Data and Telecom

Companies’ communications strategies must be agile in a rapidly evolving market

VoIP Security: A Bit of Protection Is Worth a Byte of Cure

Posted by Carl Weinschenk Sep 19, 2008 5:42:06 PM

VoIP has to a great extent avoided the wrath of hackers, crackers and other malware distributors. However, that good fortune is no reason to relax, said two CTOs who sat on an Interop panel, "Security Vulnerability in VoIP Products and Standards," this week in New York City.

The panelists -- Bogdan Materna of VoIPshield and Mark Collier of SecureLogix -- say that exposure to hackers and crackers will be limited as long as VoIP is primarily an internal communications tool. In the long run, however, enterprises should construct their systems with security in mind, since the day will come when hackers see stronger profit potential and go after the platforms. Materna and Collier both are CTOs and vice presidents of engineering of their firms.

Clearly, the industry is at an early phase in which crackers haven't seen a big enough payday to get motivated. "In reality, it's been pretty boring lately," said Collier. Despite the fact that things are going well today, potential dangers lurk from two directions: Crackers can launch denial of service (DoS) and other attacks against the underlying data structures just as they do to non-voice data systems. They also can go after the real-time elements of the VoIP platform.

The generic attacks are well understood and can be addressed by architecting systems carefully and employing firewalls, intrusion detection and intrusion prevention systems and other widely available tools.

The more specific attacks, which could be devastating, may be aimed at the Real-time Transport Protocol (RTP). RTP controls how audio and video packets travel through an IP network in real time. Materna's fear is that the universal use of RTP has created a monoculture reminiscent of Windows' control of the desktop. In such a scenario, a successful exploit would be far more devastating than a successful initiative against a protocol relied upon by only a portion of the traffic. Such a monoculture is likely to intrigue crackers. Said Materna:

"It is a class of exploits and vulnerabilities that can in the future cause big problems, but we haven't seen it yet."

A key to keeping things safe once crackers take aim is to do a proper assessment before rolling out a VoIP project. Judging the overall condition of the network and beefing up standard security infrastructure carries the side benefit of helping compliance initiatives, the panelists said. Proper assessments will uncover structural problems such as badly designed virtual local-area networks (VLANs) and poor separation between the voice and data elements of the network.

The panelists addressed encryption. Encrypting all voice communications would alleviate any concern. In reality, however, such widespread encryption may not be necessary until the crackers take full aim at the application. Encryption brings with it key management and latency issues and can make it difficult to work with third-party service providers who must do things such as examine packets to maintain quality of service levels, Collier says. In any case, it is necessary to encrypt both the data packets and the control stream that carries the keys.

The panelists seem to understand that no dramatic action is likely before a need arises. However, the panelists clearly think that good engineering practices can make such attacks less likely.
