Voice over IP: Security issues to the fore
With the growing acceptance of Voice over Internet Protocol
(VoIP) in India, enterprises have changed their way of communicating within
and outside the organisation. Enterprises in India, as well as those in the
rest of the world, have successfully used this technology and derived cost savings
and other benefits from it. VoIP has now been adopted universally as a reliable
technology alternative by which voice is transmitted over a data network. While
the acceptance level of VoIP has gone up, threats are looming large with voice
spam being a significant blight on the horizon. Questions remain as to how a
flood of voice spam will affect the market for VoIP and how vendors selling
VoIP equipment are going to tackle this challenge. By Faiz Askari
boom time for VoIP in India. Nagendra Venkaswamy, Managing Director (India &
SAARC), Juniper Networks says, India has the potential to be the worlds
largest market after China, due to rising broadband penetration, a huge market
and the importance placed on cost savings.
Agreeing to the fact that VoIP is growing rapidly in India,
Jayesh Kotak, Vice-president, Marketing, D-Link India highlighted another aspect
of the technology, There is no doubt that VoIP is a growing segment. However,
SMBs have not been able to benefit much from this technology. The government
has allowed logical partitioning, but the benefits will only be widely enjoyed
when VoIP is fully deregulated.
Minhaj Zia, Business Development Manager, Cisco Systems India & SAARC explains,
The market for VoIP services in Asia, including Japan, will grow by $one
billion per year between 2005 and 2009, topping $10 billion in 2009.
The proliferation of VoIP services across Asia-Pacific will rise as telecommunications
markets open up. According to the latest report by Frost & Sullivan, this
move coupled with the increasing differential between PSTN (public switched
telephone network) and VoIP tariffs will ignite VoIP services to revenue growth
rates exceeding 320 percent y-o-y.
Spam redux: this time its vocal
VoIP spam involves a script sending out mechanically replicated voice messages
that can flood corporate VoIP systems inundating voicemail in-boxes. It could
also be used for phishing to steal personal information such as bank account
numbers and passwords. This kind of spam is particularly dangerous in the case
of VoIP because people generally trust the phone more than they do the computer,
so they are more likely to offer important information on the phone. In the
past the corporate phone systems required some sort of human intervention, but
with VoIP, the process of generating spam or phishing calls en masse is entirely
Jayasimha Vardarajan, Vice-president, IT Infrastructure, Thomson Financials
elaborates, Security threats can emerge from a VoIP network if a valid
IP address is hacked or stolen for the network will trust the stolen address
and will let itself be misused to generate spam. Perimeter security has
to be stringent and there should be security devices that will inform the organisation
as soon as the perimeter security is breached before the threat strikes.
He adds, If the VoIP networks security is breached it can lead to
Denial of Service (DoS) where basic services are denied and access to basic
applications is blocked.
Kiran Bhagwanani, Vice-president, APAC Sales, HCL Comnet adds, With the
advent of VoIP-based application, there is definitely a threat of voice spam
and call hijacking / redirection. We are already seeing a lot of voice spam
in the existing telecom space, where telemarketing, advertising and even political
propaganda is being done on cellular phones and personal fixed-line phones.
Zia of Cisco says that theres no denying that security is an important
factor while deploying IP telephony, whether you are deploying a native IP solution
or a hybrid one.
Given the risks, its imperative that a corporation conduct a thorough
evaluation of its security infrastructure before deploying an IP telephony solution,
adverse impact of threats on this growing market segment can be curtailed if
organisations adopt stringent security practices. The design and implementation
of an IP telephony solution should result in focussed attention on an organisations
overall security plan, and ultimately, may even serve to improve security levels.
Venkaswamy of Juniper says, VoIP technology is dramatically transforming
the telecommunications industry. However, industry observers are cautioning
that the open nature of a VoIP phone call makes it easy for spammers to send
audio-commercials to VoIP voice-mail in-boxes in much the same way that they
carpet bomb e-mail in-boxes today.
Without the use of strong encryption, a VoIP call is no different from an unsecured
analogue line. VoIP vendors will need to address these issues quickly. Just
as Web users can be plagued by pop-up advertisements and spam e-mail, it is
expected that VoIP services will be the next target. Users could find calls
redirected or hijacked by advertisements. 2007 is expected to be a good year
for VoIP applications. It will also be the year of voice spam.
Kotak of D-Link adds, The threats have always been there and there will
be ways to counter it. Has the spam affected e-mail usage negatively? In fact,
everyone is now aware of such challenges and technology has the capability to
counter these problems.
Rajnish Gupta, Director, Marketing, Tadiran Telecom India
feels, It is one of the major bottlenecks when it comes to VoIP penetration
but there is a lot of work going on to counter the threat of voice spam. In
case of our solution, when using VoIP, there is full protection against voice
spam as all the users connected to our systems are fully authenticated and only
registered users are allowed to access the system.
Filtering voice spam
IP telephony is essentially just another service running on a network, and all
of the security technologies and policies that companies have deployed for their
data networks can protect voice services as well. This differentiates IP telephony
and unified communications from traditional telephone systems, which often lack
general-purpose, cost-effective security measures that can be easily adapted
as business conditions change.
Bhagwanani of HCL says that latest security solutions have the capability to
inspect VoIP traffic at the application level with authentication mechanisms,
PKI (Public Key Infrastructure) certificate-based systems and encryption technology
being incorporated into the VoIP solution framework, the threats posed would
be mitigated to a large extent.
While explaining about how the voice spam threat can be handled, Zia of Cisco
informs that security is among the most important differentiators of any IP
telephony solution. Independent tests by Miercom have rated Cisco voice security
as the best in the industry. To date, we are the only IP telephony vendor
to earn Miercoms highest rating of secure for its proven ability
to defend an IP telephony service against malicious attacks. An expert team
of hackers, assembled and supervised by Miercom, could not disrupt, or even
disturb, phone service or features after three days of continual, sophisticated
attacks, says Zia.
In terms of security, VoIP solutions also provide integrated security that protects
the entire network over which voice traffic travels. However, technology has
reached a level where multiple layers of defence existfor the infrastructure,
call management, applications, and end-pointsto protect against known
threats, as well as emerging unknown ones.
VoIP spam involves a script sending
out mechanically replicated voice messages that can flood corporate VoIP
systems inundating voicemail in-boxes. It could also be used for phishing
to steal personal information such as bank account numbers and passwords.
This kind of spam is particularly dangerous in the case of VoIP because
people generally trust the phone more than they do the computer
Corporations that are implementing VoIP technologies in a bid to cut communications
costs shouldnt overlook the security risks that can crop up when the worlds
of voice and data converge, say users and analysts.
Enterprises need to protect their data and VoIP environments by implementing
a combination of anti-virus, firewalls, intrusion detection systems (IDS), encryption
and virtual private networks (VPNs). Perhaps the most important measure to be
taken is the separation of voice and data traffic.
Dabinder Singh, Head, IT, Greenply Industries says, To ensure the protection
of your VoIP network you should see to it that the ISP has anti-spam and firewall
systems in place and the domain provider of an organisations Web site
should be equipped with perimeter security.
Bhagwanani of HCL suggests that at the network level, products such as firewalls,
IDS and IPS have application-specific engines that can do deep-packet inspection
of VoIP, traffic in real-time so that no delays are introduced into the voice
path. Voice solutions have incorporated technologies such as Secure RTP (Real-Time
Transport Protocol), which gives media encryption for the voice stream, end-point
(phones or soft-clients) authentication using digital signatures, hardened OS-platform
for the IP-PBX to mitigate attacks and secure communication between gateways
which are responsible for PSTN interconnects. Plus all systems also provide
extensive logging and accounting capabilities, which allow for auditing of all
Security experts predict that the next level of attacks will target services
such as VoIP as well as Internet ielephony (Skype). Although Indian usage of
these services is yet to gain critical mass, organisations that are already
using these services need to watch out.
Venkaswamy of Juniper suggests an approach wherein multiple elements that ensure
the security of a converged (voice, data, and video) network are incorporated.
