VOIP Security Group Urged On

A newly formed industry group is being pressued to help users deal with the impact of voice over IP (VOIP) security threats on their back-end systems.

The fledgling VOIP Security Alliance (VOIPSA) has been asked to beef up its approach to VOIP threats by issuing security standards for VOIP equipment (see Info-Tech Pinpoints VOIP Gaps).

VOIP networks, in contrast with the analog telecom networks that preceded them, rely heavily on back-end data center gear. That makes them potential conduits of data center trouble. If you’re putting an inherently insecure network onto your data network, you are exposing your entire infrastructure to risk,” says Carmi Levy, analyst at Info-Tech Research Group.

Levy is urging VOIPSA to start certifying both VOIP handsets and back-end systems to prove they are as secure as traditional telephone networks. Until this is done, he warns, users risk having their calls hijacked or eavesdropped, or having their voicemail compromised.

But expectations of quick progress by VOIPSA could be disappointed. David Endler, director of security research at TippingPoint Technologies Inc. and VOIPSA chairman, says that it is still early days for the organization. And despite Levy's urging, Endler can't say whether VOIPSA will deliver its own certification. “It’s not something that we have either ruled out or committed to,” he says. “The technical advisory board will continue to weigh that."Meanwhile, “We’re working on our first, near-term projects,” he says. These include defining the security requirements for a typical VOIP network and publishing a taxonomy of the different threats that users face.

Endler hopes these projects will be delivered by the end of July. Other projects in the pipeline include VOIP testing and best-practice initiatives.

VOIPSA was set up back in February 2005 in an attempt to meet the security challenges posed by VOIP protocols (see VOIP Security Alliance Formed and Vendors Step Into VOIP Void).

TippingPoint, which has since been snapped up by 3Com Corp. (Nasdaq: COMS), was the prime mover behind the initiative, which includes rival vendors such as Symantec Corp. (Nasdaq: SYMC), service provider Qwest Communications International Inc. (NYSE: Q), and end-user Fidelity Investments.

But getting a disparate group of vendors, service providers, and users together can be like herding cats, so it remains to be seen what long-term impact VOIPSA will have. Earlier this year, for example, security vendor Webroot Software Inc. parted company with an anti-spyware consortium it had founded. In a statement, Webroot said that it was concerned with the direction the Consortium of Anti-Spyware Technology Vendors (COAST) was taking (see Webroot Splits With COAST).Could that kind of controversy overtake VOIPSA? Endler remains positive. “There’s a level of scrutiny and skepticism when an industry group gets together,” he says, but he insists “it’s coming together,” as VOIPSA gains momentum.

Endler says VOIPSA’s membership is on the rise, with around 50 members now, and double that figure expected in the next two weeks. VOIP is also set to be a key talking point at next week's Supercomm 2005 in Chicago.

— James Rogers, Site Editor, Next-Gen Data Center Forum