CNETAsia:
McAfee chief executive George Samenuk called the VoIP platform “the next big area for attack”. Robert Graham, chief scientist from ISS, is equally leery of the resilience of VoIP. Sure, everything is insecure, but that does not mean it cannot be secured. The virus protection vendors create an environment of fear, and then sell a lot of software licenses. Their whole business model is based on the concept of the “fear factor.”
I have to completely agree with this. VoIP is wide open and ready for attack. SIP proxies, Class 4/5 softswitches, media gateways — all are blatantly easy to attack. The softswitch platforms are typically built on top of off-the-shelf Unix (Solaris, for example) platforms. The two vendors whose systems I’ve used DO NOT even apply basic Solaris (security) patches or standard security procedures (such as shutting down unused daemons, etc.). If that weren’t enough, basic DoS attacks can easily degrade VoIP traffic, because the fact is that real QoS doesn’t exist yet (not that I have a problem with that). The icing on the cake is that the tools we do have (Layer 4-7 aware switches and routers) haven’t yet been adapted to offer their DoS and other security features specifically for VoIP.
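The “shut down unused daemons” procedure above is easy to state and easy to skip. As an added example (not code from the original post or from any vendor named here), the script below takes a Solaris-style `netstat -an` listing and reports every listening TCP or bound UDP socket whose port is not on an allowlist of what a SIP softswitch host should expose. The sample listing is constructed, the column layout is assumed to follow Solaris `netstat -an`, and the allowlist (SSH on 22, SIP on 5060 over TCP and UDP) is an assumption for the example; a real host would feed in live output and its own expected port set.

```python
"""Flag listening services on a softswitch host that are not on an allowlist.

Added example, not from the original post. Parses a constructed
Solaris-style `netstat -an` listing and reports every listening TCP
socket or bound UDP socket whose port is not expected on a SIP softswitch.
"""

# Constructed sample, loosely following the Solaris `netstat -an` layout.
# UDP sockets show a state of "Idle"; TCP listeners show "LISTEN".
SAMPLE_NETSTAT = """\
UDP: IPv4
   Local Address         Remote Address      State
-------------------- -------------------- ----------
      *.5060                                 Idle
      *.111                                  Idle
      *.161                                  Idle

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.5060               *.*                0      0 49152      0 LISTEN
      *.23                 *.*                0      0 49152      0 LISTEN
      *.111                *.*                0      0 49152      0 LISTEN
      *.6112               *.*                0      0 49152      0 LISTEN
  10.0.0.5.22          10.0.0.9.51234      64240      0 49640      0 ESTABLISHED
"""

# Ports a SIP softswitch is expected to expose (assumption for the example).
ALLOWED = {("tcp", 22), ("tcp", 5060), ("udp", 5060)}


def parse_listeners(text):
    """Return a set of (proto, local_addr, port) for every bound socket."""
    proto = None
    found = set()
    for line in text.splitlines():
        stripped = line.strip()
        # Section headers switch the protocol we are parsing.
        if stripped.startswith("UDP"):
            proto = "udp"
            continue
        if stripped.startswith("TCP"):
            proto = "tcp"
            continue
        # Skip blank lines, column headers and separator rows.
        if proto is None or not stripped or stripped.startswith(("Local", "-")):
            continue
        fields = stripped.split()
        state = fields[-1]
        # Only sockets that accept traffic matter for this check.
        if proto == "tcp" and state != "LISTEN":
            continue
        if proto == "udp" and state != "Idle":
            continue
        # Solaris prints addr.port with a dot separator; split on the last dot.
        addr, _, port = fields[0].rpartition(".")
        if not port.isdigit():
            continue
        found.add((proto, addr or "*", int(port)))
    return found


def unexpected_listeners(text, allowed=ALLOWED):
    """Sorted list of bound sockets whose (proto, port) is not allowlisted."""
    return sorted(
        (proto, addr, port)
        for proto, addr, port in parse_listeners(text)
        if (proto, port) not in allowed
    )


if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected {proto} listener on {addr}:{port}")
```

Run against the constructed sample this flags telnet (23), rpcbind/portmapper (111) on both transports, SNMP (161) and an unknown service on 6112, while SSH and SIP pass. The point is not the particular ports but that the check is mechanical and can run after every patch cycle, which is exactly the kind of systems engineering work the vendor platforms described above were not getting.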
And that’s the easy stuff. The hard stuff? SS7 itself is vulnerable — but in the case of VoIP it is the so-called signaling gateway, the SS7-to-VoIP interface, which (with current technologies) is not really redundant. Then there are the SMS vulnerabilities in SS7, which I’m no expert on but which I think are widely known …
Beyond the security implications is the longer-term issue of the COST of administering the server platforms and dealing with security in VoIP. I think the models we see today for VoIP costs don’t accurately account for OPEX costs like sysadmins and operations (systems management tools) like the Opsware products. When folks figure this out you can expect to see some major COGS recalculations taking place.
Just a note — this comes fresh off the heels of a nationwide VoIP engineering plan I just completed for a Tier II ISP with DID origination/termination. Following the planning we did a pilot and full-scale production testing and operations … So I’m speaking from real and very recent experience here.
When you think about VoIP, think computers — not networks. Because with current technology VoIP systems scale with the addition of computers. A totally decked-out nationwide VoIP network is pretty vanilla from a big IP network perspective. On the other hand, the compute platforms are large and the redundancy between them is complex.
And the worst part? The divisions of labor are aligned so that much of management is putting voice engineers and network engineers on VoIP projects but forgetting about good systems engineers and architects (the folks who will apply your security patches, build private IANA non-routable networks for you, etc.) ….