Industry group plans VoIP best practices

By Tim Greene, Network World
October 31, 2005 12:06 AM ET

An industry group is working toward a best-practices document that will spell out for businesses how to build secure VoIP networks using specific makes and models of equipment.

While the report won't be available until next year, it will be a practical implementation guide to securely set up VoIP, says Andrew Graydon, a director of the VOIP Security Alliance (VOIPSA), the group writing the papers.

The document will present sample deployments that have been tested by VOIPSA and found to be interoperable and secure, he says. He says it won't be ready until after another VOIPSA report that will be released by year-end. The project is third on a list of tasks the group is addressing, and VOIPSA is still soliciting members of a committee to work on it.

Vulnerability is a major concern for businesses implementing VoIP and for governments that want to guarantee reliable phone service to sustain their economies. A German government agency last week released its own list of VoIP threats. The German report finds the risk of IP-voice service interruption so great that it recommends keeping voice and data networks separate - undermining convergence.

Earlier this year in the United States, the National Institute of Standards and Technology (NIST) issued its own report on the subject, including recommendations for avoiding security pitfalls. Unlike VOIPSA's work, which is being done mainly by vendors with an eye toward the nuts and bolts of implementing networks, NIST's document was made by government researchers setting principles to follow when doing so.

VOIPSA last week cataloged 36 pages of potential VoIP vulnerabilities and plans to issue a separate document by year-end that describes how technologies, without mentioning vendors, can protect networks.

The list of potential vulnerabilities, called "VoIP Security and Privacy Threat Taxonomy," defines potential threats, Graydon says. In addition, the taxonomy can inform businesses considering VoIP about known threats so they can deal with them. "It describes a set of risks you need to be mindful of, specific issues you might want to be concerned about," says Jonathan Zar, the head of the project.

The study lists potential problems including theft of service, spamming, intentional disruption of services, number harvesting, man-in-the-middle attacks, call rerouting and altering conversations. Solutions for some of these problems exist today.

VoIP, as a software application running on IP networks, is open to many threats, says Art Manion, an Internet security analyst for the Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh. While the potential exists, he says he is unaware of any exploit being carried out to exclusively target VoIP.

"Every piece of software has vulnerabilities, and that includes VoIP software," Manion says. "A VoIP phone is a small computer, so the same problems that affect Web servers and browsers can affect VoIP."

VoIP is also susceptible to general network threats, such as denial-of-service attacks, worms and viruses. These don't have to take down the network entirely to affect a voice call; they just have to cause enough delay and jitter to break up the stream of voice packets to cause audible disruption, he says. Assuring the general security of the network is a must for VoIP security.
