VoIP Security: Not all that difficult?

According to an article posted yesterday over on SearchVoIP.com, VoIP security isn’t all that difficult after all, and a lot of the necessary tools and tricks to lock down and secure a voice network are there already. From the article:

“It’s not an add-on,” Kevin Flynn, senior manager of unified communications for Cisco, said about VoIP security. “It’s built into the network already or in the VoIP products themselves.”

According to Flynn, pretty much every facet of VoIP security should already be part of the data network, so finding ways to apply them to VoIP should be a breeze.

“These are things a company ought to be doing anyway,” he said. “They ought to be doing antivirus in the network, access control and IDS. It’s stuff they already own.”

That’s fine when you view the problem entirely from a data network perspective, and from that perspective he’s mostly correct. Unfortunately, that’s only half of the problem. It’s true that VoIP is essentially a collection of network applications and as such inherits all of the security issues that come with the data network, many of which can be addressed as he suggests. What he’s not considering, however, is that VoIP is also an extremely complex set of applications in its own right, with many security threats and issues specific to what those applications do and how they behave, which cannot be addressed by network security controls alone.

Yankee Group vice president Zeus Kerravala agreed. He said some of the biggest security issues affecting VoIP now are not necessarily VoIP specific, but broader networking issues. He said many more voice-specific concerns stem from vendor hype than from actual issues.

In my opinion, this statement is almost entirely backward. As the previous quote from Kevin Flynn stated, most of the non-VoIP-specific threats are the ones that can and should already be addressed by existing data network security and control technologies. It’s the VoIP-specific threats that are more difficult to deal with, due to the relative immaturity of the technology and the afterthought that security generally receives from vendors and implementors.

While the article goes on to make some very valid points about needing a secure data network infrastructure upon which to build your VoIP network, it then continues with this bit on segmentation:

Another key, Flynn said, is segmentation. Separate voice and data traffic. “Separation is next to godliness,” he said. VoIP security 101 is segmenting traffic into VLANs. One way is to block PC port access to the voice VLAN.

I’ve heard this recommendation time and time again, but unfortunately I believe it’s fairly short-sighted. One of the primary benefits of VoIP that you’ll hear promoted by vendors and service providers is convergence: the promise that your VoIP systems will (and in some cases already do) integrate with your CRM applications, your enterprise messaging and collaboration servers like Exchange and Lotus, and other business applications. If you’re segmenting your entire VoIP infrastructure off from your data network, this becomes difficult to accomplish without an extremely high level of complexity. While normally I’m a big proponent of network segmentation and traffic segregation, I don’t believe it’s a very applicable long-term security measure for VoIP, viewed as an application suite, as it continues to mature. Business applications that are currently unrelated to VoIP will increasingly need access to the VoIP infrastructure, applications, and endpoints as all of these components begin to converge.
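To make the segmentation recommendation concrete, here is what Flynn’s “VoIP security 101” looks like on a Cisco IOS access switch, together with the kind of exception that convergence forces on it. This is an added example, not from the SearchVoIP article or the post above; the VLAN numbers, the addresses (10.10.0.0/16 for data, 10.20.0.0/16 for voice, a CRM integration server at 10.10.0.50 and a call manager at 10.20.0.10) and the ports (SIP over TLS on 5061, HTTPS on 443) are hypothetical placeholders chosen for illustration.

```text
! Access port: the PC sits on data VLAN 10, the phone tags its traffic
! onto voice VLAN 20, so voice and data are separated at layer 2.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
!
! Layer 3: by default, hosts on the data VLAN may not reach the voice VLAN.
! Every converged application (here the hypothetical CRM integration server
! 10.10.0.50 talking to the hypothetical call manager 10.20.0.10) needs its
! own explicit hole, which is exactly where the complexity starts to grow.
ip access-list extended DATA-TO-VOICE
 permit tcp host 10.10.0.50 host 10.20.0.10 eq 5061
 permit tcp host 10.10.0.50 host 10.20.0.10 eq 443
 deny   ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 permit ip any any
!
interface Vlan10
 ip address 10.10.0.1 255.255.0.0
 ip access-group DATA-TO-VOICE in
```

The order of the ACL entries matters: the two `permit` lines for the integration server must come before the blanket `deny` between the data and voice ranges, and the closing `permit ip any any` only lets the data VLAN reach destinations outside the voice VLAN. Each additional integrated application adds another host-to-host pair to the list, which is the maintenance burden the paragraph above is describing.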

Now, before you get the impression that I found this article completely disagreeable, let me say that throughout the article the people quoted do make some very valid points and very solid recommendations… for closed, enterprise VoIP systems. Unfortunately, those are only one type of VoIP system falling under the over-arching “VoIP” acronym. Considering VoIP security from the closed, enterprise VoIP network perspective alone also ignores a second future promise of VoIP, which is interconnectivity. Currently, most closed VoIP systems (dubbed “VoIP Islands” by many in the industry) interconnect only via trunks back to the PSTN. In the future VoIP promises true enterprise-to-enterprise connectivity, over IP. That’s what the last three letters of the “VoIP” acronym stand for.

Finally, the case study at the end of the article seems to contradict the opinion expressed at the beginning of the article and throughout: that VoIP security can be handled mostly by network security and controls. The case study speaks to one enterprise that is currently piggy-backing its VoIP security policies on its network security policies, but realizes that much more needs to be done that specifically targets the VoIP technology piece of the puzzle:

Allan said she would advise telecom and voice teams to meet with folks on the security side to develop a VoIP security action plan. VoIP security differs from standard network security, she said, so a new set of best practices may be needed.

“The security team needs to know what we’re doing and needs to understand how VoIP is a different beast on the same pipe to make the best decisions on what to do,” Allan said. “I don’t know that the standard security best practices are all a 100% fit into VoIP, and that’s a challenge for me personally to work on.”

This is the opinion in the article that I agree with. VoIP security is a much larger beast than simply labeling it another network application and calling it a day.