Network Communications News (NCN) December 2016 | Page 28
SPECIAL FEATURE
IP security
Closing the VoIP Security Gap
Paul German, CEO of VoipSec, examines the issues around securing VoIP applications.
Paul German, CEO of VoipSec, says the industry needs to up its security game for VoIP applications.
Despite voice becoming just another application, the security industry has failed to keep up in ensuring the security of this new application. Indeed, there seems to be confusion over where the responsibility for the security role should lie: is it with the VoIP and UC vendor, or should it be left to the security functions who provide policies and procedures for all other network applications?
In reality, however, this decision was already made when, as an industry, we started deploying email and web applications to deliver a richer level of communication both internally and externally. It’s time we take stock of the lessons learned during the deployment and widespread adoption of these applications and apply them properly to voice.
The voice learning curve
Let’s cast our minds back 10 years or so. Of course, at the time, vendors of these web and email applications took security into consideration, but their main focus was always on the primary function of their application server. The lack of focus on the security function resulted in new attack vectors being exploited in ways that no one had anticipated.
The rise in breaches highlighted the need for solutions. There was a recognition that firewalls providing network access control were not sufficient to protect these applications, mainly because the sources of communications were not always known, so open rules had to be used, which in basic terms removed the very function the firewall was trying to provide.
And so security vendors, many of which were new start-ups, stepped up and started to deliver dedicated solutions that would provide targeted security for each of these applications, and the enterprise network architecture was updated to include a sanitisation area for these applications, which we have all come to recognise as a DMZ.
For both sides, this was a learning curve. Security vendors were gaining information from their customer breaches as well as their own research. In parallel, they began to provide regular updates to their security applications, enabling them to provide their customers with the latest updates to protect against common threats. This has now come to form the basis of the ‘defence in depth’ security models we use today and, although we are seeing this model adapt to our new ways of delivering applications, the very premise that we build walls with firewalls and inspect our application flows with proxies very much remains.
Security around VoIP has lagged
behind other communication platforms.