IP deployments bring new security concerns

Although IP telephony is relatively new, certain elements associated with voice connectivity carry over from the traditional circuit-switched camp. According to industry observers, security is one of those unchanging aspects. In a world where voice and data travel the same pipes, as long as your data network is secure, so too is your voice connection, insiders say.

Don Hausman Jr., director of product management with 3Com Corp. in Andover, Mass., said infrastructure security is key to success with IP telephony, adding that 3Com advocates a “security-conscious” platform for enterprises that comprises centralized network management and security policies, public key infrastructure (PKI) and Remote Authentication Dial-In User Service (RADIUS).

Hausman said 3Com’s IP-PBX, the NBX, operates on Wind River Systems Inc.’s VxWorks OS.

Alcatel, another network gear manufacturer, has created a multilayer security platform for its IP PBX, the OmniPCX 4400. The protective framework, dubbed CrystalSec, addresses security at the server with a hardened operating system (Unix or Linux with unnecessary features turned off) and at the network with robust transmission paths via adaptive routing.

Jeanne Bayerl, Alcatel’s Boulder, Colo.-based director for the OmniPCX, said these measures are new only in that they apply to the voice system rather than other applications. In the IP world, voice is just another server and “we have to adhere to the same requirements” expected of other applications, she said.

Jim Thomas, senior marketing manager, voice over IP with Brampton, Ont.-based Nortel Networks Corp., said IP does bring certain vulnerabilities, but added that the technology can be secured.

Since IP is an open medium, it’s easier to manipulate than the proprietary protocols switch makers tend to use in the TDM world, he said. But at the same time, it’s easier to encrypt IP info, so even if a call were intercepted, it would remain inscrutable.

“The richest, low-hanging fruit is signalling,” Thomas said, explaining that information is most vulnerable during session initiation. The IP phone sends useful data, such as its location, its number and other details – info enough that some smart cracker might be able to tap the line and listen in on the call.

What’s the answer? Encryption via VPN helps, Thomas said. But what if an enterprise wants to rely on the firewall alone for protection? Traditional firewalls have trouble understanding signalling protocols like H.323.

“Getting a firewall to understand voice or multimedia protocols, particularly H.323, is not simple,” said Joel Snyder, senior partner with network test firm Opus One Inc. and a Network World Canada columnist. He explained that the firewall would have to open a number of ports to deduce whether incoming voice packets are legitimate. The situation could leave the network vulnerable, Snyder said.

Nortel’s Thomas said his company has an answer in its patent-pending technology that essentially teaches firewalls the difference between voice and data transmissions, such that the protective devices can handle both sorts of messages. Known as “pinholing,” it’s ensconced in Nortel’s Real-time Transport Protocol (RTP) Media Portal, which comes with its Interactive Multimedia Server (IMS) IP Centrex platform, he explained.

Matthew Kovar, an analyst with The Yankee Group in Boston, said some vendors offer firewalls that work well with VoIP applications. He advocates employing one of these smart devices in concert with intrusion detection systems to keep the network safe.

Check Point Software Technologies Ltd. this summer unveiled its Secure Virtual Network Architecture (SVN) to fix firewalls for voice. The company said its SVN supports SIP and H.323 and is compatible with network address translation (NAT), which is associated with off-site IP devices.
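The difference between the port-range approach Snyder describes and the signalling-aware “pinholing” Thomas describes, as an added illustration that is not code from Nortel, Check Point or any other vendor named here: the firewall reads the media address and port announced in the session description carried by the signalling (SIP/SDP in this sketch; the SIP messages are constructed for the example) and opens exactly that UDP flow for the life of the call, instead of leaving a whole RTP port range open.

```python
import re

# Constructed SIP INVITE with an SDP body announcing where media will arrive
# (sample messages for this example, not a real capture).
INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.5\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "m=audio 20000 RTP/AVP 0\r\n"
)
BYE = "BYE sip:bob@example.net SIP/2.0\r\nCall-ID: a84b4c76e66710@10.0.0.5\r\n\r\n"


class PinholeFirewall:
    """Opens one UDP pinhole per media stream announced in the signalling."""

    def __init__(self):
        self.pinholes = {}  # Call-ID -> set of (ip, port) allowed for media

    def inspect_signalling(self, msg):
        """Parse a SIP message; return the flows opened (INVITE) or closed (BYE)."""
        headers, _, body = msg.partition("\r\n\r\n")
        call_id = re.search(r"^Call-ID:\s*(\S+)", headers, re.M).group(1)
        if headers.startswith("BYE "):
            # Session over: close the pinhole so the port is not left exposed.
            return self.pinholes.pop(call_id, set())
        conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        media = re.findall(r"^m=audio (\d+) RTP/AVP", body, re.M)
        if not (conn and media):
            return set()  # no session description: nothing to open
        flows = set()
        for port in map(int, media):
            flows.add((conn.group(1), port))      # RTP
            flows.add((conn.group(1), port + 1))  # RTCP (default: next port up)
        self.pinholes.setdefault(call_id, set()).update(flows)
        return flows

    def allow_media(self, dst_ip, dst_port):
        """Admit a UDP packet only if a live call announced this endpoint."""
        return any((dst_ip, dst_port) in f for f in self.pinholes.values())


def static_allow(dst_port, lo=16384, hi=32767):
    """The 'open a range of ports and hope' policy a signalling-blind firewall needs."""
    return lo <= dst_port <= hi
```

The same parser handles the callee's answer (the SDP in the 200 OK) so both directions of the call get a pinhole; a real implementation would also expire entries on a timer in case the BYE never arrives.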

Barry Brock, director of information technology services at Algonquin College in Ottawa, said he is “not at all” concerned about the security of the school’s IP telephony infrastructure.

Algonquin installed Cisco’s architecture for voice, video and integrated data (AVVID). “We’ve had it in for two years and it hasn’t been touched,” Brock said, adding that a dash of prudence goes a long way. With 1,500 users over three campuses, the college employs VLANs, VPNs and firewalls to make sure only those with the right credentials gain access to certain parts of the network. Brock also consulted with early adopters to learn best practices from the field.

With these tools at hand, Algonquin has put to rest any fears about security and IP telephony, “unlike some places you hear about caught without their default (admin) passwords changed,” Brock said.

– With files from IDG News Service