Lack of equipment interoperability and confusion over security responsibility are to blame for the lack of security in voice over IP (VoIP), an issue that IT administrators say is a major concern for them, experts speaking at last month’s VON Europe conference said.
The technology and standards that exist to secure VoIP are not the issue, said Tim Jasionowski, senior technologist for voice and rich media technologies at Nokia Corp. The problem is that most enterprises aren’t using many of the technologies.
That’s mainly because unless an enterprise uses a single vendor for every piece of equipment in their network, including phones, IP-PBX, firewall and all other components in between, then security technologies such as transport layer security (TLS) are unlikely to interoperate across multivendor equipment, he said. Even if an enterprise decided to standardize on a single vendor, it might have additional limits on the products it chooses.
That’s because not all major vendors are building support for security standards like TLS into their products and those that do don’t necessarily support it across their entire product range, said Cullen Jennings, distinguished engineer at Cisco Systems Inc.
Once enterprises decide to extend VoIP into mobile devices, they face additional problems, and once again, not because the standards and technology don’t exist. Ideally, an enterprise might want to run Wi-Fi protected access (WPA) to secure the Wi-Fi connection on a wireless device, an authentication mechanism for users that may attach to public hotspots, a virtual private network (VPN) for accessing the corporate network and possibly other security techniques.
Running all of those security applications requires processing and power — both features in short supply on mobile devices.
In addition, the market hasn’t fully worked out who exactly is responsible for security and for enforcing that security, said Ari Takanen, chief technology officer for Codenomicon Ltd. Currently, layers of security are offered by service providers and equipment makers and sometimes their efforts overlap. Without the clarity of claimed responsibility, no source is liable for security issues, he said.
Enterprises can improve their chances of boosting the security on their VoIP networks in a couple of ways, including carefully examining the type of tests that vendors say they run on their products to make sure they work, Takanen said.
Organizations like the Protos Project, a collaboration between the Finnish University of Oulu and VTT Electronics, can help buyers test products, he said.
In addition, firms are responsible for demanding that vendors interoperate, Jasionowski said. In the meantime, product managers are making decisions against interoperability and against the advice of their engineering staff in hopes of securing more business, he said.