We don't profess to know what all -- or even most -- of these things do, but we're happy just the same to see that the VOIP Security Alliance has released a package of security tools to protect Internet telephony networks.
It's possible to guess from the names what most of the categories are aimed at. VoIP sniffing tools, for instance, capture packets and inspect them. Another well-named tool is fuzzing. This software gauges the reaction when a VoIP system is fed slightly malformed packets. The reaction helps engineers and designers improve security.
This is mostly good, but not completely. The fly in the ointment is that these tools are just as valuable to the bad guys as the good. The vulnerabilities that can be found by fuzzing, for instance, can just as easily be exploited as fixed.
And so goes the battle between crackers and hackers, white hats and black. We have to admit it's fun to watch. Though it involves a different security area, consider the position taken by Immunity, the makers of a Wi-Fi detection tool. The company understands its product potentially is just as valuable to crackers (bad hackers) as good, so they try to sell it only to the upstanding VoIP citizens. That's not too reassuring -- and indicative of a dynamic and interesting market.
Entertainment value aside, everyone agrees that this is a deadly serious business, though some think that the dangers of VoIP may be a bit overhyped. The accepted logic is that the legacy telephone network is "taxi tested tough," as the car ads used to say. Considering its size and scope, it is thought to be relatively secure. VoIP is cheaper, more flexible, but liable to all the slings and arrows that can befall a data network. Indeed, it may be liable to even more, since the potential for social engineering attacks figures to be great in a voice network. All in all, only the most partisan wouldn't concede that VoIP involves a higher level of risk than time-division multiplexed (TDM) networks.
It seems, however, that VoIP vendors and others in the industry are working hard to narrow the credibility gap. Taxonomies of VoIP security tools exist elsewhere. This version -- which is as accessible as something as geeky as this is likely get -- clearly is a step in the right direction.