Alliance maps VOIP best practices

An industry group is working toward a best-practices document that will spell out for businesses how to build secure VoIP networks using specific makes and models of equipment.

While the report won’t be available until next year, it will be a practical implementation guide to securely set up VoIP, says Andrew Graydon, a director of the VOIP Security Alliance (VOIPSA), the group writing the papers.

The document will present sample deployments that have been tested by VOIPSA and found to be interoperable and secure, he says. The guide won’t be ready until after another VOIPSA report that will be released by year-end. The project is third on a list of tasks the group is addressing, and VOIPSA is still soliciting members of a committee to work on it.

Vulnerability is a major concern for businesses implementing VoIP and for governments that want to guarantee reliable phone service to sustain their economies. A German government agency this week released its own list of VoIP threats. The German report finds the risk of IP-voice service interruption so great that it recommends keeping voice and data networks separate — undermining convergence.

Earlier this year in the U.S., the National Institute of Standards and Technology (NIST) issued its own report on the subject, including recommendations for avoiding security pitfalls. Unlike VOIPSA’s work, which is being done mainly by vendors with an eye toward the nuts and bolts of implementing networks, NIST’s document was made by government researchers setting principles to follow when doing so.

VOIPSA recently cataloged 36 pages of potential VoIP vulnerabilities and plans to issue a separate document by year-end that describes, without mentioning vendors, how technologies can protect networks.

The list of potential vulnerabilities, called “VoIP Security and Privacy Threat Taxonomy,” defines potential threats, Graydon says. In addition, the taxonomy can inform businesses considering VoIP about known threats so they can deal with them. “It describes a set of risks you need to be mindful of, specific issues you might want to be concerned about,” says Jonathan Zar, the head of the project.

The study lists potential problems including theft of service, spamming, intentional disruption of services, number harvesting, man-in-the-middle attacks, call rerouting and altering conversations. Solutions for some of these problems exist today.

VoIP, as a software application running on IP networks, is open to many threats, says Art Manion, an Internet security analyst for the Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh. While the potential exists, he says he is unaware of any exploit being carried out to exclusively target VoIP.

“Every piece of software has vulnerabilities, and that includes VoIP software,” Manion says. “A VoIP phone is a small computer, so the same problems that affect Web servers and browsers can affect VoIP.”

VoIP is also susceptible to general network threats, such as denial-of-service attacks, worms and viruses. These don’t have to take down the network entirely to affect a voice call; they just have to cause enough delay and jitter to break up the stream of voice packets and cause audible disruption, he says. Assuring the general security of the network is a must for VoIP security.
