Testing VoIP for holes
VoIP security assessment is about to become a must.
By Carolyn Duffy Marsan, Network World | Network World US | Published: 08:00, 24 July 2006
Carriers are beefing up their VoIP security services, and demand for these offerings is growing as more VoIP vulnerabilities come to light.
High-profile attacks against VoIP systems are helping drive this market. In early June, for example, two men were arrested and charged with routing approximately 500,000 calls illegally over the network belonging to Net2Phone, a Newark, N.J., VoIP provider. Fifteen Internet phone companies reportedly were victims of the scam.
To combat this type of fraud and other threats, network managers are turning to service providers for security reviews and tests of their VOIP systems. Among the carriers offering VoIP security assessments are Verizon Business and AT&T, while Sprint offers services through Lucent's Worldwide Professional Services Division.
"There is more demand for these services, because there is more discussion of VoIP security," says Will Stofega, research manager for VoIP services at IDC. "One or two years ago, the discussion of VoIP security risks was theoretical. What we're going to start seeing is the threat of moving from theoretical to reality."
VoIP systems are vulnerable to the same threats as data networks, including denial-of-service attacks, viruses, spam and theft, as well as the risks of fraud and privacy invasion that plague traditional voice systems, experts say.
"Attackers like to go after bigger targets," says Cindy Bellefeuille, director of security solutions at Verizon Business. "We anticipate that as the adoption of VoIP systems grows - and we're seeing it grow rapidly - the number of threats will proliferate."
VoIP systems add risks to networks because they bring in new hardware, software and applications. Another threat is the co-existence of regular telephone and VoIP networks during the transition to this new technology, experts say.
"VoIP security and VoIP assessments are one of the biggest questions we get from potential customers," says Stan Quintana, managed security services vice president for AT&T.
AT&T has been offering VoIP security assessments for more than two years through its professional-services arm. These assessments analyse VOIP system architecture, policies, business continuity plans and vulnerabilities.
"We have quadrupled our demand for these services compared to two years ago," Quintana says, adding that demand is coming from financial services, pharmaceuticals and vertical industries "across the board."
Verizon Business announced in June enhancements to its VOIP Security Assessment Service, which dates to predecessor MCI's acquisition of NetSec, a security services firm, in 2005. This service can be purchased before going live with a VoIP system or on an ongoing basis.
"What a network manager should consider is establishing VoIP security policies, proactively designing VoIP networks with security in mind and having expert VoIP security assessments," Bellefeuille says.
As part of its VoIP Security Assessment Service, Verizon Business reviews VoIP system architecture, tests the network and network devices for vulnerabilities, and evaluates VoIP policies. Verizon Business provides customers with a report that includes a scorecard showing how well the VoIP system fared.
The service now includes a review of dedicated firewalls for VoIP traffic and testing of VoIP hardware for vendor-specific flaws that may be exploited by hackers. Verizon Business also provides recommendations on policies and procedures.
"Once a year is normal for this type of assessment," Bellefeuille says. "Financial institutions might be conducting these assessments two times a year or quarterly."
Lucent has sold VoIP security services to the Defense Information Systems Agency, EarthLink and others. Sales of VoIP security services have increased 25 percent this year over last year, Lucent says.
Lucent offers a VoIP Technology Assessment Plan that considers security issues as well as VoIP Security Assessment and Penetration Testing. Lucent's professional-services arm evaluates the security of 1,500 products from 250 vendors, including popular VoIP gear.
"People haven't thought through a lot of the management of VoIP systems. They might be using Telnet to manage systems and devices, and we want to get them steered toward SSH [Secure Shell]. They also might not be using encrypted strings for management data," says Vik Muiznieks, security and reliability global practice leader for Lucent's Worldwide Professional Services Division. "Other things that people forget to think about are CALEA [Communications Assistance for Law Enforcement Act] and 911 support."
In its security reviews, Lucent evaluates everything from firewall security to the physical security of the rooms where companies house servers and IP PBXs. Another important feature of VoIP security is overall system reliability.
"We do quite a bit with business continuity and disaster recovery and thinking that through," Muiznieks says. "You do not want to have single points of failure."
VoIP security assessments typically cost tens of thousands of dollars and are rolled into the cost of VOIP deployments or ongoing security costs rather than tracked separately. Overall, VoIP expenditures will hit US$2.9 billion this year and will grow to $6.9 billion by 2011, according to IDC.
Security assessments are in the "10 percent range in terms of overall VoIP deployment costs," Muiznieks says. "If you start planning for security, it costs less than if you retrofit security afterwards."
AT&T says it is gathering anecdotal information about the types of VoIP security breaches that are occurring.
"Eavesdropping is taking place, and people don't realise it," Quintana says. Because companies don't always encrypt their VoIP traffic all the way to the end users, "there is substantial exposure to intercepting that conversational data and monitoring it," he adds.
IDC's Stofega says the VoIP security assessment services he's seen from AT&T, Verizon Business, Lucent and others are a positive development.
"A service provider being proactive and making sure customers have the option of these services is good," he says. "It's good to see they've sharpened their toolkits to defend against these kinds of attacks."