If the Voice over IP Security Alliance (VOIPSA) proves anything, it's that voice over IP (VoIP) security is something that a whole lot of people take very seriously. "The reason why our membership has mushroomed is that the industry as whole is saying 'we're concerned," VOIPSA secretary and Sonicwall senior director Jonathan Zar says. "The carriers are saying 'we're ultimately responsible for integrating all of these products and we know there are problems."
Many of VoIP's security vulnerabilities are nothing new; they are simple the consequence of routing voice traffic over IP networks. Traditional telephony has been spared the kind of denial of service (DoS) attacks and worms that have bedeviled the Internet since Robert Tappan Morris set the first worm loose in 1988. However, the transport medium changes everything, even if VoIP lets users make and receive telephone calls with the same ease as with traditional phone service.
"You have to consider the underlying infrastructure," Infonetics directing analyst for enterprise voice and data Matthias Machowinski says. "If worms and viruses bog down your network, it's a data security issue, of course, but that's also going to affect voice quality and reliability."
In fact, real-time traffic like voice is particularly susceptible to any attacks on the IP network carrying it. Few users, Machowinski notes, will notice a network hiccup when they're downloading an e-mail attachment, but the same minute delay could play havoc with voice data. The bottom line is that VoIP security is only as good as the overall security of the network it's on, but even that's just a starting point.
"VoIP inherits every one of the denial of service vulnerabilities that you have on the net," Zar says. "It's also vulnerable to DoS attacks that are protocol-aware."