If your customers are planning to exploit the incredible power, flexibility and cost savings offered by VoIP, there are two things they need to know: VoIP people don't think like IP people; security is going to be a nightmare.
Recently, I spoke with experts in VoIP from around the world. This elite group represents VoIP subsidiaries and working divisions of something like 94 per cent of the planet's telecom service providers. I got called in to provide an in-context and out-of-context view of VoIP and security. I began with a couple of easy, soft-pitch questions. Or so I thought.
"How many of you use penetration testing as means to maintain the integrity and continually test the security of your VoIP networks?" I asked. Not one hand went up. I thought there might be a language problem, so I rephrased the question: "How many of you have a dedicated staff of security people whose sole job is to stress the network to find problems before the customer does?" Again, no hands were raised.
After recovering from my shock, I asked, "Why don't you?" The most common response was, "Why should we?"
That's when I retreated to the security basics. I talked about how denial of service and distributed DoS can paralyse VoIP, and about data-transfer integrity, and asked, "What are you doing about this?" They shrugged.
The VoIP community has not travelled with us for the last 25 years and learned the lessons of virtual venom and online conflict. Their biggest concerns are quality of service and billing accuracy.
Historically, the endpoints of communications have been dumb. One lesson the IP world has learned is that complexity breeds insecurity; dumber is securer. But the world the VoIP crowd is building uses endpoints that are much smarter. Therefore, the VoIP version of security is bass-ackwards from the IP approach. And you're planning on bringing VoIP into your enterprise? Hmmm.
Next, I asked this group of now-nervous VoIP leaders, "Can any of you tell me where your VoIP and data networks meet, converge, talk to each other, share facilities?" Silence. I rephrased the question: "How do your VoIP and data networks talk to each other?" Still sort of blank stares.
One guy chirped, "Ah, ... they don't." Incredulous, I asked a number of people whether their VoIP and data networks were completely isolated from each other, and the consensus was that they were disparate networks.
I whipped out a Sharpie, ran to the flip chart and scribbled some clouds, cylinders and routers. After several Pollock-esque flourishes, someone called out, "Mine connects there." Somebody else said, "Sure, it has to connect here and there and there to make it work." It was just that they apparently had never been asked the question in a security sort of way.
Over the next several hours, we learned a great deal. The communications world is moving toward VoIP but does not have the security expertise it needs inhouse to meet the real-world stress it will encounter. I learned a lesson I should never forget: I assumed these people were security-clueful, and I was wrong. They learned, I hope, that the threats the VoIP industry is going to face will be merely variants of what it has already seen more than once. I also hope they carried away something more important: an awareness that security must be designed in from the beginning and that the next generation of VoIP gear must have a more aggressive security posture than the current one.
Schwartau is a security writer, lecturer and president of Interpact, a security-awareness consulting firm. He can be reached at firstname.lastname@example.org.