How to measure the increased business risk of VoIP vs Landline?

I read that insurance companies want to start charging more for putting voice in the cloud. Further, deep packet inspection isn't performed on VoIP because it creates latency and jitter, and if encrypted, malicious code could be hidden in the packets that would skate right past the session border controller. If that code then routed to a unified server, even if it was segmented on a separate VoIP VPN, business operations could be toast.

2
Jon Arnold
Principal, J Arnold & Associates
Posted on July 30, 2010

Great question and a big topic. I've been advocating for years that there's an opportunity for insurance companies to offer policies on things like VoIP security, network uptime and voice quality. In worst-case scenarios, the things you describe could certainly happen.

I'm not a technical analyst, but am pretty sure the SBC vendors are doing some aspect of VoIP DPI now. Based on my client work, there are definitely companies working on solutions to address these risks. Problem is that most businesses - and carriers - don't believe there's much of a threat, and/or their existing data firewalls, etc. are sufficient. Wrong.

Basically, short of a major security breach or proactive industry initiatives to make this an agenda issue, inertia will be the order of the day. VoIP simply hasn't been widespread enough to become a major target for all kinds of attacks - but it would be foolish to think it will never happen.

In terms of how to measure the added risk that comes with VoIP, I haven't seen any best practices around this yet. There haven't been enough documented failures to build some benchmarks around, and I'm sure anything like this will have to be based on best-efforts assumptions. I should add, btw, I'll bet there are more undocumented security breaches than you'd think - it's just not something companies want to draw attention to. Sort of like being duped by an Internet investment scam - who wants to admit to that?

2
Joe Nemastil
Managing Principal, The NT Group, LLC
Posted on Aug. 20, 2010

The source article appears to make the assumption that because it's VoIP, it's exposed to all of the perils that hackers and other miscreants on the Internet present. However, most service providers of cloud-based VoIP services utilize a point-to-point circuit, which is not connected to the Internet, but rather runs directly between the service provider and the hosted customer. This essentially makes the circuit a private network. In addition, customer-premise-based systems can use private networks, VPN tunnels, firewalls, etc., which can mitigate much or all of the risk associated with being connected directly to the Internet. There is certainly risk associated with running VoIP over a regular Internet circuit. There are other problems with running VoIP over the Internet though - namely quality of service (QoS) and class of service (CoS). By addressing QoS and CoS issues, Internet circuits are eliminated from consideration, making much of the security issue a moot consideration. Am I missing something?

0

Jon,

Your comments are categorically correct on all counts. I just wonder how many times 60 Minutes will have to show generators blowing up from "white hat" cyber attacks in order for people to get the fact that plugging any vulnerability is a big issue. They also reported that this was the first year that cyber attacks cost banking more than old-fashioned bank robbery.

One company that has tackled this issue and offers the only solution for encrypted VoIP is another tech spin-out from IIT that was initially funded by a phase 1 NSA grant. I am attempting to raise awareness of this new technology that uses a watermarking technique combined with statistical analysis of the vunnel (VoIP tunnel) to purify the transmission.

The reason that we are working together on this is simply because they are commercial-ready and we are not. Therefore, it is my hope that anyone reading this will contact me directly, so that I may introduce them to Salare Security. This will in turn help fund the development that will achieve proof of concept with our distributed queue layer 2 MAC.

Thanks again for your Focus expertise,

Jonathan

0
Alessandro Greco
CEO, CFO, VP, Director, easycloud
Posted on Sept. 8, 2010

It is not easy to give an answer without details about the architectures, but voice, like other media, can be transported in a reliable and secure way by implementing the right technologies and policies.

Starting from your LAN environment, you should first use different VLANs (one for voice and a second one for data); in this way you assure segmentation and security at L2, and you can also implement the right QoS policies, marking voice traffic with the right priority.

You can use a proprietary SBC in order to separate your network from the SP network, and of course implement voice security features like device authentication, signalling/media encryption and so on, but it really depends on how you integrate with the Service Provider network: with a Voice Gateway, using a SIP Trunk, over an MPLS network or Internet access.

So the features and functionalities to assure integrity and security for voice calls are really many, and today security over IP is no longer an issue.

Regards
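The segmentation and marking Alessandro describes, written out as an added illustrative configuration. This is not the poster's own configuration and is not taken from any vendor document: Cisco IOS-style syntax is assumed, and the VLAN IDs, addresses, port names, the call-control server address (10.20.0.5) and the bandwidth percentages are all placeholders chosen for the example.

```cisco
! Constructed example: voice and data on separate VLANs at the access layer.
! Assumed Cisco IOS-style syntax; all IDs, names and addresses are placeholders.
mls qos
!
vlan 10
 name DATA
vlan 20
 name VOICE
!
! Access port with a phone and a PC daisy-chained behind it.
! The PC lands in the data VLAN, the phone tags its own frames into VLAN 20.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
 ! Trust the CoS marking only when a phone is detected on the port, so a PC
 ! plugged in directly cannot self-mark its traffic into the voice queue.
 mls qos trust device cisco-phone
 mls qos trust cos
!
! L3 boundary between the VLANs: hosts in the data VLAN may not reach phones
! directly. The single exception (assumed for the example) is the call-control
! server on SIP over TLS, for softphones or management from the data side.
ip access-list extended DATA-TO-VOICE
 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.5 eq 5061
 deny   ip  10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 permit ip any any
!
interface Vlan10
 description DATA gateway
 ip address 10.10.0.1 255.255.0.0
 ip access-group DATA-TO-VOICE in
!
interface Vlan20
 description VOICE gateway
 ip address 10.20.0.1 255.255.0.0
!
! WAN edge toward the SBC / service provider (router-style MQC):
! media marked EF gets a strict-priority queue, signalling marked CS3 a
! guaranteed share, everything else fair-queued.
class-map match-any VOICE-MEDIA
 match ip dscp ef
class-map match-any VOICE-SIGNALING
 match ip dscp cs3
!
policy-map WAN-EDGE
 class VOICE-MEDIA
  priority percent 30
 class VOICE-SIGNALING
  bandwidth percent 5
 class class-default
  fair-queue
!
interface Serial0/0/0
 description Uplink to SBC / SP network
 service-policy output WAN-EDGE
```

The two halves address different risks: the VLAN and access list keep a compromised PC from talking to phones or sniffing media at L2, while the queueing on the uplink is what keeps encrypted or inspected voice from suffering the latency and jitter the original question worries about. Trusting markings only from detected phones matters, because otherwise any host can claim priority for its own traffic.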

0
Erik Brokaw
Enterprise Architect, Blue Cross and Blue Shield of Kansas City

At our shop, we don't utilize VoIP over the internet. Our cores are internal, behind our corporate firewalls. Standard internet traffic comes through public and partner DMZs and our current PBX handles the TDM to IP translation for the lines coming from our telco provider's CO.

As SIP becomes more of a reality, and as local telcos move away from older TDM and toward IP at their COs, expect that dedicated IP circuits to your telco provider's CO will become a reality, replacing the TDM circuits in place today. PBX equipment will become software on a "features server" and accessed via a SIP gateway, replacing the current PBX.

You will still see separate circuits from your ISP/telco providers, as you do today. As Joe Nemastil mentioned above, the same will be true for VoIP in a cloud, where separate circuits will continue to exist for voice. But, your VoIP cloud provider will see their circuits changing from TDM to IP for connectivity to a CO. (Same architecture but hosted at your cloud provider.) The weak spot will continue to be your provider's connection to you. Many cloud providers attempt to place their hosting centers at critical internet locations (no less than three hops from their customers) and encourage their customers to use tier-1 ISPs (to avoid over-subscription issues).

That helps some but still doesn't solve the knotty issue of encryption/decryption at your firewall. The question is one of cost. Is it cheaper to purchase VoIP load balancers and IP accelerators (think F5 equipment for voice) or bite the bullet and move your internal network to in-house VoIP connected to your telco provider? If you're running a call center, I'd certainly choose the latter.

Alessandro Greco's comment is also worth noting. MPLS costs are dropping and provide a great way for a geographically-dispersed company to obtain some guaranteed, secure bandwidth.

0
Jamal Thompson
CEO, Velocity Unified Communications Inc.

This question would be geared more to the non-corporate environment or the SMB, who do not readily pay for engineered solutions but for boxed solutions. Voice security will ultimately fall on pricing, because this generally equates to the level of quality and service, from equipment to the delivery vessels of voice transportation. If the security level cannot be controlled at both endpoints and the delivery system (Internet), then it is impossible to guarantee endpoint-to-endpoint security. This is typically why solutions and services differ in price. As a voice carrier, VoIP is subjected more to data manipulation due to the way packets are sent and received; there have been instances when we have tested this and been able to manipulate content when not secured by endpoint-to-endpoint translation descriptors. This can only be controlled in a lab environment with various software and hardware components in place. There is no uniform standard at both the CPE and LEC levels to ensure security, no matter what is placed on either endpoint, given hardware or software. Enhancing encryption before a universal standard is set will only cause rejection of packets at the LEC level as unauthorized or malformed. Remember there are various solutions for voice data transportation, but these were developed using different SIP protocols, so there are many other variables to consider in a production solution, and claims cannot be made that a certain solution will work on all platforms.

Jamal Thompson
