Tuesday, August 28, 2007

VOIP Eavesdropping

Working in this industry is a little like walking into a supermarket and trying to find something "not unhealthy" to eat: everywhere you look, there are problems.

Take, for example, VOIP.

I'm not talking about the issues that bedevilled Skype this past week (although that seems to be developing into a fascinating story about what happens when one node on a peer-to-peer network gets out of sync and "central command" lacks sufficient permissions to prevent disaster) - I'm talking about the issues that are emerging relevant to VOIP and security.

VOIP, as we all know, stands for Voice Over Internet Protocol. And it is the "IP" part of this anagram this is both the root of its greatness and its largest potential weakness. Because if your systems are not architected just right, introducing VOIP into your business can introduce an easily-exploitable vector for corporate espionage.

By corporate espionage, I mean the ability to "listen in", record, or otherwise intrude on your corporation's most sensitive phone discussions.

Will Stofega, research manager for VoIP services at IDC, recently said “One or two years ago, the discussion of VoIP security risks was theoretical. What we’re going to start seeing is the threat of moving from theoretical to reality.”

This is no longer a theoretical threat. Stan Quintana, VP of Managed Security Services at AT&T, who I had the pleasure of meeting last year, believes, when it comes to VOIP traffic, "there is substantial exposure to intercepting that conversational data and monitoring it."

Bogden Materna, CTO and VP Engineering for VOIPshield Systems, recommends deploying a "multi-layer security infrastructure that... consists of... SBCs, VOIP Network Intrusion Prevention Systems (NIPS), VOIP DoS defenses, VOIP Network Intrusion Detection Systems (IDS), Host IPSs, AAA servers, encryption engines and VOIP antivirus software."

That may not be overkill - it is absolutely essential to protect voice communications in an enterprise, and VOIP needs added protection so confidence doesn't wane.

Because, as we saw last week in the Skype situation, people will very quickly start experiencing fond recollections of 100 year old POTS technologies when VOIP clients suddenly become unavailable, or start affecting (or infecting) other clients on the network.

No comments: