SUBSCRIBE TO TMCnet
TMCnet - World's Largest Communications and Technology Community

CHANNEL BY TOPICS


QUICK LINKS




 
tmc logo
November 2007 | Volume 10/ Number 11
Feature Articles

IP Communications Security Challenges

By Richard “Zippy” Grigonis

In the early days of VoIP, proponents argued that IP voice packets could be treated as just another form of IP data. Not exactly true. First came VoIP’s quality of service considerations owing to its real-time nature, and then everyone discovered that VoIP implementations not only inherit the same security threats as data networks, but also have a bevy of their own: theft of service (good old “toll fraud” in the telephony world), voicemail susceptibilities, denial-of-service vulnerabilities, confidentiality problems, and related issues such as VoIP compliance with internal and regulatory requirements.

A huge market in firewalls and Session Border Controllers (SBCs) then appeared to tame the VoIP security jungle, but other companies have appeared with new approaches. Take, for example, BorderWare’s (http://www.borderware.com) “application-specific” firewalls, first used in the tricky area of messaging security.




Dominic Chorafakis, Director of Product Management at BorderWare, says, “We are seeing a trend for a different class of device than the traditional SBC that your telco will buy and place it in the carrier network. As more and more enterprises turn to VoIP and unified messaging in general, we do see that these enterprises recognize the need for something that looks like an SBC to sit on their network and provide the typical enablement services that SBCs provide, such as NAT [Network Address Translation] traversal, but also to secure their infrastructure, be it a small, open source Asterisk PBX, or a big Avaya IP PBX. People recognize the need to protect these things. But traditional SBCs and the price tag they carry really don’t fit into the enterprise network. That’s why some vendors have scaled down their SBCs to try to capture this market.”

“The use of proprietary hardware - ASIC chips and things of that nature - have made it difficult to achieve a good price point,” says Chorafakis, “and that’s where we see this evolution toward a purely software-based solution that can be run on whatever the appropriate hardware is for the specific deployment. That applies in the voice space. BorderWare started with offering packet inspection and proxy-type firewalls. Our next foray, which was our major success, was in the e-mail security and content control marketplace. Then, we moved into the VoIP/SIP marketplace. As was the case with e-mail, as we see voice and instant messaging experience growth, we’re now focusing our energies there, and we’re moving toward offering a unified solution to address voice, video, IM, web and e-mail. That’s where our BorderWare Security Platform comes into play, which offers a unified solution for IP Communications in general.”

“Heads are Spinning”

Another interesting VoIP security software company is VoIPshield Systems (http://www.voipshield.com). Founded in early 2005, it offers the VoIP Security Suite, a set of security applications purpose-built to protect VoIP networks and devices. Their customers tend to be medium-to-large enterprises that find themselves managing large VoIP deployments.

One of VopIPshield’s more ingenious products is VoIPaudit, which is a vulnerability assessment and penetration testing product specifically designed to identify VoIP security threats. It also does a neat job of discovering VoIP infrastructure assets including PBXs, softswitches, gateways, multi-media servers, phones and soft clients. Indeed, VoIPaudit can discover and manage multiple VoIP networks simultaneously. It even has built-in asset management so that an organization can keep track of changes and updates to the VoIP infrastructure.

Rick Dalmazzi, CEO of VoIPShield, says, “Every year the world spends more money on voice products and services than on data. It’s really interesting to see the biggest phenomenon in VoIP and VoIP security today, which is a collision of two worlds: First, you’ve got older telephony guys who for years had a beautiful closed system that always worked. Their only real security issue was toll fraud. Now, however, we’re moving into the open jungle of IP, where the threat model for IP voice more resembles the data world, than the old voice world. The old telephony heads are spinning. The security concepts of confidentiality and authenticity and integrity are totally foreign to them.”

“The corporate data security groups forced to accept security responsibility for voice are guys who use a telephone, but that’s about it,” says Dalmazzi. “They aren’t interested in the telephony world. When selling voice security products, we’ll perhaps encounter the CIO, but more likely the people who run the office’s network and security. The person responsible for the phone system won’t typically be senior - more of a mid-level manager. It’s fascinating to observe the dynamics of who’s going to be responsible for VoIP security and who’s going to pay for it. For me, that’s the most interesting phenomenon going on in voice security today.” IT

Richard “Zippy” Grigonis is Executive Editor of TMC’s IP Communications Group.

» Internet Telephony Magazine Table of Contents



Today @ TMC
Upcoming Events
ITEXPO West 2012
October 2- 5, 2012
The Austin Convention Center
Austin, Texas
MSPWorld
The World's Premier Managed Services and Cloud Computing Event
Click for Dates and Locations
Mobility Tech Conference & Expo
October 3- 5, 2012
The Austin Convention Center
Austin, Texas
Cloud Communications Summit
October 3- 5, 2012
The Austin Convention Center
Austin, Texas