VoIP Security, service provision in a hostile world

Voice-over-IP (VoIP) services continue to attract attention with most enterprise users exploring the benefits of VoIP while both carriers and service providers are starting to offer VoIP based services.

The term VoIP covers a wide range of service offerings including business grade services and peer-to-peer services aimed at consumers and end-users. For businesses, VoIP offers efficiencies and enhanced services by linking voice and data applications and delivering converged communication applications that integrate email, Instant Messaging and telephony. Further integration couples these converged communication applications with back-office database systems making VoIP services a favourite of call centres but equally applicable in other industry sectors.

The benefits of VoIP are obvious and have been extensively documented, but an equally important aspect that receives a lot less attention is security. It is easy to forget that, as its name suggests, VoIP is an IP service and as such is open to all of the security threats that affect services such as web and email. There are also a range of application specific threats that stem from the design of the VoIP protocols and the nature of the application itself. Security is often overlooked because users consider their VoIP systems to be restricted to internal use and therefore isolated from other network and because they see little evidence of threats.

The reality is that a completely isolated VoIP system is a rarity. Any level of voice/data integration and any use of softphones on laptops or PDAs links the VoIP system and the data network where emails and web downloads require external links. There are also pressures for more direct links including the use of trunking services, disaster recovery requirements, the need to extend the VoIP network to roaming users or home workers or simply to be able to make VoIP calls to other organisations. Any of these connections brings VoIP into contact with the hostile world of the Internet.

Unless steps are taken to protect the VoIP infrastructure, it is vulnerable to external threats and attacks that could seriously disrupt the service or lead to complete failure. At very least these threats have the potential to negate the benefits of installing VoIP, but the risks extend to loss of control over the system, loss of call confidentiality and integrity or complete service failure.

Peter Cox, CTO of Borderware, will be speaking at FIRST Security Conference in Sevilla. FIRST is the premier organization and recognized global leader in incident response. For more info, visit FIRST's website at http://www.first.org.