Not all security issues originate from outside the network. A growing number of threats are coming from inside networks. In fact some security analysts have found that there are more successful attacks coming from within than outside your network. Cyber criminals working inside a company can steal the identities of coworkers on a large scale. Usually these criminals are difficult to spot. They don't look like criminals.
This concept is not lost on crime syndicates who equip members of their organizations with fake identification and send them to apply for and obtain jobs in Fortune class corporations. Once inside, these criminals have access to the inside of networks -- on the "soft" side of the firewall, and from there can unleash an array of internal attacks on a company's computer network in an effort to steal identities.
Other times such syndicates direct their efforts towards the corporation and in some cases are able to steal money from banks and other financial institutions. When they are caught it is often too late to get the money back.
Internal and external hackers are always looking for new ways to get confidential information they can use to make money from. Techniques such as VoIP eavesdropping allow a hacker to listen-in on phone calls. Conversations with banks where PIN codes are used can be saved for later analysis. Think of unprotected VoIP networks as a hacker gold rush.
VoIP encryption is one way to deal with the problem and if you read Internet news sites like TMCnet you probably have noticed a growing trend by companies to encrypt voice packets. The problem is that encrypting voice packets in a way that an enterprise cannot unencrypt them causes problems for law enforcement agencies as well as the corporation. Skype is an example of a product that cannot be centrally unencrypted. HIPAA and Sarbanes Oxley are two laws that require corporations to record certain employee conversations in order to be in compliance with the law.
Phil Edholm the CTO of Nortel Networks told me a while back how concerned he is about peer to peer encryption of SIP messages as these messages can contain viruses and other malicious code. Encrypting SIP messages on a peer to peer network can lead to absolute disaster if you aren't careful. If all of these problems aren't bad enough, there are issues relating to latency caused by encryption you also have to deal with.
Encryption -- unless centralized is a bad idea for enterprise VoIP. In this world where security is so important to all of us, any sort of p2p VoIP security protocol that governments can't break is bad news for the population as a whole. Rich Mendoza the Managing Director of SIP Solutions at BorderWare tells me that the firewall, not encryption is going to have to deal with VoIP security issues and you know what? He thinks we will need specific firewalls for various applications such as e-mail. If Rich is correct, the more applications you have the more firewalls you will need.
As Rich tells me, general purpose firewalls don't generally do the deep packet inspection needed to protect organizations using VoIP. He goes on to say that service providers aren't in the packet censorship business this is why we have desktop applications for antivirus, anti-spam and anti-spyware (he forgot anti-adware -- how can anyone live without this?) We need endpoint applications to protect VoIP calls.
BorderWare's sells firewalls so they are obviously biased towards firewall use. Their appliances sit behind your general purpose firewall and when deploying you just open up ports 5060 and 5062 on your general firewall so that the VoIP firewall can handle the job of dealing with the VoIP traffic.
Another application of these firewalls is deployment by service providers to their customers so that the softswitch is segregated and customers can't get to other customers on the same softswitch.
This past December 2004 I wrote the following about VoIP E911 in Internet Telephony Magazine:
I have said it before and I will say it again if we don't get our act together soon as an industry we will have some serious headaches to contend with. The positive press friendly to VoIP that we witnessed for a year will vanish the moment someone is injured or worse because there is a problem with VoIP and E911 connectivity.
The current state of 911 over today's VoIP providers is not good. The incumbents aren't as much of an issue as the newer carriers who transfer 911 calls to lower priority administrative lines in PSAPs. E911 over VoIP can be much better than PSTN 911. We need to come together as an industry and discuss the challenges and standards issues and make sure that e911 over VoIP becomes a reason to adopt and not a reason to pass on VoIP.
I consider this a stumbling block that needs addressing on our way to achieving VoIP 2.0. Companies like Vonage, who use technology from an innovative company called Intrado, are taking bold steps to ensure the safety of their customers. They should be commended for their efforts and others need to follow.
Few service providers listened. These providers are now scrambling to meet the FCC deadline for 911 compliance.
Now I'm at it again. I am telling you that if you are a service provider or an enterprise putting VoIP on your network. Understand the security implications of not having a VoIP aware firewall in the mix. Understand full well what you are doing.
If you are unsure, come to Internet Telephony Conference & Expo this October to learn everything you need to know to roll our VoIP safely and securely. We have extensive and in-depth education on this topic. Remember that if a 911 call doesn't work on your network because of some sort of attack, someone will be held responsible. The same goes for sales calls and revenue that may be lost. Be sure you know as much as you can and do as much as you can to ensure a successful and secure VoIP deployment.