Is enterprise VoIP (voice over IP) due for a security wake-up call or are the threats mostly exaggerated? It depends on who's talking.

"The security aspects of enterprise VoIP have been overblown," says Irwin Lazar, senior analyst at the Burton Group. "There's a lot more attention being paid to the fear of attack than what is actually possible."

Roger Farnsworth, manager of marketing for Secure IP Communications at Cisco, concurs: "VoIP systems can be at least as secure as traditional voice systems, and future IP technologies and voice applications will make them even more secure."

But Mark Collier, CEO of SecureLogix, a vendor of voice management and security platforms for both traditional phone systems and VoIP, isn't completely sold. "With IP at its foundation, it's simply unrealistic to expect VoIP to be any more robust than e-mail, the web or DNS," he says.

Hold the phone. E-mail? The web? DNS? Who in their right mind would move from the rock-solid service of legacy enterprise telephony to a platform that's no more secure than e-mail?

Just Another App
In fact, enterprise VoIP is essentially just another application on the IP network. The principal elements of today's typical enterprise IP telephony systems are call control servers, which usually run on an operating system such as Linux, Windows, or VxWorks; VoIP clients, which are either handsets or softphones; and VoIP gateways, which sit at the edge of the network and translate between VoIP and the PSTN.

They all use some relatively standard protocols - typically either the ITU's H.323 series of protocols or the IETF's SIP for the servers and clients, and the MGCP (Media Gateway Control Protocol) or Megaco/H.248 protocols for gateways. And the vast majority share the data network, depend on the same routers and switches for voice packet transport, and, ideally, interface with other data applications, including messaging.

So, theoretically at least, VoIP systems are as vulnerable to attack as other data applications. The list of potential threats is staggering and includes DoS attacks, viruses, worms, Trojans, packet sniffing, spam, and phishing. Spam? If you remember the dark days before do-not-call lists, imagine the potential of SPIT (spam over Internet telephony). "If I want to send 100 calls, I have to dial 100 times or use an autodialer," says Andrew Graydon, vice president of technology at BorderWare Technologies. "But with an IP connection, I could upload a WAV file to a computer in the Bahamas, press a button, and send it to 2000 employees instantly." Phishing is accomplished simply by spoofing caller ID information to masquerade as a representative of a legitimate institution.

Nonetheless, vendors and analysts emphasise that IP PBXs run on a variety of operating systems, usually stripped down and hardened, and use a mix of still-evolving standards and more proprietary protocols, such as Cisco's Skinny call control protocol, making VoIP apps more difficult to target than typical data applications.

Also potentially menacing are man-in-the-middle attacks (hackers masquerading as a SIP proxy and logging all call activity) and trust exploitation (hacking into a data server that has a trust relationship with VoIP servers to gain access to the latter). To these, add toll fraud, which is accomplished by hacking into a voice gateway and making international calls at the company's expense. Then there's eavesdropping: Users with access to the network and two free, easily available tools called tcpdump and VOMIT (Voice over Misconfigured Internet Telephones) can reassemble and convert a voice conversation over IP to a standard WAV file.

Further, VoIP systems often depend on vulnerable applications to function properly. "SQL Slammer attacked Microsoft SQL Server, but because Cisco Call Manager telephony servers depend on SQL server, it disrupted many of them as well," Collier says.

Latency Hang-ups
Compared with other applications, VoIP also has its own unique challenges. In order to achieve PSTN-quality voice, latency cannot drop below 150ms for one-way traffic, according to David Fraley, director of Federal Practice at Gartner. "Voice encoding can take up to 30ms and a voice call over a reasonable distance [cross country] on a public IP network can take up to 100 or even 125ms." And this is before security measures such as firewalls, encryption, and intrusion prevention are added.

Most mainstream firewalls don't take VoIP into account nor do they address some of the peculiarities of SIP and H.323. For example, SIP uses at least three port numbers, only one of which is static, H.323 uses ports 7 and 11, with only two static, and both use both TCP and UDP (User Datagram Protocol) initiated from inside and outside the firewall. This means that you must open a huge number of ports on a standard firewall, which is unacceptable in terms of threat exposure. In addition to the IP addresses in the header, SIP and H.323 also embed IP addresses, so incoming calls can have problems with traditional NAT set-ups in firewalls and routers.

Carriers and some of the larger enterprises make use of fairly expensive devices called SBCs (session border controllers) to handle NAT and open port issues. Newer firewall products from the major firewall and IPS vendors such as Check Point, Juniper, and WatchGuard, have also started to become more VoIP-aware, implementing a technology called NAT traversal, opening and closing ports dynamically based on careful monitoring of VoIP sessions, and even implementing some QoS features, but this often means upgrading hardware and software, and requires careful shopping.

On Friday, part 2: Harden your networks...