Today's network security managers spend little time worrying about telephones. Most are too busy trying to protect their data network from hacking, viruses, spam and a myriad of other threats that have become part of day-to-day business.
But as more companies take the decision to move voice traffic off traditional circuit-switched networks and onto a converged communications platform, the problems of securing voice look set to make data management look simple.
Many analysts have expressed concern that businesses do not fully understand the challenges of managing and protecting voice traffic on Internet protocol (IP) networks, presuming that the measures in place to protect data traffic will be sufficient to also protect voice. Elizabeth Herrell, a vice president at industry analyst Forrester Research, for example, believes there is widespread complacency: "Many mistakenly believe that if they have security for their data network, it will be adequate for their voice. This is not true and additional security is needed."
To help highlight this issue and help develop solutions, the Voice over IP Security Alliance (VoIPSA) was formed in February 2005, bringing together a range of vendors, researchers and consultants. Its view on the risks associated with converged networks: "Successful attacks against a combined voice and data network can cripple an enterprise, halt communications required for productivity, and result in irate customers and lost revenue."
David Lacey, chief security officer of the Royal Mail, is equally alarmist. "Putting VoIP into the data network will drive a coach and horses through existing firewall security," he says.
Speed versus safety
The main problem lies in the fact that the time-critical nature of voice packets means they cannot be quarantined for inspection in the same way as data. Firewalls, understandably, tend to slow the transfer of data by anything from a matter of seconds to a few minutes while they scan the contents of the data packet, but even a minimal delay to a voice packet would render a voice call unintelligible. However, opening up firewall ports to ensure faster communication leaves the voice network open to threats such as denial of service and toll fraud.
A Gartner study, 'IP Telephony Security Demystified', recommends that to minimise the security threat, "the firewall must scan VoIP messages and open ports dynamically only for calls approved by the call control server. At call disconnection, the firewall must close the session as well as any open ports."
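The Gartner recommendation above, modelled as an added example that is not from the article or from any vendor's product: a toy firewall that keeps signalling to the call-control server open, opens media (RTP/RTCP) pinholes only when the call-control server reports an approved call, and closes every pinhole belonging to a call when it disconnects. All addresses, ports and call identifiers are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class VoipFirewall:
    """Minimal model of a VoIP-aware firewall: no static media ports, only pinholes tied to live calls."""
    # Open pinholes: (dst_ip, udp_port) -> call_id that justifies them
    pinholes: dict = field(default_factory=dict)
    # Per-call list of the pinholes it opened, so disconnect can close all of them
    calls: dict = field(default_factory=dict)
    # The only static rule: signalling to the call-control server (constructed address)
    signalling: tuple = ("10.0.0.5", 5060)

    def call_approved(self, call_id, media_endpoints):
        """Call-control server approved a call: open one pinhole per negotiated media endpoint."""
        if call_id in self.calls:
            raise ValueError(f"call {call_id} is already active")
        for endpoint in media_endpoints:
            self.pinholes[endpoint] = call_id
        self.calls[call_id] = list(media_endpoints)

    def call_disconnected(self, call_id):
        """Call ended: tear down the session and every pinhole it opened."""
        for endpoint in self.calls.pop(call_id, []):
            self.pinholes.pop(endpoint, None)

    def allow(self, dst_ip, dst_port):
        """Would a UDP packet to this destination pass the firewall right now?"""
        if (dst_ip, dst_port) == self.signalling:
            return True
        return (dst_ip, dst_port) in self.pinholes


def demo():
    """Walk one call through its lifetime and report what the firewall permitted at each stage."""
    fw = VoipFirewall()
    media = [("10.0.1.20", 16384), ("10.0.1.20", 16385)]  # constructed RTP and RTCP ports
    before = fw.allow("10.0.1.20", 16384)   # no approved call yet: blocked
    fw.call_approved("call-1", media)
    during = fw.allow("10.0.1.20", 16384)   # pinhole open for the approved call
    unrelated = fw.allow("10.0.1.20", 16400)  # port not tied to any call: still blocked
    fw.call_disconnected("call-1")
    after = fw.allow("10.0.1.20", 16384)    # closed again at disconnection
    return before, during, unrelated, after
```

The point of the model is that the window of exposure is exactly the lifetime of an approved call, not a permanently open range of media ports.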
There is an added complication. Because people are used to the high availability and quality of the public switched telephone network (PSTN), expectations for VoIP are also sky high. Most converged networks can now ensure four or five 'nines' of reliability – that is, they are up for 99.99% or 99.999% of the time – but there are still a plethora of quality of service issues.
Any delay over 50 milliseconds, for example, can create echo on a VoIP call and delays over 250 milliseconds can lead to participants talking over each other. Jitter – the disruption in sound that is the result of packets being delivered at different times – can be minimised by holding the packets long enough for the slowest to arrive, but that causes delay.
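The jitter-buffer trade-off described above, as an added example that is not part of the article: a fixed playout buffer holds each packet for a chosen number of milliseconds beyond the smallest observed network delay, so a deeper buffer discards fewer late packets but pushes the total playout delay towards the 50 ms echo threshold the article cites. The packet timings are constructed; the thresholds are the article's.

```python
SEND_MS = [20 * i for i in range(10)]                 # 20 ms packetisation, ten packets
CONSTRUCTED_DELAYS = [30, 35, 60, 31, 90, 33, 45, 120, 32, 34]  # one-way network delay per packet
ARRIVE_MS = [s + d for s, d in zip(SEND_MS, CONSTRUCTED_DELAYS)]

ECHO_THRESHOLD_MS = 50        # delay beyond which the article says echo appears
TALK_OVER_THRESHOLD_MS = 250  # delay beyond which participants talk over each other


def playout_stats(send_ms, arrive_ms, buffer_ms):
    """Simulate a fixed jitter buffer.

    Packet i is played out at send_ms[i] + base_delay + buffer_ms, where base_delay is the
    smallest one-way delay seen. A packet that arrives after its playout slot is discarded.
    Returns (playout_delay_ms, packets_discarded).
    """
    delays = [a - s for s, a in zip(send_ms, arrive_ms)]
    base_delay = min(delays)
    discarded = sum(1 for d in delays if d > base_delay + buffer_ms)
    return base_delay + buffer_ms, discarded


def sweep(buffer_sizes=(0, 20, 60, 100)):
    """Try several buffer depths and flag each against the article's delay thresholds."""
    results = {}
    for buffer_ms in buffer_sizes:
        playout_delay, discarded = playout_stats(SEND_MS, ARRIVE_MS, buffer_ms)
        results[buffer_ms] = {
            "playout_delay_ms": playout_delay,
            "discarded": discarded,
            "echo_risk": playout_delay > ECHO_THRESHOLD_MS,
            "talk_over_risk": playout_delay > TALK_OVER_THRESHOLD_MS,
        }
    return results


if __name__ == "__main__":
    for depth, stats in sweep().items():
        print(f"buffer {depth:3d} ms -> {stats}")
```

With these constructed timings a 20 ms buffer keeps playout delay at the echo threshold while still losing three of ten packets; absorbing the slowest packet needs 100 ms of buffering, well past the point where echo becomes noticeable.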
Such delays can be alleviated by prioritising voice traffic over data, meaning that although they may use the same routes, a voice packet will always get through ahead of a data packet. Gabor Szabo, security business development manager from networking vendor 3Com, says, "Switches should be able to automatically understand voice. An application-oriented network [AON] better understands how traffic should be handled." A converged voice and data AON could put voice above other applications, such as a supply chain or enterprise resource planning system.
Craig Pollard, head of security products and services at network equipment maker Siemens Communications, agrees that the network needs to be more intelligent, "because more openings to that network are intelligent". For example, he says: "When you pick up an IP handset, you're essentially picking up a computer."
All the networking vendors are now working on adding more intelligence – and resilience – to their products. That there is work to be done with regard to tightening vendors' offerings was made clear in July 2005 when Cisco, the undoubted leader in the field, had to issue a patch for a major vulnerability in its CallManager software which, if seized upon, could be used to launch denial of service attacks. CallManager is the call-processing component of Cisco's architecture for voice, video and integrated data (AVVID).
The session initiation protocol (SIP), which facilitates communication across differing networks and devices, is also susceptible to security breaches, since its relative immaturity as a standard means it does not have clearly defined security requirements.
Herrell of Forrester Research believes that this is a cause for concern: "The lack of firm specifications on SIP standards allows vendors to determine how much security is built into the system. Standard security tools for data networks are ineffective with SIP and must be upgraded."
Converging voice and data also has implications for business continuity and disaster recovery – but these are not all bad. Putting voice and data on the same network increases the risk of voice going down, because IP networks fail more often than the PSTN. However, since IP extends across the whole network, if there is a disaster it is easy for employees working remotely to access the system and thus, in the case of a converged network, maintain communications. There is no need for a remote site with dedicated, pre-wired lines to be set up. Instead the workforce just has to have access to broadband and business will continue as usual. "It's a boon to business continuity not a threat to it, otherwise why would you bother?" asks Neil Sutton, general manager of IT services at BT. "Businesses need a tangible benefit."
Others also see communications convergence as having a positive impact on overall security – if businesses are willing to take the threats seriously. The introduction of a new architecture, they argue, presents a valuable opportunity to invest in protection at the same time, meaning the technology is secure from the start rather than having to play catch-up as happened with data. Ari Takanen, CEO of Codenomicon, a provider of tools that automate software testing, says that it is important that VoIP is not allowed to fall "into the patch-and-penetrate race we have had to witness with other widely deployed communication software".
Protecting converged networks undoubtedly requires a radically different way of thinking about security, says Lacey of the Royal Mail, and, he argues, there are gaps in understanding risks and solving them. But, he says: "It is do-able." Moreover, he agrees that putting another valuable application – voice – over the data network could pave the way for investment in a comprehensive, secure infrastructure.