If your company is planning to exploit the incredible power, flexibility and cost savings offered by VoIP, there are two things you need to know: VoIP people don’t think like IP people; security is going to be a nightmare.
Recently I spoke with the leading VoIP folks from around the world. This elite group represents VoIP subsidiaries and working divisions of something like 94 per cent of the planet’s telecom service providers. I got called in to provide an in-context and out-of-context view of VoIP and security. I began with a couple of easy, soft-pitch questions.
Or so I thought.
“How many of you use penetration testing as means to maintain the integrity and continually test the security of your VoIP networks?” I asked. Not one hand went up. I figured there was a language problem, so I rephrased the question. “How many of you have a dedicated staff of security people whose sole job is to stress the network to find problems before the customer does?” Again, no hands were raised.
After recovering from my shock, I asked, “Why don’t you?” The most common response was, “Why should we?”
That’s when I retreated to the security basics. I talked about how denial of service and distributed DoS can paralyze VoIP, and about data-transfer integrity, and asked, “What are you guys doing about this?” They shrugged.
The VoIP community has not travailed with us for the last 25 years and learned the lessons of virtual venom and online conflict. Their biggest concerns are, first, QoS (they get paid more and earn greater profits when the QoS is high; they lose points and money when QoS is low) and, second, billing accuracy.
Historically, the endpoints of communications have been dumb. One lesson the IP world has learned is that complexity breeds insecurity; dumber is securer.
But the world the VoIP crowd is building uses endpoints that are much smarter. Therefore, the VoIP version of security is bass-ackwards from the IP approach. And you’re planning on bringing VoIP into your enterprise?
Hmmm… Next, I asked this group of now-nervous VoIP nellies, “Can any of you tell me where your VoIP and data networks meet, converge, talk to each other, share facilities, etc.?” Silence. I rephrased the question: “How do your VoIP and data networks talk to each other?” Still sort of blank stares.
One guy chirped, “Ah,…they don’t.” Incredulous, I asked a number of people whether their VoIP and data networks were completely isolated from each other, and the consensus was that they were disparate networks.
I whipped out a Sharpie, ran to the flip chart and scribbled some clouds, cylinders and routers. After several Pollock-esque flourishes, someone called out, “Mine connects there,” and someone else said, “Sure, it has to connect here and there and there to make it work.” It was just that they apparently had never been asked the question in a security sort of way.
Over the next several hours, we learned a great deal. The communications world is moving toward VoIP but does not have the security expertise it needs in-house to meet the real-world stress it will encounter. I learned a lesson I should never forget: I assumed these guys were security-clueful, and I was dead wrong.
They learned, I hope, that the threats the VoIP industry is going to face will be merely variants of what it has already seen more than once. I also hope they carried away something more important: an awareness that security must be designed in from the beginning and that the next generation of VoIP gear must have a more aggressive security posture than the current one.
As for you? If you’re getting into the VoIP world, great, but be cautious. Make sure you put on your bad-guy hat and stress the vendor and the technology. In a few short minutes it’s not too difficult to come up with a healthy range of attack vectors. Better for you to detect and delay VoIP deployment problems than to dive headlong into a place none of us want to revisit.
Quick Link051979
Schwartau is a security writer, lecturer and president of Interpact, a security-awareness consulting firm. He can be reached at winn@thesecurityawarenesscompany.com.