Multi-layered Security Solutions For VoIP Protection

Multi-layered Security Solutions
for VoIP Protection
Copyright© 2005 internet Security Systems, Inc. All rights reserved worldwide
TAhead of the threat.Multi-layered Security Solutions for VoIP Protection An ISS Whitepaper 1
INTRODUCTION
The Benefits of VoIPVoice over Internet Protocol (Voice over IP or VoIP) allows users to make phone calls over the Internet, or any other IP network, using thepacket switched network as a transmission medium rather than the traditional circuit transmissions of the Public Switched TelephoneNetwork (PSTN). As the technology has become more reliable in recent years, companies have been moving to VoIP for a number of reasons.Consolidation of voice and data on one network reduces costs and results in a lower network total cost of ownership (TCO). Operatingexpense savings include lower long distance charges, reduced support costs and savings via workforce virtualization. Companies also usethe migration to VoIP as an opportunity to replace aging telephony equipment with feature-rich technology like teleconferencing andcollaboration/multimedia applications. VoIP supports increased mobility, since remote workers have the same access to voice features ascorporate office employees.
Research organization Gartner Inc. recently reported that spending by US companies and public-sector organizations on VoIP systems is ontrack to grow to $903 million in 2005 (up from the $686 million in 2004). By 2007, Gartner expects 97 percent of new phone systems1installed in North America to be VoIP or hybrids .
Planning and Implementing VoIP SecurityWhile it is true that Voice over IP can provide savings over traditional telephony solutions, there are security risks associated with thistechnology that need to be addressed. Risks include denial of service (DoS), service theft, unauthorized call monitoring, call routingmanipulation, identity theft and impersonation, among others. Not only does VoIP inherit all data network security risks, but it introducesnew vectors for threats related to the emerging and untested technology and protocols associated with VoIP. These new threat vectors inturn increase the risk to the data network.
Companies may spend $100,000 or more on network upgrades required to support a VoIP implementation, yet they may overlook VoIPsecurity during their network assessment. Many enterprises assume that their existing security policies are adequate. And in many cases,executives do not include security managers in the decision-making process (either for purchase or deployment of VoIP).
The technology behind VoIP is a complex collection of protocols, applications and appliances that all require attention when planning anew implementation or conducting risk assessments of existing technology. An ideal VoIP security solution provides multi-layered,preemptive protection from threats affecting both traditional data-driven network traffic and the underlying infrastructure, devices andprotocols that support VoIP data transmissions, all without interrupting Quality of Service.
1. http://blogs.zdnet.com/ITFacts/index.php?id=P2656 (February 22, 2005).
TTAAhheeaadd ooff tthhee tthhrreeaatt..Multi-layered Security Solutions for VoIP Protection An ISS Whitepaper 2
ISSUES ASSOCIATED WITH VoIP SECURITYThe biggest threats associated with VoIP are service disruption or degradation (DoS) and remote compromise that can lead to unfetteredaccess to an enterprise's critical systems and the confidential information stored on those systems. Attack prevention and the preservationof Quality of Service are the key requirements for a VoIP protection system.
Quality of Service (QoS) VoIP requires higher standards of Quality of Service and availability than are accepted on worldwide data networks. The degree of latencythat may be acceptable for data traffic cannot be tolerated for voice transmissions. Any threat that disrupts service, even slightly, orcompromises call integrity could result in a service outage. Executives contemplating or undergoing the switch to VoIP need to considerhow an outage might impact their business. A prime example of VoIP risk is a business call center undergoing a denial of service attack.The "lines" would be flooded; no calls could get through. The cost of network cleanup and recovery may be substantial, but that pales incomparison to the cost of lost business opportunities whi... [download for more]