Network Communications News (NCN) December 2016 - Page 28

S P E C I A L F E AT U R E IP security Closing the VoIP Security Gap Paul German, CEO of VoipSec, examines the issues around securing VoIP applications. D Paul German, CEO of VoipSec, says the industry needs to up its security game for VoIP applications. espite voice becoming just another application, the security industry has failed to keep up in ensuring the security of this new application. Indeed, there seems to be confusion over where the responsibility for the security role should lay; is it with the VoIP and UC vendor or should it be left to the security functions who provide policies and procedures for all other network applications? In reality, however, this decision has already been made, when as an industry we started deploying email and web applications to deliver a more rich level of communication both internally and externally. It’s time we take stock of the lessons learned during the deployment and widespread adoption of these applications and apply them properly to voice. The voice learning curve Let’s cast our minds back 10 years or so. Of course, at the time, vendors of these web and email applications took into consideration security, but their main focus was always on the primary function of their application server. The lack of focus on the security function resulted in new attack vectors being exploited in ways that no-one had anticipated. The rise in breaches highlighted the need for solutions. There was a recognition that firewalls providing network access control were not sufficient to protect these applications; mainly due to the fact that sources of communications were not always known, so open rules had to be used, which in basic terms removed the very function the firewall was trying to provide. And so, security vendors, many of which new start-ups, stepped up and started to deliver dedicated solutions that would provide targeted security for each of these applications and the enterprise network architecture was updated to include a sanitisation area for these applications, which we have all come to recognise as a DMZ. For both sides, this was a learning curve. Security vendors were gaining information from their customer breaches as well as their own research. In parallel, they began to provide regular updates to their security applications, enabling them to provide their customers with the latest updates to protect against common threats. This has now come to form the basis of the ‘defence in depth’ security models we use today and, although we are seeing this model adapt to our new ways of delivering applications, the very premise that we build walls, with firewalls and inspect our applications flows with proxies, very much remains. Security around VoIP has lagged behind other communication platforms. 28 28-29 IP Security – VoipSec.indd 28 02/12/2016 11:07