
VoIP: Don't forget about security
IP calls could open up your network to a world of pain
By Danny Bradbury
Published: Tuesday 9 August 2005
VoIP has many upsides but moving your telephony system to a packet-based
network could leave you at the mercy of hackers. Danny Bradbury looks at how to
properly secure a corporate IP telephony system against known and unknown
threats.
Voice over IP (VoIP) calls offer the twin benefits of cost and convenience
but there are dangers associated with moving your telephony system onto IP
networks: it potentially opens them up to hacking, with disastrous results.
Commentators like Paul O'Reilly, director of sales for VoIP EMEA at network
monitoring company NetIQ, say VoIP is really just another application on the
network. This turns security experts such as Mike Murray, director of
vulnerability and exposure at vulnerability management company nCircle, a
strange shade of pale.
"You are now deploying a second computer on everyone's desk in the
whole network," he says, describing the use of IP phones. "Does that
change your security posture? Well, sure it does." Most IT security
departments he knows are already overworked.

Running your telephony service over IP makes it one of the most
mission-critical IT applications you own. Most medium-sized organisations can
survive for a while if line of business applications fail but if your
telephones are down, everyone may as well go home. And moving telephony to an
IP network makes it vulnerable to different types of attack.
Denial of service attacks, where someone tries to hit your telephony server
repeatedly with traffic, can theoretically stop a company using its VoIP system
but there are other more insidious attacks, too. "It means that any box on
your entire system that gets compromised can be potentially used to start
tapping phones," says Murray.
VoIP users who don't properly protect their networks can look forward to
attacks such as on-hook listening, where hackers surreptitiously turn on an IP
phone's speaker capability to eavesdrop on your office. Or they could
theoretically eavesdrop on VoIP traffic travelling across the network.
"I'm waiting to see the security tool which is a network packet
sniffer that reassembles packets on the fly," Murray says. Or, if you'd
really like something to keep you awake at night, think about hackers
compromising the phone system and using your VoIP network to make free calls to
external numbers.
Companies have to work out the threat and risk to their voice applications,
says Paul King, Cisco UK's principal security consultant. Cisco breaks VoIP
policy down into four areas: infrastructure, call control, the phones
themselves, and components at the application level. He advocates the use of
application firewalls to check that, for example, communications coming into
its Call Manager application are using the right signalling protocols. For IP
phones themselves, the company uses digital certificates to encrypt traffic and
authenticate endpoints.
NetIQ's O'Reilly adds that security managers should use common sense
practices, such as disabling advanced facilities on IP phones located in public
areas such as the company foyer.
At the call control level, King argues that Cisco's Call Manager
application is protected with intrusion prevention software, and serves as a
secure control hub for the IP phones. That may be true but the company did
patch a major security flaw in the product in July, which could make customers
nervous.
The answer to such problems is to make use of multilayered security. At the
infrastructure level, for example, logically partitioning voice traffic into a
VLAN is a good way to help protect it from attacks that may take place over the
data network.
This logical partitioning is a key security tool for Aidan Hancock, network
manager at UK radio giant GCap Media. The company, formed from the merger of
Capital Radio and GWR earlier this year, uses the firm's nationwide network to
send broadcast signals to regional areas and to handle VoIP information, too.
To secure the network, Hancock puts access controllers in his
infrastructure to separate voice traffic onto its own LAN and uses quality of
service technology to filter out denial of service attacks. Before the
overhaul, the company's network was badly hit by the Blaster worm, which
flooded routers with junk packets.
"QoS [quality of service] is a key enabler when securing the network
because we define certain types of traffic that are most likely to be generated
by worm attacks, rate limiting those right at the edge of the network," he
says. "You can throw a huge amount of junk at the router but quality of
service lets you carry on without dropping any voice packets."
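The two mechanisms Hancock describes, classifying traffic at the edge, rate limiting the class most likely to be worm noise, and letting voice through regardless, can be shown in a small model. The following is an added illustration written for this page, not code from the article or from GCap Media: a time-slotted link that either forwards packets first come, first served (no QoS) or polices the junk class and serves voice first. The packet stream, the sizes and rates, the DSCP marking and the port-based "junk" classifier are all constructed assumptions.

```python
"""Edge rate limiting of worm-style junk plus priority for voice.

Added illustration, not code from the article or from GCap Media. It is a
time-slotted model of one link that either forwards packets first come,
first served (no QoS) or classifies at the edge, polices the class most
likely to be worm noise, and serves voice before everything else. The
packet stream, sizes, rates and the "junk" classifier are constructed
assumptions chosen to make the effect visible.
"""
from collections import Counter
from dataclasses import dataclass

SLOT = 0.010                 # scheduling interval in seconds (assumption)
LINK_BYTES_PER_SLOT = 1250   # 1 Mbit/s link carries 1250 bytes per 10 ms (assumption)
JUNK_BYTES_PER_SLOT = 640    # edge policer: junk class capped at 640 bytes per slot (assumption)
JUNK_PORTS = {135, 4444}     # destination ports the classifier treats as worm-likely (assumption)
DSCP_EF = 46                 # Expedited Forwarding, the usual DSCP marking for voice
PRIORITY = {"voice": 0, "data": 1, "junk": 2}


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time in seconds
    size: int       # bytes on the wire
    dscp: int
    dst_port: int


def classify(pkt: Packet) -> str:
    """Edge classification: voice by DSCP, junk by port, everything else data."""
    if pkt.dscp == DSCP_EF:
        return "voice"
    if pkt.dst_port in JUNK_PORTS:
        return "junk"
    return "data"


def make_stream(duration: float = 0.2) -> list:
    """Constructed traffic: 50 pps of 200-byte EF voice under a flood of
    64-byte packets at 10,000 pps aimed at a worm-favoured port."""
    pkts = []
    for s in range(round(duration / SLOT)):
        base = s * SLOT
        for i in range(100):                 # 100 junk packets per 10 ms slot
            pkts.append(Packet(base + i * 0.0001, 64, 0, 135))
        if s % 2 == 0:                       # one voice packet every 20 ms
            pkts.append(Packet(base + 0.005, 200, DSCP_EF, 16384))
    return sorted(pkts, key=lambda p: p.t)


def forward(stream: list, qos: bool) -> Counter:
    """Run the stream through the link and return per-class forwarded/dropped counts."""
    stats = Counter()
    n_slots = int(stream[-1].t / SLOT) + 1
    for s in range(n_slots):
        in_slot = [p for p in stream if s * SLOT <= p.t < (s + 1) * SLOT]
        if qos:
            # 1. Police the junk class at the edge, before it reaches the link.
            junk_budget = JUNK_BYTES_PER_SLOT
            admitted = []
            for p in in_slot:
                if classify(p) == "junk":
                    if p.size > junk_budget:
                        stats["junk_dropped_by_policer"] += 1
                        continue
                    junk_budget -= p.size
                admitted.append(p)
            # 2. Strict priority: voice is served first, junk last.
            in_slot = sorted(admitted, key=lambda p: PRIORITY[classify(p)])
        budget = LINK_BYTES_PER_SLOT
        for p in in_slot:                    # FIFO within the chosen order
            cls = classify(p)
            if p.size <= budget:
                budget -= p.size
                stats[f"{cls}_forwarded"] += 1
            else:
                stats[f"{cls}_dropped"] += 1
    return stats


if __name__ == "__main__":
    stream = make_stream()
    for label, qos in (("no QoS (FIFO)", False), ("edge policing + priority", True)):
        print(label, dict(forward(stream, qos)))
```

Without the policy every voice packet in the stream is lost behind the flood; with it the junk class is cut to its allowance at the edge and all voice packets are forwarded, which is the behaviour the quote describes. The model leaves out queueing delay and the router's own CPU load, both of which are further reasons to police at the edge rather than at the core.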
Handling current threats such as denial of service attacks is relatively
easy because companies know what they are dealing with. The difficulty comes in
preparing yourself against hypothetical attacks.
Spam over VoIP may not be here yet but it is a future possibility, says the
Internet Engineering Task Force (IETF).
This is because many VoIP systems use the Session Initiation Protocol
(SIP), which provides addresses for IP telephony users in the same way email
servers provide addresses. Just as spammers can use dictionary attacks to harvest
email addresses for spam, so they can harvest SIP addresses from servers within
an organisation, simply by trying to call them and seeing what happens.
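The harvesting technique described above leaves a recognisable trace in a SIP proxy or registrar log: one source sending requests to many distinct user parts in a short time, most of them answered 404 Not Found. The following is an added example written for this page, not code from the article or from the IETF work it cites; the log format, the sample lines and the addresses are constructed (a real proxy's format differs, so `LINE_RE` would need adjusting), and the thresholds are assumptions.

```python
"""Detecting SIP address harvesting from proxy or registrar logs.

Added example, not code from the article or from the IETF work it cites.
A harvester that "tries to call them and sees what happens" leaves a clear
trace: one source sending signalling requests to many distinct user parts
in a short time, most of them answered 404 Not Found. The log format below
is a constructed one (a real proxy's format will differ, so LINE_RE would
need adjusting); the sample lines and addresses are constructed too.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: <ISO timestamp>Z src=<ip> <METHOD> <Request-URI> SIP/2.0 -> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) (?P<method>[A-Z]+) "
    r"sip:(?P<user>[^@\s]+)@(?P<domain>\S+) SIP/2\.0 -> (?P<status>\d{3})$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
PROBE_METHODS = {"INVITE", "OPTIONS", "REGISTER"}   # requests that can be used to test whether a user exists


def parse(line: str):
    """Return a dict for one log line, or None if it is not a SIP request record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_harvesting(lines, window=timedelta(seconds=60), min_targets=10, min_not_found=0.8):
    """Flag each source that, inside `window`, probes at least `min_targets`
    distinct users with at least `min_not_found` of the probes answered 404."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] in PROBE_METHODS:
            by_src[rec["src"]].append(rec)

    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        lo = 0
        for hi in range(len(recs)):            # sliding window over this source's probes
            while recs[hi]["ts"] - recs[lo]["ts"] > window:
                lo += 1
            span = recs[lo:hi + 1]
            targets = {r["user"] for r in span}
            not_found = sum(1 for r in span if r["status"] == 404)
            if len(targets) >= min_targets and not_found / len(span) >= min_not_found:
                alerts.append({"src": src, "targets": len(targets), "probes": len(span),
                               "first": span[0]["ts"], "last": span[-1]["ts"]})
                break                          # one alert per source is enough
    return alerts


def sample_lines():
    """Constructed log: one host sweeping extensions 1000-1014 with OPTIONS,
    and one legitimate caller ringing two real extensions."""
    base = datetime(2005, 8, 9, 10, 15, 0)
    real_users = {"1003", "1010"}
    lines = []
    for i in range(15):
        user = str(1000 + i)
        status = 200 if user in real_users else 404
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{ts} src=203.0.113.7 OPTIONS sip:{user}@pbx.example.com SIP/2.0 -> {status}")
    for i, user in enumerate(("1003", "1010", "1003")):
        ts = (base + timedelta(seconds=30 + 20 * i)).strftime(TS_FMT)
        lines.append(f"{ts} src=198.51.100.5 INVITE sip:{user}@pbx.example.com SIP/2.0 -> 200")
    return lines


if __name__ == "__main__":
    for alert in detect_harvesting(sample_lines()):
        print(f"possible SIP address harvesting from {alert['src']}: "
              f"{alert['targets']} distinct users in {alert['probes']} probes "
              f"between {alert['first']} and {alert['last']}")
```

The legitimate caller rings only two real extensions and is never flagged, while the sweeping host trips the alert as soon as ten distinct users have been probed with nine of them unknown. The same counters are a good basis for a proxy-side response such as rate limiting that source, and the 404 ratio is what separates a harvester from a busy but legitimate trunk.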
The IETF believes VoIP spam would be three orders of magnitude cheaper than
traditional telemarketing, because of speed, capacity and call cost.
However, VoIP spam is unlikely to be a problem right now because many
companies, including GCap, have closed off their VoIP networks to the outside
world. Although you can reach them from a conventional PSTN phone, you cannot
make a SIP call to their internal handsets from an external VoIP system.
This may be effective but it is leading to the balkanisation of internet
telephony services and moves the world further away from the dream of
anywhere-to-anywhere SIP-based VoIP calls.
We are at the same stage with VoIP today as we were with corporate data
networks 15 years ago, when some companies decided not to connect to the
internet for security reasons, according to nCircle's Murray.
"Systems generally seem to move from closed to open, and from being
competitive and isolationist to co-operative," he says. "I would
imagine that VoIP will follow the same model."
But until companies understand the
intricacies of building security into their VoIP networks, things are likely to
remain closed for the foreseeable future.

VoIP handsets: Greater choice means greater complexity
By Ben King
Published: Monday 1 August 2005
It used to be that handsets came as part of any IP telephony system. But
with the advent of SIP, businesses have a number of options to choose from. Ben
King tells you what to look for in this key VoIP component.
Handsets usually make up more than half the cost of buying a new office
phone system but they generally get less than half the attention.
It used to be that once you had bought a private branch exchange (PBX) from
one company, you had to buy phones from the same people if you wanted advanced
features like voicemail to work. A cheap generic phone might give you a dial
tone but little more.
As session initiation protocol (SIP) becomes more widely adopted for IP
telephony, any compliant IP phone should be able to work with any compliant
PBX, at least for the vast majority of functions. This gives buyers much more
flexibility about the hardware they can choose but it also brings a whole new
set of complexities to the process of choosing phones.
Mark Herbert, CEO of managed services provider intY, which uses
SIP-compliant handsets and PBX from Zultys, says: "Using VoIP, for the
first time you could go to an open standard. You weren't locked into a really
expensive future model. We didn't want to get locked into a proprietary
technology."
"The open standard thing was most attractive - I would never want to
get locked into a single system," he adds. "If the Zultys system was
no good we could switch it out, and still use the handsets with something
else."

Organisations now have a wide range of phones to choose from. New vendors
such as Zultys and Snom have joined the market previously dominated by
decades-old players such as Alcatel, Nortel and Siemens.
The cheapest phones, such as Grandstream's charmingly named Budgetone, sell
for less than £50, while Cisco's mighty 7970 with colour screen sells for $695.
Most major manufacturers have SIP on their roadmaps for some point in the
future but interoperability can't yet be taken for granted. For example, Cisco
phones can work with IP-compliant PBXes but its PBXes won't work with phones
from other vendors.
SIP is coming in the next version of Cisco's Call Manager IP-PBX system,
which should arrive in the first half of 2006, according to the company.
Alcatel offers some interoperability but some phones may need a firmware
upgrade to become fully SIP compliant.
At the moment, says Nigel Jones, general manager at Alcatel, this kind of
compatibility is not the priority for his customers. Many of them will be
looking to install an IP-based PBX to run alongside an existing PBX, and it's
the compatibility between these two that they will value most. "They want
the assurance that they have the functionality from the old world with the new
world," he says.
It's true that SIP is still in the early days of its development. Some of
the standards for the more advanced SIP-related features are not yet fully
baked, so it's too early just to assume that any SIP-based handset will work
with any SIP-based PBX. More advanced features are particularly likely to
suffer from compatibility issues.
Sadly, it's these features which make up much of the rationale for
switching to VoIP for many companies. "You can't sell it on cost at the
moment," says intY's Herbert. "But if you have home workers they can
be part of the call centre group. It brings them right into the system - it
works really well."
Other simple applications might be an internal directory - the ability to
look up anyone in the company from a conference room phone, for instance. The
range of possible uses for these devices is almost limitless. Brunel University
is providing students with colour-screen Cisco handsets which display
advertising; the Sheraton Hotel in Krakow, Poland offers room service and
wake-up calls to its guests on a similar system.
Choosing which features a business needs will be an important part of
making a handset and PBX choice. If they just want a phone to speak into, then
the very simple, low-end handsets might do the job very well.
If they are looking to deliver sophisticated XML-based apps to the phones,
or even use them to replace PCs entirely, then the higher-end options will do
better.
However, businesses should consider the future, too. XML-based apps might
not fit into this year's budgets but two years down the line they may do.
John Delaney, principal analyst at research company Ovum, says: "If
you are just investing in IP to save money, then you might go for the cheapest
devices. But you have to consider the longer term potential to bring out new
and innovative communication services."
Of course, wireless VoIP phones are becoming increasingly popular. They
appeal to many companies for employees such as desktop support workers, who are
constantly moving from desk to desk and would otherwise have to use a mobile.
So-called soft phones which run on a PC are also taking off as they mean a
company doesn't have to pay for a separate handset at all.
Many companies may end up using systems from several different vendors but
this brings a separate set of problems.
Managing different desktop phones won't be as hard as keeping track of
smart phones, laptops and PDAs but it will be harder than managing existing
phones - particularly as sophisticated new devices will require more regular
firmware upgrades.
Some firms are building enhanced internet-based management consoles onto
their phones, to make this task simpler but with multiple vendors, the headache
will increase.
Margaret Hopkins, associate at research company Analysys, says:
"Manageability is something that is still being addressed in the context
of SIP. There are bound to be ongoing upgrades."
The coming of SIP, and greater interoperability and choice in the phone
market will mean an end to the exaggerated prices PBX vendors have charged in
the past for their high-end fully featured phones.
Sadly that freedom isn't as total as it
might first appear. Greater choice brings greater complexity, and IT managers
will have to think carefully about the features they want from both handsets
and PBXes when making their IP selections.

Pru calls in VoIP to improve customer service
By Steve Ranger
Published: Tuesday 21 June 2005
Financial services giant Prudential plans to cut its costs and improve
customer service with a major rollout of voice over IP technology.
The company outsourced its voice and data networks to BT in November last
year and is now in the process of moving its call centres over to VoIP
technology.
Prudential UK's CIO John Worth told silicon.com: "What we've done is
outsourced our voice and data network to BT and taken the opportunity to
transform the network at the same time."
Worth said Prudential will be one of the first organisations with call
centres in multiple locations - including one in Mumbai - to move to VoIP:
"It's a big and interesting step for us and the industry."
The first call centre will move over in July to August on a pilot basis. If
that is successful the next stage is rolling out its Cisco technology to the
others in the latter part of the year.
"The main advantage will be in terms of customer experience. What we
felt VoIP could give us is that the customers will be left holding on the line
for less time and there is more chance that [it will be answered] by someone
who can deal with their policy details," Worth said.
Prudential plans to check the number the customer calls in on against the
numbers in its policy records to direct the call to the right operative more
quickly, so that fewer calls will be answered and then handed over to other
people in the organisation.
"It is very important that people are kept waiting for as little time
as possible," Worth explained.
As well as improving customer satisfaction the new network should cut
costs: "Over the period of the deal we found this was going to cost less
than running the networks internally," Worth said, predicting a five to 10
per cent saving over the life of the deal.
The new infrastructure will also open up the potential for homeworking in
"the fullness of time", he said.
Instead of staff coming into a call centre they could work from home with
both data and voice piped to them. "It gives us a lot of
flexibility," he said.
The network developments follow moves by Prudential to introduce a layer of
service-oriented architecture middleware across its underlying systems to
provide a new front end for the customer service team, again aimed at improving
the customer experience.
Previously when a customer called into a call centre with a query on a
policy the call centre operative would have to go into the contract engine for
that type of policy.
The contract engine, a green screen-style application, was hard to read and
if the customer had another query on a different policy they would have to
close down that contract engine and go into a different one, all of which was
time-consuming.
The 4Front application which Prudential has developed now gives staff an
easier-to-understand view of the contract engine and the ability to answer
multiple queries without opening up lots of different systems.
And Worth said the work is unlikely to stop
there: "Like any financial services company we've got a huge amount of
legacy systems and work processes that we are looking to simplify, perhaps
through using middleware."
Leader: Fear BT
It's got one thing the other VoIP players don't...
Published: Thursday 16 June 2005
BT's Bluephone was launched
yesterday, under the brand name Fusion - a
landline/mobile combination that will use GSM when one is out and about, and
broadband when at home. Is this the start of the IP revolution? And should the
likes of Skype and Vonage be quaking as the behemoth that is BT wades into
their market?
On the pricing front, it seems the IP players win hands down. For consumers
looking at VoIP who have no relatives living abroad, the per-month fee or free
PC-to-PC calls offered by Vonage and Skype are likely to be cheaper and less
complex to work out.
BT isn't being generous with their free minutes bundles and those using the
VoIP service to call other mobiles will end up paying mobile-to-mobile rates.
Unless you're one of that dwindling number of people who purely call landline
to landline, the service promises one-handset convenience - but not much else.
So, in some ways, Niklas Zennström et al shouldn't need to think twice
about the new boy in the field.
But don't be placing your bets so soon: BT could still come out of this the
winner. The incumbent may be late to the party, it might not have the best
offering yet but BT has one key thing that Vonage and the rest don't - a huge
existing customer base to market it to.
BT said yesterday it will be pushing the service to its 1.5 million-plus
residential customers and is fairly likely to do the same with its wholesale
customers in time. Meanwhile the vast majority of those people don't know their
Skype from their elbow.
BT has slapped its brand - a familiar if not loved brand - all over VoIP.
For the non-techie, it's all a bit advanced - 'just imagine, we can make
telephone calls over the internet!' - and therefore a little scary. Going with
a telecoms stalwart like BT is one way to chase those technology demons away.
And BT is playing up to that. While Skype's website sells itself as
"internet telephony", BT is couching the consumer in a big fluffy
world of friendly terms. Fusion isn't VoIP, it's an "intelligent mobile
service". That's not a wireless router in your living room, no - it's a
"home hub".
So, once again, BT sweeps all before it and Skype is doomed? Nope.
VoIP may be odd to most people now but it's
just a matter of a few short years before it will be the norm and your granny
will be doing price comparisons on her IP service provider. And if BT doesn't
rethink its pricing strategy, those self-same grannies will happily go off to
Skype or whoever is cheapest.
Quocirca's Straight Talking: Telecoms regulation explained
How does it affect businesses?
By Quocirca
Published: Thursday 16 June 2005
Quocirca's Elaine Axby demystifies the often complicated world of
communications regulation - and explains why it's more important than ever for
business users to shop around before choosing service providers.
The telecoms regulatory 'machine' is a vast one; UK regulator Ofcom's
budget alone exceeds £100m and most telcos and larger internet service
providers employ swathes of people across Europe, hoping to influence their
national regulators and the European Commission.
To understand why this area attracts so much attention and the likely
impact on business users, we need to look at some recent history and appreciate
the mechanics of how the regulatory process works.
Telecoms markets have been opened up across Europe since 1999 and
competition has developed. In the UK, large business users have benefited but
competition has been slow to filter through to smaller businesses and outside
major population centres. Regulation sets out to allow as much freedom as
possible for operators to put together innovative services for customers whilst
forcing BT to open up its network and give new entrants wholesale services to
allow them to compete. Both of these concepts - reducing retail regulation and
improving wholesale services from BT to its competitors - have a bit of a
chequered history.
Historically, all of BT's retail services for business and residential
consumers have been subject to regulation. Today this regulation is applied to
a relatively narrow set of BT's services. Other services such as national and
international virtual private networks and data services such as frame relay
are free of retail regulation, as are all international calls for businesses.
The freedom given to BT should allow it to be more competitive and other
suppliers should respond.
On the wholesale side, progress has been made in giving BT's competitors
access to the incumbent's network but getting that access is often dragged down
into trench warfare that takes years to get anywhere. For example, BT has been
obliged to offer its basic line rental on a wholesale basis for almost three
years now but any large scale competitive offers have had to wait for a final
'fit for purpose' wholesale offer available in January this year. Why the
delay? You might well ask. BT would say it takes time to get these things to
market. Competitors would say the offer isn't good enough - often it's the
operational process such as ordering and fault reporting which give the biggest
problems. Ofcom continues to work with industry to get these processes right.
The question therefore is: have business users got a better deal as a
result of this deregulation? In many ways, yes - there's clearly much more
choice and a better deal for many, particularly in the larger enterprise space.
But it's still not good enough - the Communications Managers Association in its
response to an Ofcom consultation in February this year clearly says
competition isn't working. Ofcom's own research indicates that businesses think
that regulation does hamper negotiation when it comes to big contracts and BT
still gains between 40 and 70 per cent of such contracts, depending on the
types of services tendered for.
What should buyers of telecoms services be looking for now? Certainly, you
should keep under very strict review your calls budgets - smaller businesses
could very likely benefit from moving all of their calls to one of the newer
calls providers. Since the deregulation of international business calls last
year, these should be cheaper too - again, shop around. Smaller businesses
should also start looking at potential alternative suppliers for line rental
services, although the savings aren't huge - around 10 per cent seems a typical
figure.
Voice over IP (VoIP) services are also fast gaining ground and here
businesses need to lobby Ofcom to get its act together. There is a regulatory
discussion going on about IP and so-called 'next generation networks'. Despite
a huge amount of business interest in VoIP - Quocirca research towards the end
of 2004 found that more than 90 per cent of businesses are either using it
already or think they will at some stage - the regulatory discussion in next
generation networks is rather tentative. Regulators are unsure as to how to
match new networks with the traditional regulatory model and how in the long
term they might be regulated.
There might still be further deregulation of retail markets - but don't bet
on it in the near term. BT is still restricted in its ability to offer
discounts across the full range of services but further deregulation here will
need more consultation, so don't expect much more progress until 2006.
On the mobile side, there is virtually no regulation of retail prices paid
by consumers. The wholesale price paid by other operators for calls to mobile
phones has been strictly regulated for the past few years, and has driven these
prices down. An area of concern remains the price of mobile calls made abroad,
the so-called 'roaming' prices. Regulators have struggled for years to find a
way of addressing high charges for roaming.
The underlying problem is the need to bring down the wholesale prices
operators charge each other but here regulators can only affect the prices
being charged in the home country and this doesn't benefit the home subscribers.
Ofcom could force mobile operators in the UK to reduce the prices they charge
overseas networks but it has no power to get overseas operators to do the same
so that prices for consumers in the UK can come down. This issue is now being
studied at the European level but it's been slow progress so far and there is
no easy solution on the cards.
So what should IT managers do to use the regulatory regime to their
advantage? Certainly, contribute wherever possible to the regulatory debate to
ensure that user needs are at the forefront of regulators' thinking, in
particular in the IP world. The regulator also needs to be encouraged to make
some effort to improve the information available to customers - an increasingly
competitive market also tends to bring greater confusion and less clear
offers.
From a commercial perspective, it pays to shop around. Over the next year
or two, alternative suppliers should be able to offer a better deal on a wider
range of fixed services, incorporating line rental and calls. BT's announcement this week of a converged
fixed/mobile service, 'BT Fusion', might lead to
more packages of this type being available for businesses.
Those operating on a pan-European level should find some greater
consistency in the services enabled by regulation - the obligation on incumbent
operators to rent lines to competitors is gradually spreading out to most of
Europe, for example. However, don't expect an explosion of line rental offers
in the very short term - alternative providers are still finding lots of
problems with operational issues and are somewhat wary of promoting large scale
take-up.
The regulatory regime does matter -
enabling competition allows innovation to develop, and prices do come down.
It's a hard slog however, and choice puts an obligation on customers to check
out what is there.
Leader: It's time for VoIP to prove itself
Needs to be secure and stable to impress CIOs...
Published: Thursday 2 June 2005
Analysts are saying voice over IP will be mainstream in enterprises within three years and the technology is ready for the big time.
'So what's new?' you might ask. After all, the technology has been hyped
for at least five years.
What's new is the fact the market is - admittedly after much build-up -
growing out of the early-adopter-only stage.
Even the more cynical agree that whether VoIP takes off is not a question
of 'if' but 'when'. It could take up to 10 years, according to some, before it's
an accepted part of organisations' IT. But it will happen.
This opens up a whole new arena of questions for the technology. No longer
is talk just of its potential and promise.
At an industry conference this week, the focus was on real-life case studies,
return on investment, the business case, best practices and security - the same
issues that occupy CIOs and IT directors for any project they undertake.
VoIP has joined the ranks of ordinary IT and is thus subject to the same
scrutiny as a web server or database. The issues of stability, performance and
security are now front and centre, alongside the age-old motivator of cost
savings.
The technology's clearly got the name
recognition - now it's got to prove itself as a valuable tool for businesses.
Leader: The VoIP evolution
Rate of change is picking up speed...
Published: Friday 15 April 2005
Technological change is rarely sudden. More often it's a gradual, continuous
process – an evolution, one might say.
When it comes to sending voice packets over Internet Protocol networks –
aka IP telephony or, more often nowadays, voice over IP or VoIP – it's no
different.
Years ago when VoIP was first hyped, the pragmatists said not to get too
upset, it's not as if one day you'll pick up your telephone and it will stop
working. When VoIP takes hold, they said, you may not even notice. It'll be on
the back end and you'll continue to make calls in a familiar way at work or at
home – they'll simply be routed in a new way.
Now that, as silicon.com has argued, VoIP has come of age, we're seeing the rate of VoIP evolution pick up speed.
This week saw a number of new developments.
The reigning 'softphone' Skype launched two new paid-for features, bringing the VoIP application to the level of competing, though technically
quite different, services from Vonage and AOL. Skype users can now buy phone numbers for others to call them on and use
voicemail like the rest of the telephony world. These are added to the ability
they've had for some time to call standard telephones from their computers.
On the business front, Colt Telecom announced a VoIP service billed on a
flat fee basis. This not only simplifies billing but means companies, at least
according to Colt, can say goodbye to buying and maintaining PBX systems, if
they so choose.
A key to VoIP's development has been the relative lack of regulation
compared to what the telecoms incumbents face. More and more industry figures
have come out against regulation. This week, Icann chairman Vint Cerf joined in a chorus which already includes (predictably) Skype CEO Niklas Zennstrom.
But it's not all good news. The VoIP
evolution has its share of challenges to overcome – including the dreaded
security concerns, which Cisco, Juniper and IBM are facing with claims that some of their VoIP equipment has
denial-of-service vulnerabilities. It's all for
the best, though. If Darwin is to be believed, the most adaptable of the
species will survive and pass on their traits to the next generation.