Taking care of VoIP

VoIP is unknown territory and enterprises are largely ignorant of the security threats that their networks face. Abby Tang, Enterprise Solution Marketing Manager, Asia Pacific, Juniper Networks talks to Anil Patrick R on the pros and cons of this technology

How extensive is Voice over IP (VoIP) adoption in India? What are the security threats that Indian CIOs deploying this technology need to be aware of?

India has seen good growth in terms of VoIP deployments over the past couple of years. For example, an IDC report said that India witnessed VoIP investments of $26.6 million in 2002. In 2003, the investments were to the tune of $51.8 million. This is a 95 percent growth in the span of a year.

Much, however, needs to be done. For example, due to certain regulations there are no domestic long distance calls being made by Indian VoIP users. So 85 percent of these are to international locations. We can expect changes if regulations like these are modified.

In terms of security threats, DDoS (Distributed Denial of Service) is something that companies face all the time, although, they don't admit it. The problem out here is that with shared network, both data and voice get affected. If you are getting a DDoS, it means you don't have full bandwidth for the voice call. In such cases, you get jitter, which means that you can't hear what the other side is saying. The second VoIP threat is spam.

These days the enterprise is not being too careful on security so there is minimal protection on anti-spoofing for VoIP calls. This can be dangerous because you can pretend to be someone else and create mischief. For example, imagine that you know a CEO's phone number. Let us suppose that I am spoofing the CEO's phone number. This helps me to pretend as the CEO and call back the office. Not everyone will challenge the CEO's caller ID. That would be a big social engineering issue.

Viruses and worms threaten networks. Do these affect the security of VoIP networks as well?

If something such as Sasser or the Love virus or any kind of attack happens again, it will kill the VoIP network. Since the voice network resides in the same network as the data, it will kill the quality of the call and lead to the collapse of the whole network.

How does an enterprise protect itself?

Protecting the network is just as hard as fighting threats such as phishing. Authentication, too, is a challenge.

What is missing in VoIP in terms of problem solving?

I think what needs to be done is add authentication mechanisms such as PKI (Public Key Infrastructure). It will be difficult to do two factor authentication over VoIP. This is why PKI is something that can be really looked at.

In addition to this, organisations should look at methods such as adding VoIP-enabled firewalls and IDP (Intrusion Detection Protection). IDP or an Intrusion Protection System can scan for known signatures. This will help it has artificial intelligence to scan and block threats such as worms and spam in real-time. It will also help in terms of VoIP. Encryption is also a must in terms of VoIP security.

Do protocols such as SIP and ITU H.323 provide VoIP security features?

I don't think so.

Both are major protocols fighting each other for supremacy. While it is great to have an open protocol to work on instead of having none at all, I don't think these protocols have any VoIP security features.

What do you think about segmenting voice and data in a network using methods such as VLAN?

On the physical side, it is being done with separate equipment for voice and data. However, I think this is an inefficient way because if you already have a box, then you have to duplicate all your equipment.

Even with a VLAN you can do that, but the assumption is that all equipment in the network will support VLANs. So I think MPLS will be the way to go to support dedicated resource arrangements and address quality of service (QoS) issues.

How are things faring on the QoS front?

A lot of the gear that the Internet is using now is not really QoS-enabled. Some of the gear is, but once you enable QoS, it kills 70 percent of QoS of the router itself. So the QoS that is being promised is actually killing 70 percent of the router's utilisation.

This is not feasible and people have to re-evaluate what is out there in the market. Then they have to make their own choice about what is necessary for the next generation network.

And are there any VoIP security tools available?

The most I have seen as of now is gateway levels of protection for VoIP.

Basically these involve blocking and enabling of various ports. Encryption is also part of it, but PKI is still not there as yet.

Are there any other issues with regard to VoIP security?

Just like wireless when things were being first deployed, security will also have to be part of the selection parameters. It is extremely important for the enterprise to consider this during large deployments.

This is overlooked to a great extent these days. We have seen customers who come to our VoIP training seminars and say 'I don't know much about VoIP, but all I know about it is that it is very cheap and I need to deploy it'.

Don't do that.

You really have to think through issues like the impact of relying too much on VoIP. For example, if the electricity goes down, how are you going to make all the emergency calls? Or if the network goes down, what will be the business impact be? VoIP is very good because it does lower costs, but if it is not deployed carefully, it can also hurt businesses a lot.

Anil Patrick R can be reached at anilpatrick@networkmagazineindia.com