Guide to VoIP Security
Putting VoIP vendors to task on security
Nine questions you should ask anyone trying to sell you VoIP security
By Cara Garretson, Network World, 10/01/07
When it comes to deploying VoIP systems, making security a top priority can save an organization the expense and headache of having to retrofit protection after a network is built, not to mention avoiding the pain caused by any VoIP-specific exploit.
One way to ensure security is a priority from the start is to choose VoIP infrastructure products – namely IP PBXes – that include security measures or that integrate well with outside security offerings. The level of security that's integrated with different VoIP infrastructure products can vary greatly.
"Because of VoIP's proprietary nature, the security of a Cisco VoIP system is different from one from Avaya, which is different from securing Nortel," says Lawrence Orans, a research director at Gartner.
The following are just some of the questions enterprises should ask their VoIP infrastructure vendors to help them understand the level of security offered by their products:
1.) Does the vendor sell security appliances that sit in front of the IP PBX to protect voice traffic? If so, what protocols does the appliance work with? If not, is there an adequate selection of third-party security products that work with the vendor's infrastructure equipment?
2.) Is the security appliance default-configured to work with VoIP traffic? According to Orans, Nortel is the only big North American IP PBX vendor that sells a firewall preconfigured to work with VoIP traffic.
"This shows a lack of maturity in the market; only one vendor has taken the steps to do it," he says. Since VoIP security expertise is still an emerging specialty, it's worth having the vendors preconfigure these products to work together rather than possibly having to hire an outside consultant to do it.
3.) Do these products also offer features such as encryption and authentication of VoIP traffic? Such features are particularly important if an enterprise is planning to run VoIP traffic across the Internet. Customers should also determine how complex configuring these features can be.
4.) Do the VoIP applications that run on these products offer adequate security, such as multilevel administration features so that access to all management features isn't granted to administrators when it's not necessary? For example, an application should be able to grant one administrator rights to user management and another to dialing plans without having to expose all rights to all managers.
5.) Enterprises should ask if prospective VoIP security products work with the IETF's Session Initiation Protocol (SIP), the standard towards which many experts believe the market will eventually shift, as well as the proprietary protocol used by the vendor's IP PBX.
As VoIP installations multiply across the corporate landscape, so do products aiming to secure these communications.
While many of the vendors that manufacture VoIP infrastructure products sell dedicated security products as well, there is also a market of third-party security offerings designed specifically for VoIP equipment that look to add much of the same protection to voice traffic that traditional firewalls, intrusion-protection systems, and other security offerings do in the data world.
Highlighted by startups with significant venture-capital funding behind them, such as Sipera Networks and Covergence, this market for third-party VoIP security products is gaining ground. Third-party VoIP security products offer features ranging from firewall protection to intrusion prevention to encryption and authentication – all designed to heighten VoIP security to a level of enterprise acceptance.
In order to ensure an organization is getting the most protection possible from its third-party VoIP security products, the following questions should be asked of any potential vendor:
1.) Which types of threats does your product protect against? Ideally an organization wants to secure itself from all of the threats known to the data world – including spam, phishing, viruses, intrusion, information theft, and others – as well as exploits specific to voice communications, such as eavesdropping. If multiple products are necessary to achieve this coverage, ask how well they would work together.
2.) What voice protocols does your product support? Listen closely to the answer to this question, as protocol support can be a confusing issue in the voice world.
"There are multiple flavors of SIP [the IETF's Session Initiation Protocol], so even if two companies say they support SIP, they may not interoperate," warns Mark Slaga, chief technology officer with Dimension Data, an IT services company that has installed enterprise VoIP systems and also offers security testing of existing systems.
3.) What kinds of advanced security features are offered? Encryption is emerging as a must for VoIP communications, particularly when voice traffic travels out across the open Internet. Other advanced security features include authentication, spam and virus filtering, and enabling security policies based on user, group, device, or other characteristics.
4.) How difficult is it to implement the advanced security features? If these features, particularly encryption and granular policy control, require a customer to call in VoIP security experts to configure, it's best to find that out up front.