The Voice over IP Security Alliance (VoIPSA) today announced its much anticipated VoIP Security Threat Taxonomy, a classification and description of the types of security threats that affect IP telephony.
Identified as the alliance's first major task when VoIPSA was formed last February, alliance secretary and taxonomy project head Jonathan Zar, who is also SonicWALL Senior Director, say that the taxonomy is the first step in dealing with VoIP security. "When we were asked by the press and the regulatory community about threats, we weren't always talking about the same thing," he says. "Everyone was talking about their part of the elephant."
By defining the kinds and nature of threats, Zar says VoIPSA hopes to give the Internet voice industry a common reference point to deal systematically with VoIP security issues. "Many vendors said they could solve the problem themselves, but by going to the taxonomy, it became clear that there would still be gaps," he says. "For example, voice spam was perceived as a big deal at the beginning, but it became clear early on that deceptive practices would be a bigger threat,"
Indeed, the threat taxonomy is a necessary precondition for VoIP to fulfill the other projects in its mandate. Zar points out that it makes little sense to develop security requirements and best practices or pursue security research "unless you know what you're up against."
The VoIP Security Threat Taxonomy is organized into four broad phyla. Two --denial of service and unlawful signal or traffic modification -- deal essentially with the integrity of the network signal and infrastructure. Signal interception and bypass of refused consent, on the other hand, categorize threats specific to VoIP and deal specifically with privacy. "Privacy is not a wishy-washy abstraction, it's a concrete idea," Zar says. "So we defined privacy first, and then we defined the expectations for privacy within the community and defined security as a way to ensure that."