Voice over IP, commonly referred to as VoIP, has a threat model that resembles that of data networks far more than that of traditional circuit-switched voice networks. Not only does VoIP inherit most of the reliability issues and security threats of data networks, it is exposed to additional vulnerabilities because voice is a real-time, mission-critical service. A data packet that arrives a second late is usually inconsequential to the recipient; a voice packet that arrives a second late is useless, because the conversation has already moved on. For many companies, an attack that brings their website down for an hour is a problem; an attack that cuts off phone communications for an hour is catastrophic.
VoIP requires the IT infrastructure to meet stringent targets for latency (the total time a packet is in transit), jitter (the variation in the time between packets arriving) and packet loss (voice packets that never reach their destination). Because the media stream cannot wait for retransmission and cannot tolerate much inspection delay, these targets leave less room for the protective measures a data network would apply, and they lower the bar for an attacker: a flood or a burst of queueing delay that a web server would absorb already degrades or destroys a call. The result is implementations that are vulnerable to various forms of security attack.
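To make the jitter and loss targets concrete, here is an added example (not code from the original article or from VoIPshield) that computes the RFC 3550 interarrival jitter estimate and the packet loss of an RTP audio stream from its sequence numbers, RTP timestamps and arrival times, and flags a call whose metrics exceed the commonly cited rules of thumb of 30 ms jitter and 1% loss (both threshold values are assumed for the example). The two packet traces are constructed: a clean 20 ms G.711 stream, and the same stream after a flood fills the link so that queueing delay grows by 50 ms per packet for one second and three packets are dropped.

```python
"""Added example, not from the original article: measuring the RTP metrics
(jitter and packet loss) that a VoIP deployment must keep within bounds.

Jitter follows the RFC 3550 interarrival estimator; loss is derived from
sequence-number gaps.  Thresholds and packet traces are constructed here.
"""
from dataclasses import dataclass

CLOCK_HZ = 8000        # G.711 RTP clock rate: 8000 ticks per second
PTIME_TICKS = 160      # 20 ms of audio per packet = 160 ticks
MAX_JITTER_MS = 30.0   # assumed rule-of-thumb limit for acceptable voice
MAX_LOSS_PCT = 1.0     # assumed rule-of-thumb limit for acceptable voice


@dataclass
class RtpPacket:
    seq: int           # 16-bit RTP sequence number
    ts: int            # RTP timestamp in sender clock ticks
    arrival_ms: float  # receiver wall-clock arrival time in milliseconds


def jitter_trajectory_ms(packets):
    """RFC 3550 section 6.4.1: J = J + (|D(i-1,i)| - J) / 16, where D is the
    change in transit time between consecutive packets.  Returns the running
    estimate after each packet, converted from clock ticks to milliseconds."""
    jitter_ticks = 0.0
    trajectory = []
    prev = None
    for pkt in packets:
        if prev is not None:
            arrival_delta = (pkt.arrival_ms - prev.arrival_ms) * CLOCK_HZ / 1000
            d = arrival_delta - (pkt.ts - prev.ts)
            jitter_ticks += (abs(d) - jitter_ticks) / 16
        trajectory.append(jitter_ticks * 1000 / CLOCK_HZ)
        prev = pkt
    return trajectory


def expected_and_lost(packets):
    """Count packets the sequence numbers say were sent versus received.
    Handles 16-bit sequence wraparound; assumes in-order arrival."""
    cycles = 0
    prev_seq = None
    first_ext = last_ext = None
    for pkt in packets:
        if prev_seq is not None and pkt.seq < prev_seq - 32768:
            cycles += 65536            # sequence number wrapped
        ext = cycles + pkt.seq
        first_ext = ext if first_ext is None else first_ext
        last_ext = ext
        prev_seq = pkt.seq
    expected = last_ext - first_ext + 1
    return expected, expected - len(packets)


def assess_stream(packets):
    """Return the metrics plus a verdict against the assumed thresholds."""
    trajectory = jitter_trajectory_ms(packets)
    expected, lost = expected_and_lost(packets)
    loss_pct = 100.0 * lost / expected
    peak = max(trajectory)
    ok = peak <= MAX_JITTER_MS and loss_pct <= MAX_LOSS_PCT
    return {"peak_jitter_ms": round(peak, 2), "final_jitter_ms": round(trajectory[-1], 2),
            "expected": expected, "lost": lost, "loss_pct": round(loss_pct, 2),
            "verdict": "ok" if ok else "degraded"}


def clean_stream(n=50):
    """Constructed: n packets, 20 ms apart, arriving exactly on time."""
    return [RtpPacket(i, i * PTIME_TICKS, 20.0 * i) for i in range(n)]


def degraded_stream(n=50):
    """Constructed: the same stream with queueing delay growing by 50 ms per
    packet from packet 20 to 39 (a flood filling the link), then holding at
    1 s, with packets 45-47 lost."""
    packets = []
    for i in range(n):
        if i in (45, 46, 47):
            continue
        delay = min(max(i - 19, 0), 20) * 50.0   # 0 ms ... 1000 ms, then constant
        packets.append(RtpPacket(i, i * PTIME_TICKS, 20.0 * i + delay))
    return packets


if __name__ == "__main__":
    for name, stream in (("clean", clean_stream()), ("degraded", degraded_stream())):
        print(name, assess_stream(stream))
```

The RFC 3550 estimator is deliberately smoothed (a 1/16 gain), so a single delayed packet barely moves it while a sustained queue build-up does; reporting the peak of the running estimate, as above, is what catches a short flood that a single end-of-call RTCP report would average away.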
The chart shows common VoIP security threats and their impact to companies and individuals:
Traditional security products, designed and built to protect data networks, are not equipped to identify and mitigate the vulnerabilities that vendors have inadvertently built into VoIP products and networks. An Intrusion Prevention System (IPS), for example, examines data traffic for known attack signatures. Examining voice traffic for those same signatures is useless: attacks on call signalling and media have their own signatures, and unless the IPS knows about and checks for them, the voice network is open to attack.
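As an added example (not code from the original article or from VoIPshield), here is a minimal SIP-aware detector in Python that shows the kind of check a voice-specific IPS has to make and a data-network signature set never will: it parses SIP request start-lines and headers and raises an alert on an INVITE flood from one source and on a REGISTER sweep across many extensions from one source. The traffic, the sliding window and the two thresholds are all constructed for the example; the IP addresses are documentation ranges.

```python
"""Added example, not from the original article: a minimal SIP-aware detector.

A generic IPS matching data-network exploit signatures sees a SIP INVITE
flood or an extension-enumeration sweep as ordinary text over UDP.  This
script parses SIP requests and applies two VoIP-specific rate rules.
All traffic, window sizes and thresholds below are constructed.
"""
from collections import defaultdict, deque
import re

WINDOW_S = 10             # sliding window in seconds (assumed)
INVITE_FLOOD = 20         # INVITEs per source per window (assumed threshold)
SCAN_DISTINCT_USERS = 15  # distinct REGISTER targets per source per window (assumed)

REQUEST_LINE = re.compile(r"^([A-Z]+)\s+(\S+)\s+SIP/2\.0$")


def parse_sip_request(raw):
    """Return (method, request_uri, headers) for a SIP request, or None if
    the message is not a SIP request (e.g. HTTP, or a SIP response)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())  # keep first occurrence
    return m.group(1), m.group(2), headers


def sip_user(uri):
    """Extract the user part of 'sip:user@host', also from '<...>' forms with display names."""
    m = re.search(r"sip:([^@>;\s]+)@", uri)
    return m.group(1) if m else None


class SipDetector:
    def __init__(self):
        self.invites = defaultdict(deque)    # src -> deque of (arrival time,)
        self.registers = defaultdict(deque)  # src -> deque of (arrival time, target user)
        self.fired = set()                   # (rule, src) pairs already alerted
        self.alerts = []

    def _trim(self, dq, now):
        """Drop window entries older than WINDOW_S seconds."""
        while dq and dq[0][0] < now - WINDOW_S:
            dq.popleft()

    def _alert(self, rule, src, ts):
        if (rule, src) not in self.fired:
            self.fired.add((rule, src))
            self.alerts.append((rule, src, ts))

    def ingest(self, ts, src, raw):
        parsed = parse_sip_request(raw)
        if parsed is None:
            return
        method, uri, headers = parsed
        if method == "INVITE":
            dq = self.invites[src]
            dq.append((ts,))
            self._trim(dq, ts)
            if len(dq) >= INVITE_FLOOD:
                self._alert("INVITE_FLOOD", src, ts)
        elif method == "REGISTER":
            dq = self.registers[src]
            dq.append((ts, sip_user(headers.get("to", uri))))
            self._trim(dq, ts)
            if len({user for _, user in dq}) >= SCAN_DISTINCT_USERS:
                self._alert("EXTENSION_SCAN", src, ts)


def sip_msg(method, to_user, from_user, call_id, host="pbx.example.com"):
    """Build a constructed SIP request with the headers the detector reads."""
    return (f"{method} sip:{to_user}@{host} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK{call_id}\r\n"
            f"From: <sip:{from_user}@{host}>;tag=a1\r\n"
            f"To: <sip:{to_user}@{host}>\r\n"
            f"Call-ID: {call_id}@203.0.113.7\r\n"
            f"CSeq: 1 {method}\r\n"
            f"Content-Length: 0\r\n\r\n")


def constructed_traffic():
    """Constructed (timestamp, source IP, raw SIP) events: benign calls, a flood, a sweep."""
    events = [(i * 20.0, "10.0.0.5", sip_msg("INVITE", "2001", "2002", f"call{i}"))
              for i in range(3)]                                   # 3 normal calls
    events += [(100 + i * 0.1, "198.51.100.9", sip_msg("INVITE", "2001", "attacker", f"f{i}"))
               for i in range(40)]                                 # 40 INVITEs in 4 s
    events += [(200 + i * 0.1, "198.51.100.10", sip_msg("REGISTER", str(1000 + i), str(1000 + i), f"r{i}"))
               for i in range(30)]                                 # REGISTER for 30 extensions in 3 s
    return events


def run_detector(events=None):
    """Feed events to the detector in time order and return its alerts."""
    det = SipDetector()
    for ts, src, raw in sorted(events or constructed_traffic()):
        det.ingest(ts, src, raw)
    return det.alerts


if __name__ == "__main__":
    for alert in run_detector():
        print(alert)
```

Both rules are stateful rate checks keyed on the source and on the signalling method, which is exactly the context a payload-signature IPS lacks; a real voice IPS would add the responses (401/403/404 counts for a failed sweep), media-plane checks such as RTP arriving with no matching call, and per-trunk rather than per-host thresholds.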
Fortunately, new security solutions are emerging that are purpose-built to address these specific VoIP vulnerabilities. In 2008 we will see the introduction of a new category of security products, including VVA (VoIP Vulnerability Assessment), VIPS (Voice Intrusion Prevention System), VNAC (VoIP Network Access Control) and Anti-SPIT (Spam over Internet Telephony) products.
Get ready now
Besides the increased attention that hackers, cyber criminals and corporate spies are paying to VoIP networks, regulators are recognizing the role that VoIP plays in the transmission, processing and storage of confidential information. Expect legislation such as Sarbanes-Oxley, GLBA, HIPAA and others to include provisions for securing VoIP networks.
Steps you can take to minimize VoIP security risk and prepare for the coming compliance requirements:
1 Look at your VoIP system through new eyes. Review your architecture with security in mind.
2 Perform a VoIP-specific vulnerability assessment and penetration test. Remediate reported vulnerabilities: policy and process, administrative, configuration and vendor-specific. Do this regularly.
3 Examine your organization’s regulatory requirements for VoIP. Incorporate VoIP security into audits and compliance reporting.
4 Conduct employee education for VoIP threat awareness. Add VoIP expertise to your security team.
5 Begin cross-functional meetings between network, telecom, security and audit departments to jointly plan your VoIP security protection and mitigation strategies.
Rick Dalmazzi is President & CEO of VoIPshield Systems (www.voipshield.com). He can be reached at rdalmazzi@voipshield.com or 613-224-4443 x201.