Phone: (678) 987-5900
Contact Us
Home About Us Partners Members Awards
Services
News & Resources
Customers
Company
Contact Us
Strategic Mobility
Inventory and Audit
Strategic Planning
RFP Management
Best Practices
Telecom Benchmarking
VoIP Planning
Data Center Planning
Consulting Services
Wireless Consulting
VoIP Consulting
Telecom Consulting
PBX Consulting
Network Consulting
Data Center Consulting
RFP Services
Wireless RFP
VoIP RFP
Telecom RFP
Data Center RFP

VoIP Security:
The Ugly Stepchild in your IS Security Plan

No one has a prosperity so high and firm that two or three words can't dishearten it.
Ralph Waldo Emerson (1803-1882) U.S. poet, essayist and lecturer.

Most of the enterprises that we encounter through the service of our practice have top-notch Information Security teams. The basic existence of a security team in the organization is evidence that the CIO recognizes and appreciates the enormous risk exposure and potential loss to the business that can result from information security breaches, and has committed to managing it. Indeed, because of the nature of security professionals in general, having such a team at all typically brings seriousness and diligence to this area of governance in the firm. We have further seen that Information Security teams of the Clients that we’ve served are typically very well funded. This again, reflects recognition of the importance of a strong security posture for good corporate governance, and a commitment on the part of executive management to invest in Information Security.

Information Security implementations dedicate substantial resources toward protecting the network, systems, and data that serve the enterprise. Organizations have traditionally created protection against breaches by creating security barriers such as access controls, Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), firewalls, and cryptography. It is alarmingly common, however, for the voice communications systems to be omitted from the security plan. Beyond the core components of the PBX and Voice Mail platforms, modems and fax lines often serve as bastions of fraud and abuse (costs) as well as back-door access to the data network. While much can be said about adequate inclusion of voice systems in the overall security policy, the increasing proliferation of VoIP deployments and IP Telephony in general, tend to amplify the risk to the overall security posture.

VoIP implementations drive changes beyond the fundamental replacement of voice processing platforms. More so than perhaps any other technology one can think of, these changes have a broad impact on an organization’s security posture. Let’s discuss a few of these at a high level.

At a very fundamental level, VoIP implementations change the characteristics of the data network. We are all very familiar by now with the requirements of IP Telephony on network latency and jitter for acceptable quality of service (often measured as Mean Opinion Score, or MOS). From a security perspective, this translates into not only performance metrics but also availability (one of the legs of the CIA triad for Information Security). Said another way, the management of network performance is, in a sense, now a security issue. In addition to issues of availability and performance, IP Telephony introduces a new family of protocols carried on the data network, as well as stateful session management through firewalls and perimeter boundaries.

If you’re in the implementation stages of a VoIP deployment, then you know that organizational change of some kind is necessary in order to accommodate convergence of voice and data in an operational production environment. If you’re in the consideration or planning stages of a VoIP implementation and think that the traditional Telecom and Data teams can continue to work and be managed with the same level of segregation and independence in the post-convergence environment, well may the force be with you. Organizational changes that occur as a result of IP Telephony implementations are largely driven by Technical Operations concerns. In the pre-convergence environment, a user can request a new phone to be installed, changes to number plans, even call routing and expect the request to be honored ad hoc. In a post-convergence environment, this is a request to add a new endpoint to the network. This is a production impact of a different color, and also now includes AAA (Authentication, Authorization, and Accounting) security components.

Of course there are also numerous technical security aspects introduced by VoIP implementations. We’ve already touched upon the Availability component of the CIA triad. There are also substantial issues to address with the Integrity and Confidentiality components. These issues directly parallel the similar threat taxonomy with data traffic, including packet capture, eavesdropping, redirection, malicious modification, spoofing, and so on. The difference though, is that with VoIP we’re dealing with conversations, person-to-person messages, recordings, and voice mail. In fact, the implementation of IP Telephony creates an opportunity (necessity) for synchronization of the Security

Policy with Technical Operations as well as Architecture and Engineering functions.

Given this backdrop of change to the technical environment, to the technical organization, and to governance policies due to this change of core technology, it is wise to consider conducting a VoIP Security Assessment as a part of the technology governance framework. During the planning and implementation phases of an IP Telephony deployment, a VoIP Security Assessment is just as essential as a network readiness assessment. Including voice security as a part of periodic security assessments is essential as well. In fact, some industry sources are recommending at least annual VoIP Security Assessments, due to the frequency of change characteristic of voice communications platforms and their (now) intimate interconnection with core enterprise data. VoIP Security Assessments should be grounded upon a comprehensive taxonomy of threats to the environment, including not only technical, operational, and compliance issues but also social threats because of the strong impact of human behavior on the security posture of voice systems.

Bob Landstrom
Practice Lead- IS Strategy and Planning
Advocate Networks, LLC
bob.landstrom@advocatenetworks.com
Advocate Networks
6525 The Corners Parkway
Suite 310
Norcross, GA 30092
Phone: (678) 987-5900
Fax: (678) 987-5999		 Home |  About Us |  Services |  Customers |  Sales |  Resources |  Contact Us |  News | 

© 2008. Advocate Networks. All Rights Reserved.