The greatest challenge in VoIP security is that there are very few good example case studies available. There are some very good VoIP deployments. But try to find a white-paper with someone disclosing all the their success stories in building a perfect VoIP network. No luck! Unfortunately much of that data is hidden in confidential documents. Still, I have really loved to see VoIP security emerge and evolve from being a hindrance in VoIP deployment, into a key marketing value. Finally some of those success stories will get a chance to see daylight.
VoIP security appears very different from the perspectives of each involved person. For real-world network implementers any available techniques are absolute life-savers. Imagine yourself into the shoes of a legacy telecoms engineer. You know (and nobody believes you) that all telephony systems can be shutdown by anyone with access to the core network. You also know (even though you do not want to know) that all the last-mile engineers can listen into anyone's calls, in the same way as any legal authorities can. And this is just to name a few problems with legacy telephony. Now think VoIP, and all problems are solved (if you want to).
For managers, telephony has always been one of the biggest line items in IT (especially my CEO has always complained about my higher-than-life monthly mobile phone bills). To them, VoIP equals "free". Still, even they understand that for "free" you do not get security. The result is that to them, security in VoIP is the bad news, it equates to the costs that they would love to live without. Still, it is them who make the final decision on what gets funded and what not.
But especially for us security specialists, VoIP security is fun. Let's face it, web security is for dummies. There is nothing challenging really with Wild Wild Web anymore. But what about VoIP? Well, you need to have complex encryption schemes, different ones for different protocol layers, and different ones for various protocols running on those layers. You need at least two or three authentication servers, most probably from different vendors and preferably using as many proprietary data storage formats as possible. And think VPN, IDS, patch deployment, anti-virus, SPIT, ... Oh, I wish I had my own VoIP network also. VoIP is definitely for the best of the best in network security.
But please do not let your excitement win over reason. Fortunately you do have these three roles involved with most VoIP deployments. The legacy telecoms engineer (or should I say engineer with a background in legacy telecoms, as hopefully you are not going to get rid of him) will bring the requirements and healthy reasoning to the mix. "Why have encryption when we have never ever needed that in the past?", could be one question he will raise. "But we do need the best encryption off-loaders, and the best key escrow tools because...", this could sound like logical reasoning for the security engineer.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
