Ottawa-based startup VoIPshield Systems Inc. is marking time on the release of protection products for voice over Internet Protocol (VoIP) applications, but last month released VoIP-specific auditing software as its first product.
The company says the full scope of VoIP threats is still unpredictable and instead is offering VoIPaudit, a discovery and assessment tool that scans the network for VoIP vulnerabilities, then compiles a report and lists recommendations to address known issues.
“Based on our discussions with enterprises, vendors and service providers, this is the first tool they are looking for, because today, no one really knows whether VoIP is fully secure, what the issues are and how to address those issues,” said Bogdan Materna, chief technology officer and vice-president of engineering for VoIPshield.
Alicia Wanless, an analyst at Seaboard Group in Toronto, says although VoIP is in its early stages, the most pressing issue is regulatory compliance. And a product such as VoIPaudit directly addresses these concerns, she says.
“It’s important that VoIP as a new technology is monitored in more of a preventative manner than reactionary, but it would appear the VoIPaudit product is a response to the regulations. There’s a certain amount of auditing necessary and that’s what VoIPshield is offering,” said Wanless.
“Sarbanes-Oxley, Bill 198 in Canada, as well as the Gramm-Leach-Bliley Act (GLBA) enforce that enterprises must have auditing tools in place that will produce reports in real-time for their communication systems. That includes authorization for who has access to information, and that touches voice over IP because of the security issues involved with VoIP.”
The automated auditing tool scans the VoIP hardware and software, and related components such as routers, firewalls and the underlying operating system, supporting applications, directory servers and protocols, such as domain name service (DNS) and dynamic host configuration protocol (DHCP).
VoIPaudit also provides multi-vendor support for VoIP protocols, including SIP, H323, Cisco Skinny, Nortel Unistim and other proprietary protocols.
Vulnerabilities such as virus and denial of service (DoS) attacks, toll fraud, information privacy, buffer overflow attacks and voice spam need to be assessed, says Materna, before the deployment of VoIP over the infrastructure.
“We approach security in three domains,” he said. “Prevention deals with finding vulnerabilities and patching them before deploying VoIP, while protection is where we build defence mechanisms for the VoIP infrastructure, such as firewalls, intrusion protection systems, anti-virus software, session border controllers and encryption.
“But no matter what you do in those two domains, sooner or later something will still get through. The domain we have to begin with is mitigation,” said Materna. “That way, the VoIP network can still be up and running, even if it’s at a lower quality level, and you have enough time to address the issues.”
Materna says VoIP offers new and unique challenges to security teams, particularly because is voice is a real-time service. “VoIP security is not the same as existing security for data networks,” he said.
“Security has to match the real-time demands of packet-loss and garble. Voice has very stringent delay requirements on the network, so encryption isn’t very popular.”
For example, typical firewalls cannot deal with the voice protocols. To this end, security vendors have developed the session border controller (SBC), a device that functions as a firewall and attempts to address VoIP-specific protocol issues.
And voice is only the beginning, says Materna. The IP multimedia subsystem (IMS) extends the IP network to which VoIP is exposed. “New protocols, applications and devices, television over IP and video conferencing, are in constant interaction on the IP infrastructure and all of these create new opportunities for hackers,” he said.