By Sathya Mithra Ashok
Many Middle East enterprises are contemplating or actually implementing VoIP. However, not so many pay attention to securing the application sufficiently. Encryption of VoIP traffic, along with a responsive network, can defend the enterprise better from all threats.
Voice over Internet Protocol (VoIP) is becoming pervasive in Middle East enterprises. Even with regulatory restrictions on the use of VoIP across international lines, the application over the network is becoming extremely popular in the region. The result is that there are very few large companies not thinking about their VoIP future.
“There is a whole lot of work going on with VoIP across enterprises, in the Middle East and the larger EMEA region. Companies are picking up on the technology. They are implementing it in scores in order to cut costs as well as attain performance incentives,” says Bjarne Munch, a principal research analyst with Gartner.
“However, too little attention is being paid to the potential pain points of the system. Most enterprises in the region are yet to put in place a comprehensive security strategy that goes with and supports the VoIP system,” Munch adds.
Security is often seen as the least of an IT manager’s or even a business’s concerns when getting a VoIP system to work for them.
The main reason for this attitude is that few are aware of the potential threats that could visit a VoIP implementation.
These threats include Denial of Service (DoS) attacks, viruses and worms, as well as hackers accessing the system and using unprotected information.
First steps
While the first layer of security would be protecting physical assets connected with VoIP (such as the servers), encryption comes in as the second line of defence. Encryption prevents hackers or eavesdroppers from using any traffic that they might manage to intercept.
“Most enterprises put in separate VLANs for voice and data. But apart from that fundamental step, enterprises often do not take efforts to add additional levels of security to transactions over VoIP,” adds Gartner’s Munch.
According to Munch and most VoIP vendors, additional security elements on VoIP are necessary as digital criminals are as real a threat here in the Middle East as anywhere else in the world.
“It is true that there are fewer attacks of such nature on a random scale. Today’s hackers and eavesdroppers know where they want to hit and can be highly specific. Large enterprises, therefore, run a reasonable risk of being targeted and should protect themselves from entry by such intruders,” says Munch.
Encryption constitutes the initial step to adding security layers to VoIP traffic. Such encryption comes in two forms: device-level encryption, and SIP-level or signalling encryption.
“Avaya VoIP phones come with device level encryption which is switched on by default so users do not have to worry,” says Roger El-Tawil, channel and marketing director at Avaya Middle East and North Africa.
“When enterprises in the region purchase any Avaya solution they do not have to worry about turning on encryption security. All traffic between the phone and the servers are coded and this makes it difficult for hackers to read if they manage to get their hands on the voice packet,” stresses El-Tawil.
Most VoIP phones on the market come with inbuilt device encryption so all the IT manager or infrastructure manager has to do is ensure that it is turned on by default or at least switched on before implementation is carried out.
Almost all of these devices are now built on the SRTP (Secure Real Time Transport Protocol) standard.
“SRTP has grown to become the most widely used encryption standard among almost all VoIP vendors,” explains Ahmed Etman, the security business development manager at Cisco.
“This is largely because it fulfills the objective of an open platform that can be easily integrated across various software systems,” he says.
As a result of this flexibility, SRTP has been adopted and used in most products of major vendors in the VoIP arena. Such vendors include Cisco, Avaya and Nortel.
Recently, Phil Zimmermann, the man behind PGP (Pretty Good Privacy), the encryption standard used for e-mail, came out with his version of an encryption standard for VoIP called, not surprisingly, ZRTP (Zimmermann’s Real Time Transport Protocol).
While ZRTP has been on offer for over a year now, vendors and users alike are yet to warm up to it in a big way. The standard was launched at a time when SRTP was already gaining ground and was supported by most vendors.
Additionally, many companies believe that ZRTP is not as open a platform as SRTP and as far as they are concerned, could entail proprietary lockdown for IT managers and organisations.
On the signalling side, many commentators predict that soon VoIP phones will work on the same SSL encryption that is used on browsers.
Paul Compton, security product marketing manager for Nortel Europe, Middle East and Africa’s enterprise networks business, says: “Phones will go through a transformation and in the future we will see most of them work on the SSL encryption that is proving so popular on the internet today.
This will come with an increasing convergence of devices where phones will become a unified screen to the net in terms of voice and data.”
As Etman from Cisco reiterates, such IP based encryption is already available on devices and it’s just a matter of time before it becomes widely accepted and more users begin using it.
The internal threat
Encryption becomes a doubly important security measure for enterprises when one considers that firms can never know where threats are really going to appear from.
“More than 50% of any attacks in an enterprise can come from its internal employee base. This need not necessarily be a malicious attack by an ex-employee. It could be someone still on your payroll who is just looking for a bit of fun or has angst against, for example, his line manager,” says Compton.
Whatever the primary reason for the attack, the enterprise stands to suffer if its voice traffic is unencrypted while flowing through internal networks. And this, quite scarily, is the case among the majority of organisations in the Middle East.
“Almost all traffic outside the enterprise, especially when done over the internet, tends to be encrypted,” points out Nortel’s Compton.
“Within a company, that is not often the case. Based on requirements, traffic from certain departments within an organisation can be encrypted. For example, if there is an R&D section working on highly confidential tasks then traffic to and from that section could be encrypted. Enterprises can work around points like that in order to build an open as well as secure environment,” Compton goes on to explain.
Working in tandem
Encryption alone is far from being the end of the road for security measures on VoIP.
“VoIP encryption is not as important as keeping in place a responsive network – an infrastructure that is capable of preventing and responding to threats whatever they might be,” explains Gartner’s Munch.
According to him, encryption on VoIP can actually be ignored if the enterprise has an effective, self-protecting network that covers traffic from end to end.
“An intelligent network is one that covers an enterprise across the entire process of information transaction. It covers access, detection, prevention and threat removal. We work with our partners in order to enable our networks to add required encryption to traffic based on preset parameters,” says Chris Moore, regional director ME and Africa for Extreme Networks.
Many security vendors continue to stress the idea of security as a strategy, rather than point-level encryption solutions, in order to ensure a better defended system.
“Encryption is often an illusion. It gives the idea of security. But there is no point just building encryption on the traffic over VoIP when other facets of the network are left open to attack.
It is essential to provide for proper coverage of the network from end-to-end. It is also equally critical to put in place efficient monitoring systems which are able to pick up and respond to threats in a proactive manner.
If all that is not done, then we are talking an enterprise which is truly unprotected to the outside world,” says Patrick Hayati, regional director, ME and Mediterranean for McAfee.
The bottom line is that selective encryption on VoIP can work, helping organisations to secure the most important resources and protect them from all forms of threats, both external and internal.
This, combined with a self-protecting network, can ensure an enterprise enjoys all the benefits of VoIP without any of the hassles.