Among the threats that keep IT security managers up at night, attacks against phone systems have often ranked near the bottom. The last time we asked IT leaders about their telephony security plans, just 2% had experienced a security incident, and in almost all of these cases, the attack was internal misuse of phone systems for personal long-distance calls. Few had developed any sort of comprehensive security or risk analysis plan covering their voice systems.
Even the migration of digital phone systems to IP over the last few years hasn't done much to raise security concerns. Sure the ability to support encryption is a line item on every RFP, rarely do organizations actually enable it. Instead, most architects rely on the assumption that since their IP phone system is separated from the public phone system via a TDM-to-IP gateway, and logically isolated from their internal applications via separate VLANs, they are safe from attack.
They couldn't be more wrong.
Thanks to SIP trunking, unified communications, and fixed-mobile integration the walls around telephony systems are falling, exposing critical communications to new risks, new vectors of attack, and a need for proactive security approaches.
Also watch: Worst network security moments
SIP trunking deployments rose 61% in 2009, while 96% of the more than 200 companies participating in our research benchmark are either planning future deployments or evaluating services. SIP trunking provides a direct IP-based interface between a public network service and an enterprise's on-premise telephony/UC platforms, raising security concerns. As a result, more than 74% of companies are either deploying, or planning to deploy SIP-aware security devices such as firewalls or session border controllers as part of their SIP trunking initiative.
Meanwhile the old idea of isolating voice onto its own VLAN to protect it from other network threats is gone thanks to unified communications. With deployments of UC clients encompassing voice, video, and chat into a single application, it's virtually impossible to isolate voice traffic from other application traffic. As a result, most voice/UC deployments now include application optimization to prioritize voice services ahead of other network traffic, protecting voice during denial of service or other attacks that constrain available bandwidth and processing power.
Finally, an increasing number of IT leaders tell us they are taking another look at IP telephony plans based on replacing digital phones with IP handsets; finding that these plans are falling out of sync with a growing virtual and mobile workforce that spends less and less time in a fixed office. Instead, IT leaders increasingly seek to leverage technologies such as softphones and fixed-mobile integration to enable their workers to use their cell phone just as they would use a desktop extension. FMC raises significant security concerns, not only from the need to allow access to enterprise telecom systems from devices residing on public networks, but also because of the need to protect data stored on a mobile device in the event of loss or theft.
The bottom line? The old calculation based on "I'm safe, because I'm isolated" no longer adds up. Security and telecom managers who neglect voice do so at their own peril.
Lazar is vice president and service director at Nemertes Research and is filling in for Andreas Antonopoulos this month, Andreas will be back soon....
Read more about wide area network in Network World's Wide Area Network section.
This story, "Ignore telephony security at your peril" was originally published by Network World.