Lake Buena Vista, Fla. — Even if IP telephony’s future dominance in the enterprise communication industry seems a foregone conclusion, methods of keeping such systems secure are not so obvious.
That was clear from Gary Audin’s presentation at VoiceCon, the voice technology conference held in Lake Buena Vista, Fla., March 1 to 4. A voice-data expert and president of Delphi Inc., Audin outlined the pitfalls before enterprises that entertain switching from traditional, TDM-based communication systems to voice over IP (VoIP) platforms.
Although VoIP spells easier moves, adds and changes, as well as potentially less expensive long-distance bills as a result of its bypassing the PSTN and connecting correspondents over data lines, the technology also presents certain problems.
Firstly, it’s based on an open standard, the Internet Protocol (IP), which means it’s easier to crack than systems that use proprietary protocols. Secondly, much of the intelligence lies in end-points — the IP phones — rather than in the private branch exchange (PBX). It’s also harder to secure numerous IP phones than it is to lock down a single server.
Still, there are measures that companies can take to secure their VoIP environments. During his presentation, called “Securing VoIP: Have you done enough?”, Audin outlined some of his suggestions.
He pointed out some overarching security methods that could help protect the entire enterprise communication infrastructure, including VoIP implementations. For instance, he said companies should employ a consultant to try to break into their networks. This “vulnerability assessment” could go a long way toward helping IT managers understand just where their systems could use some beefing up.
Audin also said it’s not enough for companies to have a single IT security person. “Can you really trust one person?” he said, pointing out that two heads are better than one. “You always need one person auditing somebody else.”
Regarding telephony specifically, Audin said it’s important to assign robust identity codes. Everybody can guess “admin,” he said.
He also recommended keeping PBX reports on read-only data. That way the enterprise can scrutinize the data, scan for patterns, and never worry that somebody might question the report’s validity. After all, it can’t be altered.
Audin suggested hardening the PBX operating system by turning off features that the company doesn’t need. He said the enterprise’s success in this regard depends on the OS in use. Some operating systems, like Microsoft Corp.’s Windows, are feature-rich and somewhat difficult to strip down. Others, like the open-source Linux operating system, are more customizable.
It’s important to secure IP end-points, particularly softphones, Audin said. They’re only as secure as the PCs on which they reside. Audin said IP platforms that use the Session Initiation Protocol (SIP) put an awful lot of the intelligence into end-points, so end-point management could be even more important in SIP systems.
Avaya Inc. recently released its SIP-enabled IP phones. According to Alan Klein, a Miami-based corporate systems engineer at Avaya who was demonstrating the SIP portfolio at VoiceCon, his company is well aware of how vulnerable SIP phones can be if they’re not configured for protection. That’s one of the reasons why Avaya puts as much of the intelligence into the server as possible, he said. It’s one way to help keep IP telephony installations safe from spoofers and toll fraudsters.
Asked if Audin’s presentation was helpful, one conference goer said it was, even if the presenter didn’t get all that specific about products or services that could help protect VoIP environments.
“I like that it’s not vendor-driven,” the conference goer said. He wouldn’t offer up his name, but said he’s an IT employee at a large U.S. financial services firm. As for Audin’s lack of specifics, “you can’t cover everything in a four-hour session,” he said.