Home > Peak Performance > The Risky Business of IP Telephony

The Risky Business of IP Telephony

The four A’s of security give us some insight
into the security vulnerabilities posed by IP Telephony.

The first is
Authentication, the technologies and processes that identify devices or
users in a particular context, in other words answering the question
"Who are you?"  IP Telephony offers unreliable or inconsistent methods of identifying
or authenticating users and devices. While a particular IP telephone
may require a PIN by a user or identify itself with a MAC address,
dozens or thousands of phones or other devices may not. Organizations
deploying VoIP are probably also enjoying the other benefits of
converged networking by sharing the network with data and video. Most
cameras don’t authenticate themselves, nor do the many other devices
often attached to modern networks, such as door controls, alarm panels,
heating and air conditioning controls. Therefore, deploying VoIP sets a
precedent for authentication anarchy.

Next is authorization, the systems that answer the question "What may
you do?" Viruses perform actions that are not authorized; eavesdroppers
exploit inconsistent encryption to listen when they ought not; and
remote workers introduce unauthorized traffic across VoIP ports. These
are just some of the ways that VoIP deployments leave an organization
with far less ability to ensure that people are doing what they ought
to. Similarly, the computing systems managing traffic within VoIP,
called call managers, is not well understood and will likely not be
undertaken by IT security staff.

If we know who the people are, and what they are expected to do, our
next question is "How do we manage it?" Administration leaves much to
be desired in VoIP. Until we see VoIP solutions consisting of mature
and robust permissioning, provisioning, and user administration, we can
assume that people and devices will operate outside of expected limits,
opening windows of opportunity for bad things to happen.

And the final "A," Audit, requires us to evaluate "Is it working?" and
"What’s happening?" Yet, without authentication we cannot be sure which
person or device is causing trouble, and without good authorization or
administration, we will never be able to set policies to reflect secure
operation. And while ports 1124 through 1760 are open during calls,
there is no tracking what else is passing through. In the end,
answering the "audit" questions is impossible.
VoIP is not safe to use by itself, but the ROI is high nonetheless. So
you can assume that it will be introduced to a network near you very

Therefore, perform assessments of the 4 A’s of security before
deploying VoIP and periodically afterwards, plan for patch management
and virus protection – and VoIP will become about as safe as your
Internet connection.

Categories: Peak Performance
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: