VoIP Driving The Need For SSL VPNs: Survey

The need for VoIP security is an increasing important reason cited by enterprises for deploying SSL VPNs, according to a new report by market research firm Infonetics Research.

Security is still the top concern when implementing VPNs, but "VoIP support is moving up the list of important features for VPN products as more and more organizations roll out VoIP and discover compatibility problems with VPNs," the report found.

The report also found that:

* SSL is becoming increasingly popular, and will rise from 21% usage today to more than a third by March, 2008.

* VPN/firewall appliances are the most popular devices for deploying VPNs, followed by router-based products.* Cisco is rated the best vendor from users in all categories but pricing.Check Point rates second highest for security. SonicWALL rates highest for pricing and second highest for price-to-performance ratio.

Why VoIP And VPNs Make A Good Match

As VoIP becomes central to enterprises, security has become an increasing issue, not only because of potential backdoors opened via VoIP, but because VoIP can be wiretapped via sniffing IP packets.

That's large part of the reason for the increasing need for VoIP-aware SSL VPNs. Not everyone agrees that VPNs are always needed, though.

Aziz Khadbai, general manager of Converged Nortel Networks, told CRN ,"VoIP installations today are within closed networks managed by a single entity. In the context of an internal network, the need for encryption is less critical than if the traffic passes over untrusted networks."But many people disagree with Khadbai, as the results of the Infonetics survey shows. They point out that many attacks are launched by those inside an enteprise, and not from outsiders. For example, Robert Moskowitz, senior technical director at ICSA Labs told CRN that an "CSI/FBI study shows that 80 percent of [VoIP] attacks are from insiders. Consider the ease of SIP hijacking and the ease of header manipulation. It's easy to become a man-in-the-middle and effectively wiretap all VoIP communications."

VoIP-aware VPNs are particularly important in branch offices that connect to main offices via VoIP, or when remote workers use VoIP to communicate with corporate offices. As a result, VPNs targeted at branch offices now commonly include VoIP features, such as the just-released Check Point's VPN-1 .

In the long run, though, it may be that VoIP-aware VPNs are only a stopgap measure, and that a more standardized, cohesive security architecture will ultimately solve the problem.

A proposed IETF standard, Interactive Connectivity Establishment (ICE), would allow VoIP calls to cross through firewalls without compromising security. ICE uses a variety of mechanisms to discover the internal IP address schemes of networks to which two VoIP endpoints are attached, and so allows VoIP calls to pass through NAT firewalls.

Microsoft and Cisco have begun cooperating to potentially add ICE capabilities in their software and hardware. But even so, ICE is only a draft, and its ultimate acceptance may be years away. So VoIP-aware VPNs will be needed for the foreseeable future.