Taking care of VoIP
is unknown territory and enterprises are largely ignorant of the security threats
that their networks face. Abby Tang, Enterprise Solution Marketing Manager,
Asia Pacific, Juniper Networks talks to Anil Patrick R on the pros and
cons of this technology
How extensive is Voice over IP (VoIP) adoption in India?
What are the security threats that Indian CIOs deploying this technology need
to be aware of?
India has seen good growth in terms of VoIP deployments over the past couple
of years. For example, an IDC report said that India witnessed VoIP investments
of $26.6 million in 2002. In 2003, the investments were to the tune of $51.8
million. This is a 95 percent growth in the span of a year.
Before implementing VoIP solutions
you have to think through issues such as the impact of relying too much
on VoIP. For example, if there is no power, how are you going to make
emergency calls? Or if the network goes down, what will the business impact
Much, however, needs to be done. For example, due to certain
regulations there are no domestic long distance calls being made by Indian VoIP
users. So 85 percent of these are to international locations. We can expect
changes if regulations like these are modified.
In terms of security threats, DDoS (Distributed Denial of Service) is something
that companies face all the time, although, they don't admit it. The problem
out here is that with shared network, both data and voice get affected. If you
are getting a DDoS, it means you don't have full bandwidth for the voice call.
In such cases, you get jitter, which means that you can't hear what the other
side is saying. The second VoIP threat is spam.
These days the enterprise is not being too careful on security so there is minimal
protection on anti-spoofing for VoIP calls. This can be dangerous because you
can pretend to be someone else and create mischief. For example, imagine that
you know a CEO's phone number. Let us suppose that I am spoofing the CEO's phone
number. This helps me to pretend as the CEO and call back the office. Not everyone
will challenge the CEO's caller ID. That would be a big social engineering issue.
Viruses and worms threaten networks. Do these affect the
security of VoIP networks as well?
If something such as Sasser or the Love virus or any kind of attack happens
again, it will kill the VoIP network. Since the voice network resides in the
same network as the data, it will kill the quality of the call and lead to the
collapse of the whole network.
How does an enterprise protect itself?
Protecting the network is just as hard as fighting threats such as phishing.
Authentication, too, is a challenge.
What is missing in VoIP in terms of problem solving?
I think what needs to be done is add authentication mechanisms such as PKI (Public
Key Infrastructure). It will be difficult to do two factor authentication over
VoIP. This is why PKI is something that can be really looked at.
In addition to this, organisations should look at methods such as adding VoIP-enabled
firewalls and IDP (Intrusion Detection Protection). IDP or an Intrusion Protection
System can scan for known signatures. This will help it has artificial intelligence
to scan and block threats such as worms and spam in real-time. It will also
help in terms of VoIP. Encryption is also a must in terms of VoIP security.
Do protocols such as SIP and ITU H.323 provide VoIP security
I don't think so.
Both are major protocols fighting each other for supremacy. While it is great
to have an open protocol to work on instead of having none at all, I don't think
these protocols have any VoIP security features.
What do you think about segmenting voice and data in a
network using methods such as VLAN?
On the physical side, it is being done with separate equipment
for voice and data. However, I think this is an inefficient way because if you
already have a box, then you have to duplicate all your equipment.
Even with a VLAN you can do that, but the assumption is that
all equipment in the network will support VLANs. So I think MPLS will be the
way to go to support dedicated resource arrangements and address quality of
service (QoS) issues.
How are things faring on the QoS front?
If something such as Sasser or the Love virus or any
kind of attack happens again, it will kill the VoIP network. Since voice
resides on the same network as data, quality of calls will deteriorate
and lead to a network collapse
A lot of the gear that the Internet is using now is not really
QoS-enabled. Some of the gear is, but once you enable QoS, it kills 70 percent
of QoS of the router itself. So the QoS that is being promised is actually killing
70 percent of the router's utilisation.
This is not feasible and people have to re-evaluate what is out there in the
market. Then they have to make their own choice about what is necessary for
the next generation network.
And are there any VoIP security tools available?
The most I have seen as of now is gateway levels of protection for VoIP.
Basically these involve blocking and enabling of various ports. Encryption is
also part of it, but PKI is still not there as yet.
Are there any other issues with regard to VoIP security?
Just like wireless when things were being first deployed, security will also
have to be part of the selection parameters. It is extremely important for the
enterprise to consider this during large deployments.
This is overlooked to a great extent these days. We have seen customers who
come to our VoIP training seminars and say 'I don't know much about VoIP, but
all I know about it is that it is very cheap and I need to deploy it'.
Don't do that.
You really have to think through issues like the impact of relying too much
on VoIP. For example, if the electricity goes down, how are you going to make
all the emergency calls? Or if the network goes down, what will be the business
impact be? VoIP is very good because it does lower costs, but if it is not deployed
carefully, it can also hurt businesses a lot.
Anil Patrick R can be reached at firstname.lastname@example.org