Just like any other technology, the idea of the "converged network" and its related applications often comes under some sort of fire, whether it be over cost, functionality, or security. Users and those who deploy the technologies must then evaluate whether or not these stumbling blocks are indeed deal breakers. It's common for system engineers and network managers to focus on "outside facing" or WAN-side security threats. But what is often overlooked is the threat that lies within.
With any new technology development, it's common to fixate on certain problems and certain solutions. Suddenly, there's a panic from end users frantically asking if they're immune to the SQL Slammer, at risk for malware, or could have their conversations monitored on the new IP phone system.
Encryption has become one of those industry buzzwords that seems to permeate the air. It generates questions from end users across all applications, such as "is this a secure connection?" or "can somebody tap this call?" Suddenly, upper-level managers without a strong understanding of the technology begin to demand encrypted media and signalling paths. Trust me, I'm not saying that encryption is bad - it's not! In fact, any enhancement to the layered defense of security makes a difference. But, like all large systems or problems, there are multiple facets, problems, and solutions. Security does not begin and end with one technology in one place.
Robert McMillan from IDG News wrote an article titled, "Georgia student arrested for hacking grades, VoIP". A 19-year-old college student allegedly eavesdropped on phone conversations traveling across the school's IP network, recording conversations in the process.
Most true threats that face VoIP systems, IP-PBXes, or media gateways aren't necessarily from the outside. It's the space between a user's handset and the media gateway that can be most at risk. Internal threats should scare us all, especially in "risky" environments, such as academic, public, or outside-facing networks. But the question remains: can encryption solve problems that emanate from internal threats? In short form, the answer is no.
In true form, any voice network possesses multiple "weakest link" routes, points, or links. If I'm encrypting the internal media paths, then what about the PSTN? Can somebody tap my PRI? What about the analog lines that terminate outside the building? Is the infrastructure at my telco secure? The questions continue into paranoia. So, what's a worried administrator or engineer to do?
From that specific Georgia college incident, we learn that any security incident such as this will ultimately prompt a review and improvement of security practices. But most organizations have a finite amount of resources (time, money, staff) to dedicate to enforcing, monitoring, and improving security. We can't analyze every RTP stream for remote injection or man-in-the-middle attacks.
In conclusion, there are significant improvements to internal and external media transport security that the telecom industry could work towards. For this, we can examine the success of secure HTTP, SSL, or other similar implementations of encryption technology. If media transport requires the issuance of certificates and multiple CAs, then so be it. But we need a unified solution across the board. It's the promise of interoperability that drives the convergence industry. Security must be a joint effort - plain and simple.