One theme I noticed that really garnered some visibility while I was out is VoIP security. Here's a sampling of what I came back to find.

The Daily Payload points us straight to an article in Red Herring

VoIP Security Gets Noisy
Analyst says it’s time for service providers to inform businesses about VoIP’s real risks.
November 13, 2006

It is one of the most potent threats to the corporate network, but Internet voice remains perhaps the least understood and most poorly defended security gap in the enterprise, according to a security analyst, and security specialists are aiming business users at the wrong targets.

“Vendors are focusing largely on the dangers of interception of communications on the wire, which we don’t think is the main problem at all,” said Graham Titterington, a principal analyst and security expert with Ovum. “VoIP is an intranet issue because corporations still use traditional phone companies for their long-distance service.”

 

As with many Red Herring articles, I think it's off base, or underdone in many ways. I think it's way off base describimg SPIT or VoIP SPAM as an issue of trust. The real issue here is the denial of service potential and degradation of call quality that will reduce users confidence in VoIP services. There's less issue with inundating users as there is with degrading overall quality. A DoS attack in the traditional telephony world required extensive telecom resources. With VoIP, it's pretty achievable with a small computer network.

Where Red Herring gets it right is in pointing out that the standard IP security threats represent the largest VoIP threats. Grahman Titterington with Ovum, accurately points out that “Vendors are focusing largely on the dangers of interception of communications on the wire, which we don’t think is the main problem at all."

In short, I think Titterington is right on the money, but I think Red Herring went a tad askew in the article.

Also from the Daily Payload, a pointer to this on ZDNet

Get ready for attacks on VoIP?

By Tim Ferguson, Silicon.com
Spam, phishing and denial of service could all soon be threatening VoIP services, and businesses need to take steps now to ward off the danger.

As VoIP products and services become more widely used by businesses, analyst Ovum has warned that while companies are concerned with voice quality and functionality they are not considering all of the potential security risks associated with VoIP.

I read this as nothing more than ZDNet parroting the Red Herring article.

Colleague Garrett Smith adds a voice of reason with his thoughts on the "brow raisin" article in Red Herring. To quote Garret:

"I found it to be ‘brow raisin’ not because it presented new information, but it mis-represents, mis-informs, and is filled with “half-truths” all in what appears to be nothing more then scare tactics. Yes, there are security concerns with VoIP, and I even agree with this statement..."

Read full post

What Garrett points out is the problem I seem to have most often with Red Herring articles. They seem filled with the sort of shocking, worrisome partial insight that always leans toward scare tactics. Red Herring is quite consistent in this reporting approach, and it comes across as very unbalanced.



My good friend and colleague Dan York has two posts, both noteworthy.

SANS Top 20 Internet Security Attack Target List for 2006 includes VoIP for the first time

Today SANS announced the 2006 version of their annual “Top-20 Internet Security Attack Targets” and for the first time, VoIP is included as one of the threats. The press release identifies six major trends in attack patterns and includes this:

5. VOIP (Voice over Internet Protocol) attacks used now to make money by reselling minutes and potentially for injection of misleading messages and even for creating massive outages in the old phone network.

And this post

VoIP included in SANS Top 20 "Internet Security Targets" list for 2006

SANS today released their 2006 "Top 20 List of Internet Security Targets". As I highlighted in my posting on the Voice of VOIPSA weblog today, the list for the first time includes VoIP.

Rather than cross-post, I'll refer you to that posting for more information about the relevance to VoIP.



I will say here, though, that several people have asked me if I honestly think this is good for VoIP - and yes, I do. First off, it's a sign of the success of VoIP - and the importance of VoIP - that it is worth attacking (and therefore also defending/protecting). Second, there are a lot of issues around VoIP security, but there are also a lot of solutions - a spotlight like this will only help to show those solutions. Third, it may certainly motivate some of the companies out there that haven't been paying attention to security to get off their tails and do something about it. (Then again, it might not.)

Dan and I agree far more frequently than we disagree. One area in this particular story thread we agree on heavily is that this is good for VoIP. That's right, this sort of news reporting is good for VoIP!

VoIP has achieved critical mass in the marketplace. I fequently argue that VoIP has passed well beyond the disruptive technology it once could have been. VoIP has quietly become an industry standard, sustaining technology that is widely used and adoped. As such, given that it's truly dependent on the IP infrastructure over with it operates, how could any reasonable person not expect that the security problems we see talked about it such frightening terms become a reality. We could have predicted this years ago, and many of us did. VoIP security is inherently tied to the security of the underlying IP network. That isn't the only factor, and certainly VoIP introduces some new security threats through new protocols and network elements.

What's important is that there is nothing unexpected with regard to VoIP security. All these threats were known and existed in either the old IP network or the old PSTN. Toll fraud isn't new. I helped prosecute PBX toll frauds cases twenty years ago. DoS isn't new. None of thies is new.

What VoIP does, as a sustaining technology that's being widely adopted, is give us good reason to revisit the security posture of our networking environment from a holistic viewpoint. It motivate us to rethink our security posture across all enterprise services. It's not a cause for paranoia. It's cause for sound critical thinking and planning.

Thats a good thing.


Technorati Tags: VoIP security