VoIP less vulnerable on secure networks

When ECWebworks Inc. switched over from old-fashioned voice equipment to an IP telephony platform, the company had nary a concern about potential security vulnerabilities. But a lot has changed since then.

The Burlington, Ont.-based application service provider in the summer of 2000 moved to a new office and installed 3Com Corp.’s NBX, an IP PBX.

“We’re a technology company and we wanted to show that we were up on it,” said Mark Harding, an ECWebworks spokesman. “The other thing is, when we compared the cost, a traditional system would have been more expensive.”

Harding said the firm was enamoured with the single-wire architecture 3Com’s product offered. With IP serving both data and voice, ECWebworks had just one wire at each user’s desktop, a sole line for both telephone and computer connectivity.

Along with simpler network management, the NBX brought improved integration among the company’s computers and phones, which made working from home much easier for ECWebworks’ employees, Harding said.

But that was two years ago. Since then, uncertainty about IP telephony and security has set the industry abuzz. Concerns about hackers targeting phone systems and other external vulnerabilities bring into question the wisdom of ECWebworks’ decision.

People worry about the servers these platforms employ – some use Microsoft Corp.’s Windows operating systems, which, thanks to their popularity, are more susceptible to denial-of-service (DoS) attacks and viruses than other OSes.

Some point out that firewalls, designed to scrutinize incoming data, are not equipped to handle voice. It’s a situation that leaves enterprises with two choices: toss the firewall out or forget about IP telephony extensions beyond the office walls.

Security groups suggest even certain IP phones are vulnerable, designed as they are for improved integration and, at the same time, easy intrusion.

Yes, a lot has changed since ECWebworks installed its NBX – mind you, the company hasn’t changed its mind. Harding said the firm is no more concerned about security and IP telephony today than it was in 2000.

He pointed out that, at its core, voice is just another application on the network. If IP telephony is somehow dangerous then “it’s the case with any network application,” he said.

Certain rules apply to both voice and data. Security is an immutable element that transcends the media. So “if you’ve addressed network security, you shouldn’t have any worries,” Harding said.

Industry insiders suggest that IP telephony is only as secure as the underlying infrastructure and therefore no more dangerous than running a network in the first place. Nonetheless, stories about virus-ridden IP PBXs and smart phones that act dumb suggest voice over IP is not so simple to deploy.

Consider the case of Carnival Cruises and its IP PBX woes. The company found out the hard way that managing an IP telephony system is different from running phone systems based on traditional TDM technology.

“Our [Cisco] CallManager got hit by the Nimda virus last year,” said Tom McCormick, senior technical analyst with the Miami cruise line. “It was a demo box and it wasn’t patched to protect against the latest viruses.”

McCormick said the Cisco Systems Inc. IP PBX, which runs on a purpose-built Intel Corp.- and Windows-based server, was being used only by the IT department for evaluation, so the company’s business was not affected by the crash.

But the incident was an eye-opener. The system, which is in the company’s live network now, has since been patched, and is maintained regularly for security fixes.

Earlier this year the Sys-Security Group, a security-minded IT company headquartered in Tel Aviv, Israel, found a problem with Cisco’s IP Phone 7960. In a report, the firm said troubles with the device “lead to complete control of a user’s credentials, the total subversion of a user’s settings for the IP telephony network, and the ability to subvert the entire IP telephony environment.”

What’s an enterprise to make of these horror stories? Not much, said Chris Cullin, a manager with Cisco’s enterprise voice and video group in San Jose.

Concerning the vulnerability Sys-Security found, the network gear maker responded with a list of best practices when deploying IP phones, he said.

“No specific vulnerability [Sys-Security] highlighted required a fix on the phone,” Cullin said.

Readers will find Cisco’s response in the product section of the company’s Web site (search for “Sys-Security” to get a direct route to the document).

Cullin noted that if the user’s network is secure, so is the IP telephony platform.

Most rely on VPNs to make sure information – voice or data – is encrypted en route to the IP PBX from outside the office, Cullin said. VPNs “extend the corporate data network” so employees working off-site are encapsulated in the network’s hard shell.

In Cisco’s case, the company suggests that users employ VLANs to segment the voice and data signals. That way “there’s no connectivity between PCs…and the CallManager,” Cullin said.

As for denial-of-service ambushes directed at the IP PBX server, Cullin said firewalls keep intruders out. As such, “the only person who could do a denial-of-service attack would have to be inside the company,” said ECWebworks’ Harding.

Cullin said it’s incumbent on enterprises to make sure the infrastructure is secure before considering IP telephony. Tie down the applications through to the switch because ultimately “securing one [layer] without the other doesn’t make much sense.”

Next issue, Network World Canada will continue its look into IP telephony and security with a nod towards the most likely vulnerabilities, the story of one smart customer, and advice from industry insiders.

– With files from IDG News Service