Security directors find new opportunities, and consequently new challenges, in most new technologies. Many are seeing great opportunity in voice over Internet protocol. This technology offers potential benefits when deployed in the right places, but security directors should also be aware of the information security concerns of VoIP and the steps that should be taken to address those concerns.
The Good News
With the adoption of the TCP/IP protocol across multiple technologies and service offerings, it was inevitable that we'd eventually use the data network and IP-enabled technology to handle voice transmissions. The cost savings alone holds great appeal. VoIP can eliminate the entire expense stream of establishing and maintaining a circuit-switched network for telephone connections. The concept of running only one wire to the desk is also appealing.
Vendors like the idea of bundling services for customers because it increases the perceived value of their offerings. Customers like the idea of having to call only one vendor (or department, for internal applications) for installations and service calls. As deployment of VoIP service offerings continues to grow, the increasing competition and options for the consumer are making the prospect of VoIP even more appealing.
The adoption and growth of this industry is somewhat akin to a gold rush. Recently Microsoft acquired the Zurich-based media-streams.com AG, which specializes in VoIP applications, with the vision of adding VoIP capabilities to its Office products. EBay has also jumped on board with its $2.6 billion acquisition of Skype Technologies, one of the world's largest providers of VoIP service signals.
But I always get nervous when I hear comments like, “Well, everyone's doing it!” There is often a life lesson attached to comments like that. Moving to VoIP is a perfect example.
Problems for Law Enforcement
First, don't make the mistake of assuming VoIP works just like a traditional phone line, because it doesn't. In fact, the move to this technology has presented challenges in unexpected areas. For example, in the rush to establish and configure VoIP services, everyone forgot to consider the needs of law enforcement and wiretapping regulations. Well-defined laws and processes give law enforcement access to traditional telephone traffic, and they need it now more than ever due to their increasing role in handling terrorist threats. The fact that an increasing percentage of telecommunication traffic is going over a completely different technology throws uncertainty over the processes used.
New regulations approved by the FCC in August that make it easier for law enforcement to tap Internet phone calls are being challenged in court. Internet service providers and universities are wincing under the potential expense of complying with the new regulations. In October, CNN quoted Terry Hartle, senior vice president of the American Council on Education, saying, “We fear that the FCC order will make every college and university replace every router and every switch in their systems. The cost of doing that is substantial.”
When VoIP is brought up, most information security professionals groan and mutter something along the lines of, “Oh man, not another one!” It's not that they think VoIP by itself is evil or more troublesome than other IP-enabled technologies. But they understand all the effort necessary to make it available, useful, and properly secure.
Much of the current VoIP technology has not been constructed or deployed with security in mind. Much of the time it is deployed before a serious risk assessment and analysis is conducted. In a recent seminar I attended, this issue was described as the “airline magazine syndrome”; a high-ranking executive reads an interesting article about the technology in an airline magazine and buys it without a second thought. The IT staff is then tasked with finding enough baling wire and duct tape to pull the project together, since they did not have the benefit of architecting the solution before it arrived.
Before you deploy VoIP, make sure you are working closely with your IT and information security staffs to ensure that it is done right the first time.
The following example illustrates the reality shift you need to deal with before going VoIP. Today, if you're working at your desktop and you notice your network connection has suddenly closed, you sigh in frustration and pick up the phone to call the help desk. You find out that the help desk is aware of the problem and is estimating at least a 20-minute outage as they evaluate the problem and determine what is necessary to resolve it. You then call a coworker to discuss a couple of ideas for a particular project while you wait for the network to come back. But wait…
In a VoIP environment, which is running on the network, you may not be able to make that call, nor can you make a sales call, nor can you call home to let your spouse know you will be a few minutes late coming home, nor, for that matter, can you call the help desk. Obviously the particulars of these problems will depend upon individual situations, but the fact is that your telephony is now dependent upon network availability. Imagine that you have a medical emergency in the building at the same time. You may not be able to call 9-1-1—at least not from a desk phone.
