|
|
To print: Select File and then Print from your browser's menu
-------------------------------------------------------------- This story was printed from ZDNet Australia. --------------------------------------------------------------
|
VoIP: Is the tech ready? By Ong Boon Kiat, Special to ZDNet November 29, 2004 URL: http://www.zdnet.com.au/news/hardware/soa/VoIP-Is-the-tech-ready-/0,130061702,139168291,00.htm
commentary How secure is voice-over-IP (VoIP) as a technology platform? The debate is not new, but the question will remain relevant until this technology reaches the dependability and resilience of existing circuit-switched telephony systems. There are no quick answers. This is a complex technology that has valid -- and for now, incomplete -- arguments on both sides. The security vendors that I recently spoke with had their knives out. McAfee chief executive George Samenuk called the VoIP platform "the next big area for attack". Robert Graham, chief scientist from ISS, is equally leery of the resilience of VoIP. He said in a recent interview that the technology in its current guise is "completely insecure", and that its vulnerabilities will blow up in the same way Microsoft's vulnerable remote procedure call (RPC) allowed Blaster and Sasser to wreck the havoc that they eventually did.
Safe enough? "People who criticise the unsafeness of the VoIP platform seemed to have forgotten that people used to attack PBXes before," said Michael Frendo, vice president of voice systems engineering, voice technology group. "Remember back in the eighties, when the cool hack was to use a signal generator to steal a long-distance line?" he asked. "If you knew what were the right tones to play, you could steal any service. And you could buy a tone generator for fifty bucks each -- easily. The fact is this: people will always find ways to attack." He continued: "You have to remember that with VoIP, we are building an application that sits on top of a network -- we are not building something from ground up. If you don't secure the network with say, perimeter defence, than the potential of being comprised is the price that you pay for enjoying the flexibility of this technology." Fair argument. But Frendo's point on VoIP applications being dependent on the resilience of the networks they ride on isn't very comforting. Given the alarming reports we read daily on PC virus outbreaks, exposed system vulnerabilities and the rise of organised hacking activities like phishing, network security isn't likely to improve very much from current levels in future. And if it doesn't, is that good enough for a telephone system? Secondly, like ISS' Graham, I am concerned with how the increased exposure to public data networks will hurt VoIP systems as they gain traction. While the backbones of circuit-switched telephone systems are pretty obscure, IP networks are within the reach of thousands of script kiddies and millions of bots that roam the Web each day.
Toughening the voice pipe "If you have an MPLS trunk carrying voice between two offices, you basically have a closed network between both offices," said AT&T Asia Pacific's director of planning and engineering John Mulligan. Or if you are building your own VoIP systems, Cisco's Frendo offered two ways to toughen the pipe. First, enterprises and service providers can encrypt VoIP signalling over a secure tunnel, he said, by using transport layer security (TLS). Secondly, they can then follow this up by encrypting the actual voice traffic, using secure real-time protocol (SRTP). The combination of both measures, he said, will protect IP phone systems against phone-tapping and caller ID-spoofing. But the larger question of simple reliability remains. Most VoIP applications will ride on open systems, as opposed to circuit-switched telephony systems which are almost mainframe-like in their closed-ness. To stretch a crude analogy, moving to a VoIP-based telephony system is akin to moving from an IBM RS/6000 to a Windows XP system. It's hard to see how the latter can be as robust as the former. Actually, as any network administrator know, it is easy to trip up an IP network. Frendo recalled a customer which had been frustrated by a network that was resetting itself every 30 seconds. The problem was eventually traced to a spanning tree-error in its network switch. "Now this customer was able to live with this problem and initially did not even worry about it because the problem only meant that their employees' Web browsers were taking longer to fetch data. With a voice platform, however, this will become an intolerable quality issue," he said. In fact, it may take less network quirkiness to render a VoIP platform unsatisfactory. As Mulligan pointed out, all it takes is a slight jitter in a voice conversation to introduce tension, which can eventually lead to a lost business deal. To put his quote in context, however, he said that while expounding the virtues of AT&T's VoIP-EVPN service, but his point about voice being extremely intolerant to network quality inconsistencies is generally valid. Me? I am going to give vendors the benefit of the doubt -- with a caveat. Given the excellent quality of the current crop of VoIP products and services, and collective momentum of the platform, which IDC predicted will be worth US$15 billion in worldwide equipment sales three years from now; I have to believe vendors will be more than capable of solving any quality or security challenges as they roll out new equipment and services. My caveat is this: I agree with ISS' Graham when he said that VoIP vendors and users alike tend to only react when hackers come knocking. Right now, that has not happened because the technology is still niche. But when hackers and viruses come calling in drones (can someone say Blaster?), I hope VoIP vendors will be ready for it.
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved. |