For threat defence it is important to address network and system protection
with technologies such as firewalls and IDS. Connectivity is secured with the
help of IPSec VPN, SSL VPN and Voice and video-enabled VPN (V3PN) to ensure
that sensitive data, voice and video communications are secure and intact as
they are transported across public and private networks. Trust and identity
management solutions help companies identify, and then permit or restrict, both
people and machines (such as IP phones) that have access to network resources.
IP phones now affordable
Zia of Cisco says, The high prices of IP phones have always been a limiting
factor for VoIP. With prices reducing, market penetration will increase. Also,
there are a host of cost and productivity benefits from VoIP implementations
that can enhance adoption.
IP telephony reduces administrative, networking and IT support costs and improves
collaboration and mobility for users. While savings differ from company to company
and vary from installation to installation, it is common for early users to
achieve a quick return on investment (RoI).
Agrees Bhagwanani of HCL, With the drop in prices of VoIP equipment, the
cost divide between the legacy TDM (Time Division Multiplexing) equipment and
VoIP gear has drastically reduced. Price reductions are linked to demand,
with the increased sales of IP telephony products, we can expect additional
drop in prices. Moreover VoIP as a technology has matured and hence vendors
are rolling out newer equipment with better features and performance at lower
price points. This is also driving market penetration in a big way.
Zia adds, The greatest cost benefits come from green-field deployments
and full-replacement installations. On an average, customers can recover their
investments within two years. Some organisations have experienced a reduction
in costs by 15 percent, going up to 40 percent in certain cases, depending upon
Venkaswamy of Juniper says, Deregulation has proved to be the biggest
enabler for the proliferation of the service, making Asia-Pacific one of the
fastest-growing markets in the world for IP telephony services. Value-added
services such as VoIP over broadband, unified communications solutions and voice
portals would provide a possible revenue stream and market niche for smaller
Kotak of D-Link adds, There are two ways of looking at this, even without
concern of revenue loss from using VoIP for national long distance the prices
have fallen down, so what is the harm in opening it up. The other way is imagine
the prices when customers have choice of VoIP as well. This will benefit the
competitiveness and the productivity of the SMB.
Regulatory curbs remain
IP telephony faces certain challenges that impede its growth.
In India, the biggest of these were regulatory restrictions imposed by the Indian
government and interoperability issues that result from a lack of standardisation.
Till recently, companies were disallowed from maintaining a single infrastructure
for PSTN and CUG. However with Telecom Regulatory Authority of India notifying
approval for logical partitioning of PSTN and Closed User Group
(CUG) networks, enterprises, service providers, application software developers
as well as Internet telephony vendors have reason to rejoice. Corporate users
now can slash down the investment that goes into setting up networks, as they
would not have to manage the expense of two separate PSTN and CUG networks.
Bhagwanani of HCL says, The relaxation in regulations has been one of
the key drivers in the increased adoption of VoIP as a technology for voice
services. With the legal issues addressed, customers have started deploying
VoIP and are seriously considering VoIP for all their new implementations.
Interoperability is a major concern due to lack of standardisation.
However, with the adoption of a standard protocol such as SIP (Session Initiation
Protocol) in the Call Control Engine organisations can integrate their legacy
or hybrid systems with Cisco IPT solutions thereby preserving their investment.
Gupta of Tadiran says, Once the interconnection restrictions are removed
/ relaxed, VoIP shall penetrate the Indian market in a big way. Today many organisations
are spread over multi-locations in India or even outside Indian borders.
He adds, Once these organisations are allowed to use IP as a medium to
interconnect various locations, they shall immediately benefit from cheaper
tariffs, easier accessibility etc. Businesses in India are expanding. India
is one of the fastest growing economies and it is expected that by 2020, it
shall be the third largest economy.
He concludes, As businesses grow, need for communication also increases
and as backbones and infrastructure improves, the demand for VoIP solutions
shall go up in a big way. In fact, all trends today point in the same direction
as we are witnessing specifications, RFPs (Request For Proposals) being published
with VoIP as the major requirement.