My other panelist on the session, Bogdan Materna, CTO of VOIPShield, suggested that the answer lies more with the hackers than the systems. Hackers "are about money, not fun," Bogdan said. "And I don't think they see a lot of money in hacking VOIP."
VOIPShield will give you plenty of ideas for things to worry about, if you're so inclined. They've made a splash this year by releasing IP telephony vulnerability reports (at a high level--no details), a move that, Mark Collier noted, "irritates the vendors. Nortel and Avaya especially don't like that kind of publicity." Indeed, VOIPShield came in for some criticism for their handling of the vulnerability announcements, but today Mark Collier defended them, saying, "What VOIPShield did and continues to do is positive for the industry."
Both CTOs on my panel stressed the message that enterprises need to be aware of security threats relevant to VOIP and include them in their overall vulnerability assessments; VOIP threats may not be something that consume a lot of your time and budget today, but you can't afford to ignore them. For now VOIP may be lower on your risk assessment than other types of threats, but you should be prepared to change that view if VOIP systems start to become more of a target.
They also mentioned the need to be aware of what constitutes effective security and what doesn't, for example VLANs. Early on in the convergence evolution, VLAN separation of voice and data traffic was widely promoted as a security best practice. It may not be a bad thing, but Mark and Bogdan agreed that it's not necessarily that helpful either.
That's because the distinction and division between voice and data channels are breaking down. Any voice traffic that originates on a PC softphone will traverse the data VLAN, and there are now hacking tools for jumping between VLANs.
Mark Collier's bottom line: "You do want to use VLANs, they do provide a function. But do not depend on them as a security function."
In response to a question about encryption, Mark said that you can't rely on the idea of encrypting all voice traffic as a way to secure that traffic. Not only can key management become a serious challenge, but encryption will tend to render ineffective third-party systems that are deployed to manage things like QOS or even security systems like intrusion prevention systems (IPS). Because the packets are encrypted, these systems can't correctly understand what they are and therefore can't do what needs to be done to them.