Information Security Issues
VoIP uses TCP/IP both within your network and over the Internet, and that brings with it a whole raft of information security issues. The first thing to understand is that all of the information security exposures, controls, management issues, network vulnerabilities and challenges that already exist in the network and the Internet will become issues for VoIP. If you are not aware of these issues, then now is an excellent time to get to know your IT folks.
There are a number of recent articles and studies describing VoIP security problems. For example, Germany 's Federal Office for Security in Information Technology released a report in October that listed 19 varieties of attacks on VoIP systems that could lead to identity theft, data manipulation and transmission errors. Hackers have also discovered a means to manipulate the cost codes used to bill for phone calls, “zeroing out” the codes to eliminate legitimate call charges.
Bandwidth. One of the first challenges you will need to plan for is network bandwidth. Your available bandwidth may limit how you can deploy VoIP. A bandwidth analysis and test will be useful in determining the real costs and issues prior to an implementation. If the pipe is simply not big enough, your VoIP may have significant performance issues. There are a number of measurements that you may want to become familiar with before you complete that analysis.
Latency . With VoIP, when you talk into the phone, the conversation is broken into packets. The packets arrive at the other end of the connection and are reassembled so that the recipient hears the conversation. Latency is the time it takes for the packets to get from the source to the destination. Most users expect a phone delay of about 150 ms, because that's what they have grown to expect from telephone systems. Obviously, if your network bandwidth cannot deliver latency in the neighborhood of 150 ms, then you will have users complaining about how slow the system is. There are many things that can impact latency. Unfortunately, many security controls, such as encryption of sensitive conversations, can slow things down. The frequent result is that security controls are sacrificed for higher throughput.
Jitter. Jitter is manifested when packets have different latencies. If the packets don't travel at the same speed, then the reassembly of the packets becomes problematic and the person listening on the other end hears the effect of that problem. In addition to jitter, you can experience packet loss, where some packets simply don't make it to the other end, or arrive too late to be included in the traffic. Again, the quality of the call suffers.
Perimeter security. Depending on your existing investment in firewalls and network security devices, you may need to have significant adjustments made to your network perimeter security. Your firewalls may work fine for the traffic that currently runs through them, but if you intend to move to VoIP, they may need to be replaced with firewalls designed to handle that kind of traffic. You will likely need to invest in firewalls, switches, and routers that are able to recognize and act on VoIP data to keep your latency down.
DOS. A denial of service (DOS) can adversely affect the quality of your calls, just as jitter and latency can. A DOS is anything that causes the sheer volume of activity on the firewall or network to become a limiting factor in the transmission of packets. Essentially, the network is too busy to deliver the quality of phone transmission that you expect. This can be handled in a number of ways depending on your network architecture. But in some cases you can't do anything but ride out the storm.
If you're looking for more information on the vulnerabilities and components of VoIP, check out the SANS Institute whitepaper “Voice over Internet Protocol (VoIP) and Security” at www.sans.org/rr/whitepapers/voip/1513.php.
Information security for a VoIP system should begin with an appropriate risk assessment and solid security on the company's network. The project should include a determination of the impacts of implementing the VoIP system in your environment, so that any bandwidth or control issues are planned for.
Don't make the mistake of assuming that you have enough horsepower, network pipe size, or controls up front. Engage the IT folks and have them find out what it will take for real. Determine your business requirements first and how you intend to use the technology. Do your homework, and then design your implementation.
Eduard L. Telders is the director of enterprise information security at T-Mobile. Since 1981 he has served in physical security, information security, corporate contingency planning, and safety programs in the banking, insurance, and financial industries. He is active in a number of security trade groups and associations such as ASIS, ISACA, InfraGard, the AGORA, CyberGuard Advisory Council, and others, for both physical and information security, and he is a contributing technical editor for ST&D.