added gain that voice traffic can be prioritised over data, ensuring quality of service. This way, phone networks can come full circle to be as secure and reliable as their predecessors.