Leading computer security and telecommunications companies said today that they are joining forces to raise awareness of threats to VoIP (voice over internet protocol) technology.
The VoIP Security Alliance will disseminate knowledge of internet telephony security risks through discussion lists, white papers and research projects.
The group hopes to spur adoption of VoIP by promoting best practices for companies that adopt VoIP, and by warning organisations of threats, including spam and denial-of-service (DOS) attacks.
The new group is the first cross-industry association that is focused on VoIP security. It includes major players in the market, such as Alcatel and Avaya, VoIP newcomer Comcast, security technology vendors Qualsys and Symantec, and TippingPoint.
One goal of the group is to clear up misconceptions about the technology, which allows voice conversations to be transmitted over the internet. One misconception the group will try to dispel is that deploying VoIP is the same as deploying traditional data networks.
"There's this idea that you don't need to do anything different after you install VoIP applications," says Dave Endler, director of digital vaccine at TippingPoint.
However, internet telephony introduces new requirements for IP networks, including a higher premium on quality of service so that voice conversations are intelligible, and on the privacy of voice data sent over the network.
Deploying VoIP also raises the stakes for network outages, including DOS attacks, because organisations lose voice as well as network services in such attacks, Endler says.
"Imagine not being able to dial 911, or imagine a 911 call centre [that uses VoIP] inundated with VoIP spam," Endler says.
The group will research and distribute information on internet telephony vulnerabilities and promote VoIP security tools.
For example, the VoIP Security Alliance is backing research into special security tools, including a "fuzzer" for SIP (session initiation protocol), a VoIP communications protocol. The tool will be able to test SIP for weaknesses and vulnerabilities that could lead to attacks.
The group will also promote best practices for deploying VoIP, such as configuring gear and separating voice data from other data on so-called converged networks, he says.
Membership in the VoIP Security Alliance is dominated by companies, but is open to individual researchers and university research groups, as well as to internet telephony enthusiasts who are experts in the technology.
While many leading VoIP-oriented companies have already joined, some major players in the space, including Juniper Networks and network gear maker Cisco Systems, are not listed as members.
But Endler says the group can succeed even without the backing of major technology vendors by becoming a reliable source of information and advice on internet telephony security issues.
He likens the group to the Open Web Application Security Project, a volunteer group that produces tools, documentation and standards for web application security.
Individuals interested in joining the VoIP Security Alliance or subscribing to a VoIP security discussion list can visit the group's website.
For more information, our sister site Techworld has a comprehensive VoIP resource page.