Traditional telephony experts 'don't get VoIP security'

Corporate managers charged with implementing Voice over Internet Protocol (VoIP) could compromise security unless they look at the platform as an Internet service rather than traditional telephony, vendor Check Point argues. The security company's local country manager, Scott McKinnel, told ZDNet Australia while voice and Internet technologies were converging, experts from two camps had differing priorities when it came to approaching implementations.

McKinnel said in implementing VoIP-based systems, traditional telephony experts would "try to address the primary concerns as they would see them in a telephony world -- which are latency, PABX and voice-mail functionality, quality of service, things of that nature."

Security was not a business driver in that context, according to McKinnel, and so the telephony gurus probably didn't have expertise in securing IP-based networks.

"They haven't even had encrypted voice circuits," he said, "let alone anything more sophisticated than that ... there's never been a shared network infrastructure".

Further, he said, users trusted their telephones implicitly. "Even in senior IT management, they're not going to sit there and wonder if their telephone is secure. We're not conditioned to think like that," he said.

However, McKinnel continued, Internet security experts could show their telephony counterparts the way.

"The way we protect VoIP is consistent with the way we protect all other [Internet-based] protocols," he said.

The view parallels what some say should be the government's attitude towards VoIP regulation.

Vint Cerf -- known as the 'father of the Internet' due to his role in developing the TCP/IP protocol -- recently went on record with his opinion on the subject.

Although VoIP appeared to be traditional telephony, he said, "VoIP is really just another application on the Internet. Nothing special about it."

Check Point addresses VoIP security as part of its unified security architecture, according to McKinnel. The latest version of that architecture -- named NGX -- has recently been released after a complete re-write of the code.

McKinnel said by examining whether live VoIP communications were compliant with industry standards such as H.323, MGCP, SIP and SCCP, his company's software could detect attempts at hacking such as the one that recently claimed the scalp of Telecom New Zealand.

In that case, a hacker gained access to the telco's voice mail system and divulged the contents to Computerworld New Zealand. The mechanism was similar to the one that several months ago exposed hotel chain heiress Paris Hilton's mobile phone address book to the world.

According to McKinnel, Check Point was also looking at limiting the ability of VoIP applications to carry malicious data. He clarified that even if VoIP software was adhering strictly to standards, malicious binary information could still piggyback on connections.

Furthermore, the security vendor's software also attempts to restrict access to VoIP applications and conducts checks to make sure only legitimate usage is allowed.

In the end, the Check Point chief agreed the challenge of securing VoIP services was similar to many challenges in the ICT environment. "The first thing is user awareness," he concluded.