Dealing with SIP Dangers

Carl Weinschenk

Carl Weinschenk spoke with Eric Winsborrow, chief marketing officer, Sipera Systems.

 

Weinschenk: You suggest that the security landscape is fundamentally changing. How so?
Winsborrow: I'm seeing a couple of things. First of all, security around unified communications actually is becoming an issue in and of itself in circles where people do VoIP. At IT Expo in Florida, when there were panels on SIP security, it was a packed room. A lot of people wanted to hear independently what the issues are. That is happening in any show I go to. It is the first time I've seen them discussing it as a separate topic.

 

Weinschenk: So real-time communications is becoming the topic of the day.
Winsborrow: I think the big question is why is this happening. Why is there a transition to a conversation about anytime, anywhere IP security? The risks are increasing for the same reason they increased on the data side. You are taking a proprietary and isolated island of VoIP [and connecting it to others]. Back in the 90s when VoIP was starting, it really was just trying to replace 100 years of Ma Bell. Vendors created voice LANs. Each was in its own world; each was its own little island.

 

Weinschenk: From the security perspective, is the move to VoIP a revolution or an evolution?
Winsborrow: If you think about what started growing when the data world started, think of SMTP or Web services. It started opening up to the Internet. But they also were vulnerable protocols. Now you've got enterprises taking what for several years were isolated VoIP deployments and creating unified communications. SIP trunking created an IP-based protocol for real-time communication. The first movement is opening the network, and one way to do this is trunking.

 

The other way it is opening is to mobile users. Now people are working at home and extending IP phones into the home. The final thing people are doing is starting to use softphones on laptops. Each of those essentially extends the network beyond the nice closed environment, because using laptops with softphones has risks that are not just to the voice network. Hackers can go after data. The other big thing in unified communications is now we have Microsoft coming in with OCS. It's a huge deal and revolutionized the way of approaching user-centric communications. They are approaching it as they approached Office. Anytime Microsoft comes into an industry, you prick up your ears. They are going after things the way they have always done it, just with this new angle.


 

Weinschenk: Where does the Session Initiation Protocol fit into all this?
Winsborrow: People don't want to just be stuck with one vendor's stuff. They want choices. Microsoft is coming on in a much more open fashion. There are their softphones or third-party SIP phones. The only way to do that and make it more open is to pick a protocol that everyone is going to use. That's SIP. Cisco recently released SIP products. Avaya has SIP; Nortel is moving into the high end. The rest will come soon. Now it's mainstream in vendor releases. SIP was actually created in the 90s based on SMTP and HTTP. Those are nice, but were developed in a world where not nice things are done. SIP is the SMTP of voice, and can be victimized by hacking, phishing and spoofing.

 

Weinschenk: Is the emergence of SIP a good thing?
Winsborrow: The good news is that it is open and easy to program. The bad news is that it is open and easy to program. Many people are aware of this and ask if they are at risk in the SIP world, and the answer is yes. The answer is don't stop, but take precautions. It just used to be port 80. Now there are two to the power of 16 ports for media. You can't use traditional means like firewalls.

 

Weinschenk: At the highest level, what should people do?
Winsborrow: I think the best thing they can do is follow VoIP separately. It is completely different than data because it's real time. Having said that, the analogies I brought up to the data industry are valid. They just manifest themselves differently. The answer is that you have security best practices for data. Now it is time to start applying them to VoIP and unified communications.

 

Weinschenk: More specifically, what can be done?
Winsborrow: There are really several things you can do. First is to perform a unified communications vulnerability assessment to identify VoIP risks. Do penetration testing if you can. Find experts like us - VIPER - or other experts in SIP and VoIP, and do vulnerability assessments. Employ strong policies that touch on what kind of devices are on the network, who has access, and whether or not the company wants to do encryption. The third thing is to police the connection points. Just like data, you need SIP versions of firewalls. Minimize the number of open ports. Create policies and make rules around them. The fourth thing is to apply some level of security using devices that do DPI.

 

Weinschenk: This sounds familiar.
Winsborrow: It is just as you do for e-mail traffic or Web traffic. It's the same for VoIP. The only difference is that this is real time. E-mail can be delayed by a few minutes, but with voice you can't do that. There are a bunch of other security best practices. For example, keep patches up to date. When Cisco, Avaya [and other companies] announce updates, well, update your systems. Install a good system around security. You want to enforce strong authentication and encryption. Make sure users are real users, not some robot. You want secure APs, both wireless and wired. You may want to use a VLAN to keep data and voice separate.

 

Weinschenk: Are there any silver bullets?
Winsborrow: I won't call it a silver bullet but they may be the Golden Rules. Number one is to raise the risk profile in security groups around unified communications. The reasons unified communications was low priority don't exist anymore. The second golden rule is to look for people focused on real-time security, not those who see it as a feature of some broader solution. Just like in the data world, there is a whole industry - the Symantecs, McAfees and Check Points of the world - people who live and breathe security. You want to mitigate risks.


