The surfacing of a pair of flaws in Cisco's CallManager IP telephony servers last week raises the hot-button issue of how to secure enterprise VoIP networks from attacks. But one industry expert says the threat of an attacker or virus taking down a businesses IP PBX or VoIP network is more phantom than menace.
"There is a lot of hype about IP telephony security threats," says Lawrence Orans, principal analyst with Gartner, in a recent interview. For organizations that don't have network or security team members who are knowledgeable about voice/data convergence as well as security, "then IP telephony security can sound pretty scary," he adds.
Best practices for securing VoIP networks include disabling unnecessary services on devices running call control software, running VoIP gear along with firewalls and intrusion prevention systems, and keeping up with software and security patches and updates for VoIP hardware, software and server operating systems.
One Cisco VoIP flaw identified last week involved the potential for denial-of-service attacks to be launched against a CallManager server. In addition to upgrading CallManagers with software fixes, the vendor says that taking steps to more tightly control what kinds of traffic can access a CallManager server is another good precaution.
"By using access lists and rate limiting to control access to the Cisco CallManager, the risk of successful attack is greatly reduced," Cisco said in its bulletin last week.
While holes can and will pop up in VoIP gear from all makers of IP telephony gear, from Cisco, to Avaya, 3Com and Nortel, "the bottom line is that IP telephony attacks are rare," Gartner's Orans says.
Converging voice and data allows for cost savings on administration and network maintenance, and provides potential productivity benefits of voice-enabled applications and unified messaging. "Enterprises that diligently use security best practices to protect their IP telephony servers should not let these threats derail their plans."