January 05, 2011, 2:14 PM — Among the threats that keep IT security managers up at night, attacks against phone systems have often ranked near the bottom. The last time we asked IT leaders about their telephony security plans, just 2% had experienced a security incident, and in almost all of these cases, the attack was internal misuse of phone systems for personal long-distance calls. Few had developed any sort of comprehensive security or risk analysis plan covering their voice systems.
Even the migration of digital phone systems to IP over the last few years hasn't done much to raise security concerns. Sure, the ability to support encryption is a line item on every RFP, but organizations rarely actually enable it. Instead, most architects assume that because their IP phone system is separated from the public phone system by a TDM-to-IP gateway, and logically isolated from their internal applications by separate VLANs, they are safe from attack.
They couldn't be more wrong.
Thanks to SIP trunking, unified communications, and fixed-mobile integration, the walls around telephony systems are falling, exposing critical communications to new risks and new vectors of attack, and creating a need for proactive security approaches.
SIP trunking deployments rose 61% in 2009, while 96% of the more than 200 companies participating in our research benchmark are either planning future deployments or evaluating services. SIP trunking provides a direct IP-based interface between a public network service and an enterprise's on-premises telephony/UC platforms, which raises security concerns. As a result, more than 74% of companies are either deploying or planning to deploy SIP-aware security devices, such as firewalls or session border controllers, as part of their SIP trunking initiative.
Meanwhile, the old idea of isolating voice onto its own VLAN to protect it from other network threats is gone, thanks to unified communications. With UC clients combining voice, video, and chat in a single application, it's virtually impossible to isolate voice traffic from other application traffic. As a result, most voice/UC deployments now include application optimization to prioritize voice services ahead of other network traffic, protecting voice during denial-of-service or other attacks that constrain available bandwidth and processing power.