Issue of December 2006 


Telescope 2007

Voice over IP: Security issues to the fore

With the growing acceptance of Voice over Internet Protocol (VoIP) in India, enterprises have changed their way of communicating within and outside the organisation. Enterprises in India, as well as those in the rest of the world, have successfully used this technology and derived cost savings and other benefits from it. VoIP has now been adopted universally as a reliable technology alternative by which voice is transmitted over a data network. While the acceptance level of VoIP has gone up, threats are looming large with voice spam being a significant blight on the horizon. Questions remain as to how a flood of voice spam will affect the market for VoIP and how vendors selling VoIP equipment are going to tackle this challenge.

By Faiz Askari

It’s boom time for VoIP in India. Nagendra Venkaswamy, Managing Director (India & SAARC), Juniper Networks says, “India has the potential to be the world’s largest market after China, due to rising broadband penetration, a huge market and the importance placed on cost savings.”

Agreeing to the fact that VoIP is growing rapidly in India, Jayesh Kotak, Vice-president, Marketing, D-Link India highlighted another aspect of the technology, “There is no doubt that VoIP is a growing segment. However, SMBs have not been able to benefit much from this technology. The government has allowed logical partitioning, but the benefits will only be widely enjoyed when VoIP is fully deregulated.”

Minhaj Zia, Business Development Manager, Cisco Systems India & SAARC explains, “The market for VoIP services in Asia, including Japan, will grow by $1 billion per year between 2005 and 2009, topping $10 billion in 2009.”

The proliferation of VoIP services across Asia-Pacific will rise as telecommunications markets open up. According to the latest report by Frost & Sullivan, this move coupled with the increasing differential between PSTN (public switched telephone network) and VoIP tariffs will ignite VoIP services to revenue growth rates exceeding 320 percent y-o-y.

Spam redux: this time it’s vocal

VoIP spam involves a script sending out mechanically replicated voice messages that can flood corporate VoIP systems inundating voicemail in-boxes. It could also be used for phishing to steal personal information such as bank account numbers and passwords. This kind of spam is particularly dangerous in the case of VoIP because people generally trust the phone more than they do the computer, so they are more likely to offer important information on the phone. In the past the corporate phone systems required some sort of human intervention, but with VoIP, the process of generating spam or phishing calls en masse is entirely automated.
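The pattern described above (one source, many extensions, near-identical message lengths, mostly landing in voicemail) can be looked for in call detail records. The following is an added example, not part of the original article; the record layout, the sample records and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed call detail records (CDRs); the field layout is an assumption:
# (start_time_s, caller, callee_extension, duration_s, reached_voicemail)
SAMPLE_CDRS = [
    (0,   "sip:bulk@example.net", "2001", 31, True),
    (20,  "sip:bulk@example.net", "2002", 31, True),
    (41,  "sip:bulk@example.net", "2003", 32, True),
    (60,  "sip:bulk@example.net", "2004", 31, True),
    (83,  "sip:bulk@example.net", "2005", 31, True),
    (100, "sip:bulk@example.net", "2006", 32, True),
    (10,  "sip:alice@example.org", "2001", 245, False),
    (400, "sip:alice@example.org", "2001", 12, True),
    (30,  "sip:helpdesk@example.org", "2002", 180, False),
    (300, "sip:helpdesk@example.org", "2003", 95, False),
    (700, "sip:helpdesk@example.org", "2004", 410, False),
]

def flag_voice_spam(cdrs, window_s=300, min_callees=5, max_spread_s=3, min_vm_ratio=0.8):
    """Flag callers whose calls inside one sliding window look machine-generated."""
    by_caller = defaultdict(list)
    for rec in cdrs:
        by_caller[rec[1]].append(rec)
    flagged = {}
    for caller, recs in by_caller.items():
        recs.sort()                      # order each caller's calls by start time
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window_s:
                start += 1               # shrink window to the last window_s seconds
            win = recs[start:end + 1]
            callees = {r[2] for r in win}
            durations = [r[3] for r in win]
            vm_ratio = sum(r[4] for r in win) / len(win)
            if (len(callees) >= min_callees                          # fan-out
                    and max(durations) - min(durations) <= max_spread_s  # replicated message
                    and vm_ratio >= min_vm_ratio):                   # lands in voicemail
                flagged[caller] = {"callees": len(callees), "vm_ratio": vm_ratio}
    return flagged

if __name__ == "__main__":
    print(flag_voice_spam(SAMPLE_CDRS))
```

Requiring all three signals together keeps a busy help desk or a single repeat caller from being flagged on call volume alone.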

Jayasimha Vardarajan, Vice-president, IT Infrastructure, Thomson Financials elaborates, “Security threats can emerge from a VoIP network if a valid IP address is hacked or stolen, for the network will trust the stolen address and will let itself be misused to generate spam.” Perimeter security has to be stringent, and there should be security devices that inform the organisation as soon as the perimeter security is breached, before the threat strikes.

He adds, “If the VoIP network’s security is breached it can lead to Denial of Service (DoS) where basic services are denied and access to basic applications is blocked.”

Kiran Bhagwanani, Vice-president, APAC Sales, HCL Comnet adds, “With the advent of VoIP-based application, there is definitely a threat of voice spam and call hijacking / redirection. We are already seeing a lot of voice spam in the existing telecom space, where telemarketing, advertising and even political propaganda is being done on cellular phones and personal fixed-line phones.”

Zia of Cisco says that there’s no denying that security is an important factor while deploying IP telephony, whether you are deploying a native IP solution or a hybrid one.

“Given the risks, it’s imperative that a corporation conduct a thorough evaluation of its security infrastructure before deploying an IP telephony solution,” comments Zia.

The adverse impact of threats on this growing market segment can be curtailed if organisations adopt stringent security practices. The design and implementation of an IP telephony solution should result in focussed attention on an organisation’s overall security plan, and ultimately, may even serve to improve security levels.

Venkaswamy of Juniper says, “VoIP technology is dramatically transforming the telecommunications industry. However, industry observers are cautioning that the open nature of a VoIP phone call makes it easy for spammers to send audio-commercials to VoIP voice-mail in-boxes in much the same way that they carpet bomb e-mail in-boxes today.”

Without the use of strong encryption, a VoIP call is no different from an unsecured analogue line. VoIP vendors will need to address these issues quickly. Just as Web users can be plagued by pop-up advertisements and spam e-mail, it is expected that VoIP services will be the next target. Users could find calls redirected or hijacked by advertisements. 2007 is expected to be a good year for VoIP applications. It will also be the year of voice spam.

Kotak of D-Link adds, “The threats have always been there and there will be ways to counter it. Has the spam affected e-mail usage negatively? In fact, everyone is now aware of such challenges and technology has the capability to counter these problems.”

Rajnish Gupta, Director, Marketing, Tadiran Telecom India feels, “It is one of the major bottlenecks when it comes to VoIP penetration but there is a lot of work going on to counter the threat of voice spam. In case of our solution, when using VoIP, there is full protection against voice spam as all the users connected to our systems are fully authenticated and only registered users are allowed to access the system.”

Filtering voice spam

IP telephony is essentially just another service running on a network, and all of the security technologies and policies that companies have deployed for their data networks can protect voice services as well. This differentiates IP telephony and unified communications from traditional telephone systems, which often lack general-purpose, cost-effective security measures that can be easily adapted as business conditions change.

Bhagwanani of HCL says that the latest security solutions have the capability to inspect VoIP traffic at the application level. With authentication mechanisms, PKI (Public Key Infrastructure) certificate-based systems and encryption technology being incorporated into the VoIP solution framework, the threats posed would be mitigated to a large extent.

Explaining how the voice spam threat can be handled, Zia of Cisco says that security is among the most important differentiators of any IP telephony solution. Independent tests by Miercom have rated Cisco voice security as the best in the industry. “To date, we are the only IP telephony vendor to earn Miercom’s highest rating of ‘secure’ for its proven ability to defend an IP telephony service against malicious attacks. An expert team of hackers, assembled and supervised by Miercom, could not disrupt, or even disturb, phone service or features after three days of continual, sophisticated attacks,” says Zia.

In terms of security, VoIP solutions also provide integrated security that protects the entire network over which voice traffic travels. However, technology has reached a level where multiple layers of defence exist—for the infrastructure, call management, applications, and end-points—to protect against known threats, as well as emerging unknown ones.

Securing VoIP

Corporations that are implementing VoIP technologies in a bid to cut communications costs shouldn’t overlook the security risks that can crop up when the worlds of voice and data converge, say users and analysts.

Enterprises need to protect their data and VoIP environments by implementing a combination of anti-virus, firewalls, intrusion detection systems (IDS), encryption and virtual private networks (VPNs). Perhaps the most important measure to be taken is the separation of voice and data traffic.

Dabinder Singh, Head, IT, Greenply Industries says, “To ensure the protection of your VoIP network you should see to it that the ISP has anti-spam and firewall systems in place and the domain provider of an organisation’s Web site should be equipped with perimeter security.”

Bhagwanani of HCL suggests that at the network level, products such as firewalls, IDS and IPS have application-specific engines that can do deep-packet inspection of VoIP traffic in real time so that no delays are introduced into the voice path. Voice solutions have incorporated technologies such as Secure RTP (Real-Time Transport Protocol), which gives media encryption for the voice stream; end-point (phones or soft-clients) authentication using digital signatures; a hardened OS platform for the IP-PBX to mitigate attacks; and secure communication between the gateways that are responsible for PSTN interconnects. All systems also provide extensive logging and accounting capabilities, which allow for auditing of all voice traffic.

Security experts predict that the next level of attacks will target services such as VoIP as well as Internet telephony (Skype). Although Indian usage of these services is yet to gain critical mass, organisations that are already using these services need to watch out.

Venkaswamy of Juniper suggests an approach wherein multiple elements that ensure the security of a converged (voice, data, and video) network are incorporated. For threat defence it is important to address network and system protection with technologies such as firewalls and IDS. Connectivity is secured with the help of IPSec VPN, SSL VPN and Voice and video-enabled VPN (V3PN) to ensure that sensitive data, voice and video communications are secure and intact as they are transported across public and private networks. Trust and identity management solutions help companies identify, and then permit or restrict, both people and machines (such as IP phones) that have access to network resources.

IP phones now affordable

Zia of Cisco says, “The high prices of IP phones have always been a limiting factor for VoIP. With prices reducing, market penetration will increase. Also, there are a host of cost and productivity benefits from VoIP implementations that can enhance adoption.”

IP telephony reduces administrative, networking and IT support costs and improves collaboration and mobility for users. While savings differ from company to company and vary from installation to installation, it is common for early users to achieve a quick return on investment (RoI).

Agrees Bhagwanani of HCL, “With the drop in prices of VoIP equipment, the cost divide between the legacy TDM (Time Division Multiplexing) equipment and VoIP gear has drastically reduced.” Price reductions are linked to demand; with the increased sales of IP telephony products, we can expect an additional drop in prices. Moreover, VoIP as a technology has matured and hence vendors are rolling out newer equipment with better features and performance at lower price points. This is also driving market penetration in a big way.

Zia adds, “The greatest cost benefits come from green-field deployments and full-replacement installations. On an average, customers can recover their investments within two years. Some organisations have experienced a reduction in costs by 15 percent, going up to 40 percent in certain cases, depending upon usage.”

Venkaswamy of Juniper says, “Deregulation has proved to be the biggest enabler for the proliferation of the service, making Asia-Pacific one of the fastest-growing markets in the world for IP telephony services. Value-added services such as VoIP over broadband, unified communications solutions and voice portals would provide a possible revenue stream and market niche for smaller players.”

Kotak of D-Link adds, “There are two ways of looking at this, even without concern of revenue loss from using VoIP for national long distance the prices have fallen down, so what is the harm in opening it up. The other way is imagine the prices when customers have choice of VoIP as well. This will benefit the competitiveness and the productivity of the SMB.”

Regulatory curbs remain

IP telephony faces certain challenges that impede its growth. In India, the biggest of these were regulatory restrictions imposed by the Indian government and interoperability issues that result from a lack of standardisation.

Till recently, companies were disallowed from maintaining a single infrastructure for PSTN and CUG. However, with the Telecom Regulatory Authority of India notifying approval for ‘logical partitioning’ of PSTN and Closed User Group (CUG) networks, enterprises, service providers, application software developers as well as Internet telephony vendors have reason to rejoice. Corporate users can now slash the investment that goes into setting up networks, as they would not have to manage the expense of two separate PSTN and CUG networks.

Bhagwanani of HCL says, “The relaxation in regulations has been one of the key drivers in the increased adoption of VoIP as a technology for voice services. With the legal issues addressed, customers have started deploying VoIP and are seriously considering VoIP for all their new implementations.”

Interoperability is a major concern due to lack of standardisation. However, with the adoption of a standard protocol such as SIP (Session Initiation Protocol) in the Call Control Engine organisations can integrate their legacy or hybrid systems with Cisco IPT solutions thereby preserving their investment.

Gupta of Tadiran says, “Once the interconnection restrictions are removed / relaxed, VoIP shall penetrate the Indian market in a big way. Today many organisations are spread over multi-locations in India or even outside Indian borders.”

He adds, “Once these organisations are allowed to use IP as a medium to interconnect various locations, they shall immediately benefit from cheaper tariffs, easier accessibility etc. Businesses in India are expanding. India is one of the fastest growing economies and it is expected that by 2020, it shall be the third largest economy.”

He concludes, “As businesses grow, need for communication also increases and as backbones and infrastructure improves, the demand for VoIP solutions shall go up in a big way. In fact, all trends today point in the same direction as we are witnessing specifications, RFPs (Request For Proposals) being published with VoIP as the major requirement.”

Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.