Voice over IP, like many new technologies, suffers from having security as an afterthought. Headlines tell of VoIP vulnerabilities that can lead to eavesdropping, a new form of spam, even denial-of-service attacks that can take down the one communication network that businesses rely on most.
Lawrence Orans, a research director with Gartner, says some of these threats are overblown and aren’t likely to happen in a corporate setting. Frank Dzubeck, president of Communications Network Architects, which analyzes the industry, believes that given the lack of security built into IP, anything can happen. Network World Senior Editor Cara Garretson spoke with both, aiming to separate hype from reality.
Audio feed: Listen to the entire Q&A on VoIP security issues by Cara Garretson, Lawrence Orans and Frank Dzubeck (25:18)
LO: First of all, I’d like to clarify the term voice over IP. Voice over IP is an umbrella term. We see it used for all forms of packetized voice, whether it’s Internet telephony, such as Skype, or Internet telephony services provided by cable operators. We also see Voice over IP used interchangeably with IP telephony, which is very much enterprise focused. And there the problems are very real.
[VoIP] is really just another application running over the network, and it’s been the most reliable, so any outage or security breach is just a huge problem. The lack of high-profile attacks has lulled people into a false sense of security. However, the actual threats are very real. With IP telephony, we’ve got a second computer on someone’s desk; the IP telephony handset has memory, and it’s got an operating system. True, it’s a hardened appliance, but still it can be attacked. The PBX server itself, that can also be attacked. And also the protocols themselves, many of the signaling protocols are still relatively new or they’re proprietary, so in either case they’ve not undergone a level of scrutiny for security vulnerabilities as a more mature protocol. So overall I would say the threats are very real and the key thing is to understand the issue well enough so that you can separate the overhyped threats from the real threats.
FD: The issue is IP itself. IP was never designed with security in mind. Voice over IP, correct, it’s an application, and as an application inside the enterprise it’s going to be a pervasive application. But the issue is . . . it has all the vulnerabilities. If you don’t take a look at the security aspects upfront for voice over IP, then you stand a tremendous disaster staring you in the face, because the holes will occur.
I’m in one bit of disagreement with what was said previously [by Orans] and that is . . . the evolution into the Internet space is not a subtlety; it’s a significant piece of this puzzle. Integrating the Voice over IP that may be [on a LAN] and the Voice over IP that’s going to be Internet-based is going to become a reality . . . and if we don’t kill the security aspects now, we never will.
Comments (6)
Hype vs. reality in VoIP security
By Anonymous on January 31, 2007, 8:59 am
I can honestly say for once that I completely agree with a NetworkWorld article (First time in many years, LOL). The problem is inherent to IP in general and...
Hybrid systems are at higher risk.........
By Anonymous on January 31, 2007, 9:15 am
Just one more thought, hybrid PBX systems should really be what the industry should be concerned about. These systems were not meant to be connected to a data network...
Good Article
By Anonymous on January 31, 2007, 1:01 pm
The idea of “IF IT ISN’T BROKE DON’T FIX IT” runs rampant within the voice industry especially within the vars. This one statement proves that this industry has...
Really very nice and useful
By Anonymous on February 2, 2007, 12:26 am
Really very nice and useful article.
Nationwide VPN
By Vic on March 17, 2007, 3:37 am
Even the overhyped threats are necessary. Sometimes you have to point out the problems that will strike fear in everyone's minds, like eavesdropping, so that when...
VOIP
By Anonymous on November 6, 2007, 3:26 am
I think VOIP is great and I haven't had a problem with the security issues. It's a must for business owners if they want to increase revenue. There are many high...