Businesses failing to secure IP telephony

At the RSA Conference, Cisco said the number of businesses deploying IP telephony networks is increasing, but few are thinking about securing them

Businesses are failing to secure their IP telephony networks because of a lack of knowledge, according to one veteran VoIP engineer.

Eric Vyncke, author of LAN switch security: What hackers know about your switches and a distinguished engineer at Cisco, told an audience of security experts on Wednesday that insecure networks could fall victim to hijackers and hackers.

"Nearly nobody is deploying secure IP telephony," Vyncke said, speaking at the RSA Conference Europe 2007 in London. "Why? It's a lack of information."

Vyncke added that, five years ago, a lot of businesses had become deeply worried about securing IP telephony and, as a result, most had chosen not to deploy the technology.

"A lot of customers freaked out," Vyncke said. "They were only receiving one message — that IP telephony is insecure."

At that time, IP telephones could not be authenticated and there was no way to check the integrity of a device. But the technology has since improved, Vyncke said.

The engineer recommended the use of certificates for each phone, but said that the IT department must be able to revoke them if the handset is stolen or returned to the manufacturer.

Vyncke also highlighted potential problems with firewalls blocking encrypted IP telephony traffic. To help prevent that, it is advisable that the signalling and media streams are prevented from diverging, he said.

Vyncke added that two techniques have been developed which could help to solve the problem: the Stun protocol (Simple Traversal of User Datagram Protocol through Network Address Translators) and ICE (Interactive Connectivity Establishment — a wider framework developed by standards body the Internet Engineering Task Force, or IETF).

IT professionals should bear in mind that some IP telephony deployments which run over multiple domains can run into difficulties, said Vyncke. In 10 percent of cases, the firewall cannot see the signalling, he added.

"There are issues with IP telephony," Vyncke said. "But you can secure it."