Companies form security alliance for VOIP

Leading computer security and telecommunications companies said they are joining forces to raise awareness of threats to VOIP (voice over Internet Protocol) technology.

The VOIP Security Alliance will disseminate knowledge of VOIP security risks through discussion lists, white papers and research projects. The group hopes to spur adoption of VOIP by promoting best practices for companies that adopt VOIP, and by warning organizations of threats to VOIP, including spam and denial of service (DOS) attacks, according to Dave Endler, director of digital vaccine at TippingPoint, a division of 3Com.

The new group is the first cross-industry association that is focused on VOIP security. It includes players in the VOIP market, such as Avaya and Alcatel, security technology vendors Symantec, as well as TippingPoint.

One goal of the group is clear up misconceptions about the technology, which allows voice conversations to be transmitted over the Internet. One misconception the group will try to dispel is that deploying VOIP is the same as deploying traditional data networks, Endler said.

"There's this idea that you don't need to do anything different after you install VOIP applications," he said.

However, VOIP introduces new requirements for IP networks, including a higher premium on quality of service so that voice conversations are intelligible, and on the privacy of voice data sent over the network, Endler said.

Deploying VOIP also raises the stakes for network outages, including DOS attacks, because organizations lose voice as well as network services in such attacks, he said.

"Imagine not being able to dial 911 -- or imagine a 911 call center (that uses VOIP) inundated with VOIP spam," Endler said.

The group will research and distribute information on VOIP vulnerabilities and promote VOIP security tools.

For example, the VOIP Security Alliance is backing research into VOIP security tools, including a "fuzzer" for SIP (Session Initiation Protocol), a VOIP communications protocol. The tool will be able to test SIP for weaknesses and vulnerabilities that could lead to attacks, Endler said.

The group will also promote best practices for deploying VOIP, such as configuring VOIP gear and separating voice data from other data on so-called "converged networks," he said.

Membership to the VOIP Security Alliance is dominated by companies, but is open to individual researchers and university research groups, as well as VOIP enthusiasts who are experts in the technology, Endler said.

While many leading VOIP players have already joined, some major players in the space, including network gear maker Cisco Systems and Juniper Networks, are not listed as members.

But Endler says the group can succeed even without the backing of major technology vendors by becoming a reliable source of information and advice on VOIP security issues. He likened the group to the Open Web Application Security Project, a volunteer group that produces tools, documentation and standards for Web application security.

Individuals interested in joining the VOIP Security Alliance or subscribing to a VOIP security discussion list can visit the group's Web site:

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about 3Com AustraliaAlcatel-LucentCiscoJuniper NetworksSymantec

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Paul Roberts

Latest Videos

More videos

Blog Posts