Security: Secrets and Hype

Greatest Challenge in VoIP Security

The greatest challenge in VoIP security is that there are very few good example case studies available. There are some very good VoIP deployments. But try to find a white-paper with someone disclosing all the their success stories in building a perfect VoIP network. No luck! Unfortunately much of that data is hidden in confidential documents. Still, I have really loved to see VoIP security emerge and evolve from being a hindrance in VoIP deployment, into a key marketing value. Finally some of those success stories will get a chance to see daylight.

VoIP security appears very different from the perspectives of each involved person. For real-world network implementers any available techniques are absolute life-savers. Imagine yourself into the shoes of a legacy telecoms engineer. You know (and nobody believes you) that all telephony systems can be shutdown by anyone with access to the core network. You also know (even though you do not want to know) that all the last-mile engineers can listen into anyone's calls, in the same way as any legal authorities can. And this is just to name a few problems with legacy telephony. Now think VoIP, and all problems are solved (if you want to).

For managers, telephony has always been one of the biggest line items in IT (especially my CEO has always complained about my higher-than-life monthly mobile phone bills). To them, VoIP equals "free". Still, even they understand that for "free" you do not get security. The result is that to them, security in VoIP is the bad news, it equates to the costs that they would love to live without. Still, it is them who make the final decision on what gets funded and what not.

But especially for us security specialists, VoIP security is fun. Let's face it, web security is for dummies. There is nothing challenging really with Wild Wild Web anymore. But what about VoIP? Well, you need to have complex encryption schemes, different ones for different protocol layers, and different ones for various protocols running on those layers. You need at least two or three authentication servers, most probably from different vendors and preferably using as many proprietary data storage formats as possible. And think VPN, IDS, patch deployment, anti-virus, SPIT, ... Oh, I wish I had my own VoIP network also. VoIP is definitely for the best of the best in network security.

But please do not let your excitement win over reason. Fortunately you do have these three roles involved with most VoIP deployments. The legacy telecoms engineer (or should I say engineer with a background in legacy telecoms, as hopefully you are not going to get rid of him) will bring the requirements and healthy reasoning to the mix. "Why have encryption when we have never ever needed that in the past?", could be one question he will raise. "But we do need the best encryption off-loaders, and the best key escrow tools because...", this could sound like logical reasoning for the security engineer.

Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world