Now that VoIP is emerging as the go to technology in voice, the dirty little secret is that security is very much a concern. With voice networks being managed like IT networks there is ample opportunity for people with malicious intent to hack into networks via the voice network. It is my opinion the premise based systems are more susceptible than hosted systems. Hosted VoIP is usually more separated from the core network functions of the user and the system is usually in a secure environment and maintained by experts who are adept at network security. There is a break even point when the user grows to a certain size, the need for better security outweighs the cost savings of a hosted system. Large companies generally need to manage their networks in house.

Unified Communications brings even more exposure to the user's network because more of the IT network is made available on the internet. In the beginning, VoIP was usually kept on a different sub network than the IT network but as more web based applications were used, the IT and Voice networks had to communicate with each other and are commonly found on the same subnet or the subnets are mapped to each other.

I do believe that VoIP is the best way to manage voice networks but when considering any application like Unified Communications, ask a lot of questions about security. Good security is a "you get what you pay for" proposition. Private networks are better but more expensive so the cost savings realized from VoIP and UC may go right back out to enhanced network security.

Glen Marshall

Principal, Grok-A-Lot, LLC

Posted on March 24, 2011

Network security is, and has been, of concern for years. The unification of communication methods into a more homogeneous network actually simplifies the chore.

Basically, update your risk and threat analysis to incorporate the communication traffic that you now experience. Then prudent risk management, informed by the analysis, will guide you to seek and select solutions. Keep in mind that physical and administrative controls are often more economic, and often just as effective, as technological controls. So your choices should include such non-technical solutions.

Frank Laurijssens

Information security infrastructure designer, ICTIO

Posted on March 27, 2011

Apart from network security, Unified Communications creates a new entry point into your systems. While it might sound cool that you can use the voice mail system to read you your most recent e-mail messages, this could turn out to be not so cool when your CFO uses 1234 as PIN for the voice mail system. It might also do harm when every available Instant Messaging client is able to show everyone's Free/Busy information.

Daniele Cardesi

Sales Director, Sysnet IT Solutions

Posted on March 28, 2011

The VoIP and UC security threats are many and different. Some related to the underestimating of the user/password definition of the voip accounts (security hole used by the voip scanners), pin of the voicemail, etc. Other related to the networks logic as vlan, etc.
The problem is also internal and external to prevent eavedropping, toll frauds, etc.
A generical approach is to apply the encryption on VoIP protocol like SRTP/TLS standard that can encrypt both signaling and voice stream dinamically with an high level of security.
This can prevent a large number of security threats and is simply because many vendor of voip hardware and software solutions supporting it (cisco, snom, asterisk based pbx... and PrivateWave). For the end users is trasparent and also is a good way to prevent unauthorized call interception.
Last but not least, the companies that choose for an on premise VoIP/UC infrastructure shared on internet have to select specific firewalls with protection from strategies like protocol fuzzing, hijacking, malformed packets, etc to have more warranties in terms of stability and continuity of the infrastructure.
It sounds complex, but is the same of what happen in the past for web surfing, email services, etc. I work in the field of VoIP security and this market is growing fast. The customers have to choose dedicated technologies for this application evaluating the number and type of features available.
To acquire a VoIP/UC technology without considering the security is the same of to acquire a mail server without an antivirus/antispam service.
The VoIP/UC technology is mature and secure, it's only a problem of attention and evaluation of the benefits, costs and risks.
If a company want to be a cutting edge player in the market have to choose the most innovative technologies having attention on security!

Val Jelinic Replied on April 27, 2011

Excellent response Daniele!

Part of the issues surrounding UC Security are the misconceptions that because there is a Firewall in place, their network is protected. As you mentioned, security is a multi-layered approach with the weakest link being the strongest protection you can expect. VOIP/UC Security should be approached with dedicated technologies or applications focused on their respective strengths.

As was learnt when emails first arrived and shortly thereafter the broad range of attacks, viruses and trojans, so too should we take the threat to VOIP/UC Security quite seriously and apply some very basic rules/guidelines:
1. Policies to protect unauthorised access (time of day, user groups, regional, etc)
2. Processes to protect security (control of info, network access, applications use, etc)
3. Prevention (policing policies and processes to ensure they are continually being improved and adhered to)

Thanks for the comment!

Val

Howard Gunn

CIO,CTO,VP,Director, BST Technoloiges

Posted on April 12, 2011

I think the most prevalent electronic security issue surrounding on-demand voice communications and now on-demand UC connectivity is simple. The use of IP for communications increases the probability that the communications can be intercepted.

The recognition of the increased interception risk raises the basic 'security' issues to the conscious level - the electronic network media between the source of new information being sent and the receiver of new information being received is not secure. It is not a new thought or problem.

While it is easy to suggest that network media has never been and probably never will be secure, the security question is so what?

I think the recognition of the interception problem will stimulate the evolution, adoption and use of application level security, to protect the source of information from the easy pickings on the IP networks.

There are already product implications reflecting this security risk recognition. Microsoft, for example, is using TCP protocols to emulate SIP protocols, for voice messaging. Does this subtle change potentially obsolete and entire generation of easy to intercept and use VoIP boxes? Not really. Will this be a technical diversion or vendor battle over self-interest standards or will it ultimately lead to application level security per transaction?

My bet is that shift to TCP will produce application level security per transaction in the near future, if it has not already started to occur in the high end security market!