by Edwin Mier

VoIP security tools are lacking

May 31, 2004 | 5 mins
Cisco Systems, Networking, Security

Better education and interfaces also needed.

In last week’s Clear Choice Test on VoIP security, in which we set hackers loose on IP telephony configurations from Cisco and Avaya, I got to play referee in this first-of-its-kind product testing. I was privy to how the hackers planned to attack and how the vendors planned to defend against them. Imagine wearing a zebra-striped shirt on Omaha Beach on D-day.

As it turned out, more Cisco security gurus showed up than we had hackers. I figured that was for psychological effect, but I was only partly right. Over the course of the testing I saw the scope and breadth of settings and interfaces involved in configuring and tuning the gamut of Cisco’s security stuff. Mind-boggling is an understatement.

The Cisco VoIP system and underlying Layer 2/Layer 3 infrastructure – all Cisco stuff of course – held up so well against our hacker assaults because the security and defense pieces were implemented in every layer of the architecture. There were security pieces in the VoIP CallManager servers, in the Catalyst switches, in the IOS-based routers, in the intrusion-detection system and in the multiple PIX firewalls. That amounts to a half-dozen radically different platforms, each with its own management interface. Watching the Cisco team (which totals an estimated $1 million in combined annual salaries) adjust and configure all its security stuff, I understood why so many of them had shown up.

If IP telephony is going to prevail, there will have to be some better way for normal users to set up and adjust all of the pertinent pieces needed to make their VoIP networks secure. On the Avaya front, there were fewer security pieces to configure. That’s the good news. But the overall security effectiveness of the Avaya solution? That’s the bad news.

Avaya actually touts that it is switch-agnostic. That means it will do its best, security-wise, running the Avaya IP telephony package over whatever network infrastructure the customer prefers. We tested its VoIP products running over Avaya Layer 2 switches, and then over Extreme Summit and Alpine systems. Avaya had no more than three engineers on-site during the testing. Cisco showed the world that building a secure VoIP network is possible. But it has a long way to go to convince the world that its customers can do it themselves, affordably and effectively.

How to proceed? Ahem . . . Cisco, are you listening?

The challenge

Ours is a two-part challenge to VoIP vendors. First, make VoIP security education and VoIP security technical assistance more readily available. Second, we’d like to see better tools and user interfaces, in the long run, that let users more globally set security parameters.

Phase 1: Education and assistance. Cisco does have some literate documentation on its Web site about securing VoIP. You get to that information by searching on “SAFE” from the Cisco home page.

There are also online resources that are helpful for configuring many of the Cisco security pieces.

For now, end users need to share the burden with vendors. Like it or not, network managers have so far had to learn about the mechanics of firewalls, VPN gateways and the like. Getting your arms around the additional pieces for a secure, full-stack IP telephony deployment is a necessary expense. Just accept it. Half is theory; the other half is vendor-specific. Hopefully scenarios such as ours last week will start to force VoIP and IP telephony vendors to put together, and tighten up, packages that offer effective security. However, we are challenging Cisco, Avaya and the rest of the VoIP vendors to offer prospective customers free VoIP security training or, better yet, throw in a network-assessment and security audit with your package, with specifics about how that particular user can best patch security holes and vulnerabilities.

Phase 2: Better tools and interfaces are imperative. What do I mean? Go to your Internet Explorer browser. Go to Tools, Internet Options and look at the Security tab. If you are a masochist, you can select Custom and try to configure the dozens of security settings yourself. But you can also just select from a few general settings: Low, Medium and High. VoIP vendors need to reach for that security configuration model. Cisco and other vendors need to develop a tool that takes a customer’s general direction (say, bulletproof, pretty safe and wide open), and then automatically applies all the appropriate settings to all the assorted Cisco components.

Because Cisco and Avaya stepped up to the plate in our inaugural VoIP security testing, we offer both companies space in print to respond to this two-part challenge. But that is not to say that we don’t want to hear from other VoIP vendors who’ve got something to say on this matter. We’ll publish those responses in our online forum on this topic.

So let us know how deploying VoIP security is going to be handled in the future, because it’s a long, long way from perfect now.

Mier is a network technologist, consultant, author and founder of Miercom, a network product test center in Cranbury, N.J. He can be reached at