Leading computer security and telecommunications companies said they are joining forces to raise awareness of threats to VOIP (voice over Internet Protocol) technology.
The VOIP Security Alliance will disseminate knowledge of VOIP security risks through discussion lists, white papers and research projects. The group hopes to spur adoption of VOIP by promoting best practices for companies that adopt VOIP, and by warning organizations of threats to VOIP, including spam and denial of service (DOS) attacks, according to Dave Endler, director of digital vaccine at TippingPoint, a division of 3Com.
The new group is the first cross-industry association that is focused on VOIP security. It includes players in the VOIP market, such as Avaya and Alcatel, security technology vendors Symantec, as well as TippingPoint.
One goal of the group is clear up misconceptions about the technology, which allows voice conversations to be transmitted over the Internet. One misconception the group will try to dispel is that deploying VOIP is the same as deploying traditional data networks, Endler said.
"There's this idea that you don't need to do anything different after you install VOIP applications," he said.
However, VOIP introduces new requirements for IP networks, including a higher premium on quality of service so that voice conversations are intelligible, and on the privacy of voice data sent over the network, Endler said.
Deploying VOIP also raises the stakes for network outages, including DOS attacks, because organizations lose voice as well as network services in such attacks, he said.
"Imagine not being able to dial 911 -- or imagine a 911 call center (that uses VOIP) inundated with VOIP spam," Endler said.
The group will research and distribute information on VOIP vulnerabilities and promote VOIP security tools.
For example, the VOIP Security Alliance is backing research into VOIP security tools, including a "fuzzer" for SIP (Session Initiation Protocol), a VOIP communications protocol. The tool will be able to test SIP for weaknesses and vulnerabilities that could lead to attacks, Endler said.
The group will also promote best practices for deploying VOIP, such as configuring VOIP gear and separating voice data from other data on so-called "converged networks," he said.
Membership to the VOIP Security Alliance is dominated by companies, but is open to individual researchers and university research groups, as well as VOIP enthusiasts who are experts in the technology, Endler said.
While many leading VOIP players have already joined, some major players in the space, including network gear maker Cisco Systems and Juniper Networks, are not listed as members.
But Endler says the group can succeed even without the backing of major technology vendors by becoming a reliable source of information and advice on VOIP security issues. He likened the group to the Open Web Application Security Project, a volunteer group that produces tools, documentation and standards for Web application security.
Individuals interested in joining the VOIP Security Alliance or subscribing to a VOIP security discussion list can visit the group's Web site: www.VOIPsa.org.