printer friendly version

VoIP security still a major issue

A recent column by Steve Taylor, president of Distributed Networking Associates, writing for Network World in the US is instructive. As networking starts to impact on the design and installations of security solutions, so the need to secure these solutions becomes increasingly important. Taylor's comments on how security concerns are impeding voice-over-IP implementation are a red flag to end-users and purveyors of network-based security solutions, and it is for this reason that his thoughts are published in Hi-Tech Security Solutions this month.

Says Taylor, "According to Webtorial's recent 2003 VoIP 'State of the market report' (available for download at www.webtorials.com), about 40% of the approximately 300 respondents cited security as one of the top four reasons why they have not deployed VoIP. Digging deeper into the results, about 25% of the respondents cited concern about security of the network infrastructure as a major problem, while the rest took a less drastic view of the problem."

Taylor suggested that when asked about security of the network infrastructure vs the security of voice content, the greater concern was about the infrastructure.

"The recent Blaster and SoBig-f attacks demonstrate that some of these concerns are well-founded - especially if the network infrastructure is not appropriately cared for. Some VoIP users who did not apply patches to protect against Blaster found their VoIP networks bogged down along with their data applications. Blaster-type attacks will force companies to take patches and upgrades more seriously. This additional diligence in securing the data network will have the side benefit of protecting the VoIP infrastructure," he maintains.

"But SoBig-f exposed a separate and equally disturbing VoIP vulnerability. By affecting e-mail, SoBig-f had a severe effect on thousands - if not millions - of PCs. While e-mail problems were being resolved, the PC became unusable for other applications. If you are dependent on your PC for telephony, when your PC becomes unstable, your phone becomes unstable, too. This raises some serious questions about the wisdom of adopting soft phones - software that turns PCs into IP-based phones - as a part of overall VoIP implementation."

Added taylor, "According to the 'State of the market report', end users strongly favour maintaining their traditional phones as part of their overall voice infrastructure. When asked about the importance of integrating traditional phones into the VoIP infrastructure and given five choices from 'not important at all' to 'extremely important', more than half of the respondents chose 'very important' or 'extremely important'. It is not clear whether security concerns were a part of this desire to maintain traditional phones at the time the survey was taken, but it is another issue that must be considered."

Concluded Taylor, "Overall, virus/worm incidents should not have a major effect on the VoIP market. These are data security issues, and when they are addressed for the data network, the VoIP installation will be addressed by default. But virus/worm incidents do indicate that if you are getting ready to go full-throttle with VoIP, it is common sense to apply any applicable patches to keep your infrastructure up to date."

Perhaps it is about time the security integrators started acquainting themselves with the potential hindrances to the roll out of network-based solutions?

Share this article:

Further reading: