VoIP Security, an interim status
Voice over IP (VoIP) is, from the day it had been introduced, a cool technology. The security implications of using VoIP were ignored, either because of ignorance, or deliberately, for a long time.
This situation is now changing due to a wealth of information, which is now becoming available for those who are interested in the technology and with the security of it. The understanding that security is a crucial part of any deployment of VoIP is gaining more grounds. For example:
- Media coverage
- The Voice Over IP Security Alliance (VoIPSA)
- SANS Top 20 Internet Security Attack Targets now includes VoIP
- Various books (for example, Hacking Exposed VoIP by David Endler and Mark Collier. Disclaimer: I was the technical editor of the book).
- Various articles and guides available on the Internet, etc.
That said I still fear it is still not enough.
Although the mind set is changing, I still do not see it being reflected with the deployments of VoIP inside enterprises (and sometimes even at the carrier level).
How come? It is since VoIP is still regarded as a shiny new cool toy, which you can show off. But mostley because vendors would like to make customers think it is easy to deploy with no much hassle to it (and security is a big hassle).
So how is this going to change?
Like every other technology that took a big hit from its security issues and implications, VoIP will get its share as well. Media coverage, publicized incidents, and bad noise will force customers and vendors to take this into a more serious account when thinking of deploying VoIP, publishing RFIs and RFPs, demanding security as a pre-requisites, deploying VoIP, and most importantly building more secure VoIP products.