If your company is planning to exploit the incredible power, flexibility and cost savings offered by VoIP (voice over IP), there are two things you need to know: VoIP people don't think like IP people; and security is going to be a nightmare.
Recently I spoke to an elite group representing VoIP subsidiaries and working divisions of something like 94 percent of the planet's telecoms service providers. I got called in to provide an in-context and out-of-context view of VoIP and security. I began with a couple of easy questions. Or so I thought.
"How many of you use penetration testing to maintain the integrity of your VoIP networks?" I asked. Not one hand went up. I figured there was a language problem, so I rephrased the question. "How many of you have a dedicated staff of security people whose sole job is to stress the network to find problems before the customer does?" Again, no hands were raised.
After recovering from my shock, I asked: "Why don't you?" The most common response was, "Why should we?"
That's when I retreated to the security basics. I talked about data-transfer integrity and how denial of service can paralyse VoIP, and asked, "What are you guys doing about this?" They shrugged.
This is a community that has not learned the lessons of virtual venom and online conflict. Its biggest concerns are QoS, or quality of service (they get paid more and earn greater profits when QoS is high; they lose points and money when QoS is low), and billing accuracy.
Historically the endpoints of communications have been dumb. One lesson the IP world has learned is that complexity breeds insecurity; dumber is securer. But the world the VoIP crowd is building uses endpoints that are much smarter. And you're planning on bringing this technology into your enterprise? Hmmm.
Next, I asked my now-nervous audience: "Can any of you tell me where your VoIP and data networks meet, converge, talk to each other, share facilities and so on?" Silence. I rephrased the question: "How do your networks talk to each other?" Blank stares.
One guy chirped: "Ah… they don't." Incredulous, I asked a number of people whether their VoIP and data networks were completely isolated from each other, and the consensus was that they were disparate networks.
I ran to the flip chart and scribbled some clouds, cylinders and routers. After several Pollock-esque flourishes, someone called out, "Mine connects there," and someone else said, "Sure, it has to connect here and there and there to make it work." It was just that apparently they had never been asked the question from a security point of view.
Over the next several hours, we learned a great deal. The communications world is moving toward VoIP but does not have the security expertise it needs in-house to meet the real-world stress it will encounter. I learned a lesson I should never forget: I assumed these guys were clued-up, security-wise, and I was dead wrong.
They learned, I hope, that the threats the industry is going to face will be merely variants of what it has already seen more than once. I also hope they carried away something more important: an awareness that security must be designed in from the beginning and that the next generation of VoIP gear must have a more aggressive security posture than the current one.
As for you? If you're getting into this brave new world, great; but be cautious. Make sure you put on your bad-guy hat and stress the vendor and the technology. In a few short minutes it's not too difficult to come up with a healthy range of attack vectors. Better for you to detect and delay VoIP deployment problems than to dive headlong into a place none of us want to revisit.
Winn Schwartau is a security writer, lecturer and president of Interpact, a security-awareness consulting firm.
For more information, our sister site Techworld has a comprehensive VoIP resource page.