VoIP implementations could expose the corporate network to additional security threats. Here, we provide an understanding of network security and VoIP's impact on the corporate firewall, and we illustrate how VoIP security offerings ensure networks are secured against a range of threats.
While companies of all sizes are now seeing the benefits of VoIP for solutions such as remote working and SIP trunking, security for themselves and their customers has become a top priority. In a recent survey undertaken by Toshiba, 73 per cent of office workers saw the desk telephone as an important communication method, with 60 per cent seeing it as the best way to communicate with customers. "Businesses therefore need to be confident that the security and reliability of a VoIP system will ensure that they can always reach customers and, perhaps more importantly, that customers can always reach them," said Daniel Fuller-Smith, Toshiba's Sales Manager for UK & EMEA.
"Unsecured VoIP systems would allow any intrusion to immediately be on the switch, potentially resulting in serious interruption to the business, and ‘phone phreaking' where an intruder gains access to the telephone system remotely, and then makes changes to allow them to call any number in the world. Exactly the same as you would any server, the VoIP system must therefore be protected as far as possible."
Some solutions will include built-in firewalls and Virtual Private Network (VPN) functionality. However, points out Fuller-Smith, aside from potentially duplicating technology that a business already owns, this means that the entire telephone switch must be exposed to the Internet, leaving it open to attack. "For this reason, Toshiba's Strata CIX sits in the application area of a business network, behind a company's existing firewall. Each IP card has its own IP address, allowing only the cards that need to be exposed to the Internet to be placed in the De-Militarized Zone (DMZ), providing maximum security," added Fuller-Smith.
He highlighted that the risks to a business can effectively come in a number of forms. Firstly, Denial of Service attacks such as fragmented packet bursts are designed to overwhelm a company's firewall, with the main aim of taking down the communications network. Other attacks will aim to gain access to the communications network, either to eavesdrop on calls, to gain access to other parts of the network or to make calls anywhere in the world at great cost. This also leaves customers open to ‘vishing', where a non-authorised person could dial out from the network and get customers to give out account details over the phone.
Fuller-Smith noted: "Many resellers are unaware of the risks, and voice products do not always support the security required. Fortunately there are data products designed to help with convergence such as wireless access points that have lower security levels for WiFi handsets, but restrict their access to the network based on the increased risk."
Natalie Stallwood, Business Development Manager at Alcatel-Lucent, agrees that as more organisations harness the cost-savings offered by VoIP, many still lack awareness about the associated security risks. "Insecure VoIP systems are particularly vulnerable to attacks and illegal use, and companies risk falling victim to voice tapping and manipulation," commented Stallwood. "While discussing the benefits of VoIP, resellers should also educate end users on the security risks and the need for a comprehensive VoIP security offering.
"There are many security products available to help secure VoIP - including stateful inspection firewalls and intrusion detection systems - however, they only offer limited defences. Resellers must offer solutions which protect all web-facing IP telephony applications, while also safeguarding and guaranteeing quality of service for VoIP calls. Solutions with multiple layers of protection and the ability to dynamically monitor the call setup, opening only the necessary ports for authorised communications, will ensure networks are secured against a range of threats, without compromising their quality, performance or reliability."
For the majority of existing and new VoIP installations, there are opportunities for the channel to sell security solutions. While there are opportunities, there is also a hidden threat, warns Ian Kilpatrick, Chairman of VAD Wick Hill Group. "Security-aware data resellers who are selling into companies that have, or are implementing VoIP, are already looking at the security threat VoIP represents and at the revenue opportunities for them there," stated Kilpatrick. "Not only that, they are also looking at the opportunity to provide VoIP itself, so they can come out winners in the converged voice and data space. In addition, and this is a big differentiator for the channel, those channel partners who are able to add value both against other voice resellers and against data resellers will be able to win more deals and retain more margin.
"Because the voice channel has so far had considerably less experience of attacks than the data channel, there is underestimation of the security risks. As companies who have experienced losses also tick the no publicity box, there is significant under reporting of the risks. This has been compounded by the desire of many vendors to play down the risks in order to push sales forward. It's a bit like the expenses scandal - the threat is already there, damage is already being done and at some point the users will become aware of the scale of the problem."
Kilpatrick points out that there is a range of solutions including secured gateways which enable end users to securely integrate VoIP onto their existing PBX environments. "Other solutions that provide protection are firewalls and VPNs, which are capable of dealing with VoIP threats (including SIP attacks) alongside more traditional threats," added Kilpatrick. "Suppliers in this area include Check Point and WatchGuard. Both provide appliance-based solutions for easy installation. At the other end of the scale, a number of suppliers have VoIP systems which support VPN sessions to ensure that call traffic is protected by encryption, and which can work in conjunction with firewalls."
According to Chris Richardson, Portfolio Manager for voice at Damovo, most people realise the risks associated with WiFi technology and tend to secure the network from outside access. However, once the network is secure this is not the end of the story, says Richardson: "Any user can still sniff the packets with readily available free software and therefore listen in/play back conversations. IP telephony needs to be encrypted to counter this risk, but this brings problems all of its own, particularly with the need to record conversations centrally for dispute resolution, for training employees or for compliance purposes, something which is inherently difficult with encrypted voice traffic. Ultimately, security is measured in risk and the value that can be attributed to it in terms of loss of information or service in the same way you approach data security."
Richardson observes that most IPT solutions from established manufacturers offer encryption. This encryption is normally set up on a per-call basis between two end points and provides security. "If the device is a WiFi device using perhaps a SIP client then it is more difficult to encrypt the call. It can be done but normally from a central server issuing encryption keys. Again, most known manufacturers provide this type of equipment but if the user is not using some form of encryption then the issues become apparent. Legitimate recording of encrypted calls is a complex task and requires thought and design to carry out efficiently without degrading normal data services."
Concerns over VoIP security should not be an obstacle to a sale in today's modern corporate world, according to Nimans' Systems Sales Director, Phil Adams. He says advances in technology, particularly in-built system security, have strengthened networks and made general hacking issues a thing of the past. Adams says resellers should be on the front foot when trying to convince customers who may be concerned about adding voice to an existing network - as security is enhanced. "If there is a weak infrastructure for data then the same problem will obviously exist for voice, as security protection is only as strong as the network itself," said Adams. "But to support that network a lot of the manufacturers have developed in-built security into their VoIP enabled switches as a secondary strength, so security is higher on the voice than it is on the data packet."
According to Adams, the key question a reseller needs to ask a customer is, ‘Are you happy with the security on your network?' "If they are perfectly happy there is absolutely no real reason why adding voice would be a problem," said Adams. "When manufacturers are developing VoIP switches, security is a key aspect of the design. In today's modern IP world there are no reasons for corporate sites to be concerned about integrating voice and data, providing their network is robust and secure. Like everything, nothing can be 100 per cent guaranteed, but generally VoIP is as secure as any other voice format. Resellers should have the confidence to overcome any of their customers' concerns and ultimately clinch a sale."