If you're talking over your IP network right now, then voice-over-IP should be at the top of your security priorities for next year.

Securing enterprise IP voice hasn't been on most organizations' radar screens, mostly because VOIP so far hasn't been a popular target of attackers or bug hunters, nor have many organizations torn out their traditional voice systems altogether, anyway. But security experts say it's time to make VOIP security a priority.

For one thing, the cat's out of the bag: VOIP hacking tools, that is, are widely available now. "There had not been widespread availability of those tools until now," says Dan York, best practices chair for the Voice Over IP Security Alliance (VOIPSA) and director of IP technology for Mitel. "Now there will be more interest in [VOIP]...and the cool kids will start hacking VOIP."

David Endler, director of security research for TippingPoint, and co-author of a new book called Hacking Exposed: VOIP has released over 20 VOIP hacking tools that he and co-author, Mark Collier, CTO of SecureLogix, wrote while researching the book. The tools cover everything from denial-of-service to adding audio to active IP calls.

"There's not a lot of research here yet. VOIP is still a nascent market," Endler says. "VOIP is following the same path as other technologies. It was considered a killer app, and it was widely deployed and security wasn't addressed until afterward," he says.

"Today, attacks are just on a network and VOIP is this collateral damage," he says.

But Endler expects all that to change in '07. "There are going to be more attacks targeted at VOIP." VOIP is basically just another app running over the IP backbone, so it's susceptible to most network-based attacks. The main ones associated with VOIP are denial-of-service and sniffing or intercepting traffic.

But the big black hole in VOIP security is with the Session Initiation Protocol (SIP) trunking area, says VOIPSA's York. SIP trunking basically lets you bypass the PSTN and use your Internet connection to link to a VOIP service provider, for instance. "A lot of new startups are rushing to provide SIP trunking, but not looking at security," he says.

That leaves endpoints wide open to attack, he says. There are plenty of these types of attacks going on right now, he adds. "And there are tools out there for attacking SIP endpoints."

But Lawrence Orans, research director with Gartner, says while the focus has been on SIP security, enterprises are really still mostly implementing proprietary signaling protocols in their IP telephony systems. "You need to secure the proprietary signaling in firewalls and IPSes," Orans says. "There should be more focus on firewalls and IPSes better protecting PBX servers."

And remember, that the Windows server your Cisco Call Manager application runs on has holes of its own, too, aside from the holes VOIP hacker tools can poke in VOIP applications. "Any VOIP system runs on the same vulnerable components" that viruses and worms target, TippingPoint's Endler says.

That means attacks against management interfaces, call control systems, and voice frames, York says. One way to protect voice content is encryption: "Confidentiality is one thing that's big in ensuring phone calls are secure...basic encryption solves a lot of that."

VOIP may be where Oracle databases were security-wise a couple of years ago, says Nicolas Fischbach, senior manager for network engineering/security at Colt Telecom. "[It's] a key system, not patched because it's too critical, no hardening because of laziness or 'it always worked like that,' so it's also easy to own," he says. "But things are going to change."

— Kelly Jackson Higgins, Senior Editor, Dark Reading