VOIPSA is to release its first completed project, an overview of VoIP security threats called the VoIP Security Threat Taxonomy.

“We have created for the first time and across the industry… a comprehensive and agreed view to the problem,” said Jonathan Zar, VOIPSA secretary and senior director at Sonicwall Inc.

The document, which VOIPSA began work on in March and is now open for feedback, gives a glossary of terms and organizes and describes types of security threats. Essentially, it helps define what the problems, current and future, are.

“The first step is getting people to agree what the problem is and get it to the level of granularity to get them to work on it technically,” Zar said.

The Taxonomy is expected to lay the foundation to establish user requirements, a set of vendor-neutral best practices and testing for VoIP security, and to provide a context for balancing trade-offs.

VOIPSA also will announce it has grown to 100 member companies from just 20 when it launched earlier this year. New members include major carriers, software and equipment vendors, large users and system integrators. They include Juniper, Nokia, Deloitte & Touche and BearingPoint. “That growth is representative of an underlying real issue,” Zar said.

Major VoIP attacks have not been widely reported, in part due to limited enterprise VoIP usage to date. Zar would not pin down a specific example of an exploit.

“We are aware anecdotally of significant attacks,” Zar said. “Various technologists have told us that attacks can be quite profound and in some cases are quite simple.” Zar’s company has defeated an attack that could have taken down the network infrastructure of a well-known networking company, he said, declining specifics.

VoIP threats identified by VOIPSA include reconnaissance, DoS/DDoS attacks and host and protocol vulnerability exploits, which threaten to disrupt not only the VoIP network but also the traditional telephony network.

Surveillance, hijacking, identity theft, eavesdropping and the insertion, deletion and modification of audio streams are other examples.

Zar said that until now VoIP spam was a focus of concern. But the research reveals that deceptive practices would likely be a much larger problem, he said. This includes false-caller ID, for instance, in which a fraudulent caller could obtain sensitive company or banking information. False-caller ID breaches have already been reported, Zar said, declining to cite specifics.

VOIPSA’s upcoming best practices recommendations would likely include caller ID filtering and blocking, Zar said.

VoIP quality-of-service requirements will mean DoS attacks will get easier. Service disruption is possible due to delay, jitter and packet loss. And DoS/DDoS attacks have far more targets in VoIP deployments, including IP phones, broadband modems, routers, switches, firewalls, signaling and media gateways, SIP proxies and location servers.

Zar pointed to the carrier community as being a key driver for security concern. “The carriers say, ‘We integrate the equipment of many of these companies, we know there’s gaps in the infrastructure,’” Zar said.

Specifically, the handoff between voice IP packets that travel along the Internet and the traditional public switched telephone network, or PSTN, is not secure. Vulnerabilities exist in voice transport protocols and signaling protocols and architecture.

A multi-vendor component environment doesn’t help either, especially the approach by vendors until now, which has been to improve their own products. “We now know that uncooperative optimization won’t suffice,” Zar said.

“In handoff there needs to be a function that should be deployed in the infrastructure that does this,” he said. “And we need to work with the Internet folks to cover these gaps.”

VOIPSA, however, is not trying to be a standards body, Zar stressed. Rather, it aims to influence design of equipment and software, and what carriers do in terms of deployment and integration. “It’s going to translate into recommendations that have meaning and actions for CIOs and R&D and product development,” he said. “That’s where the gaps will close.”

In addition to closing technical vulnerabilities across the VoIP value chain, Zar said VOIPSA also aims to connect technical and policy-making communities.

Just how long it would be before enterprises could be guaranteed secure VoIP is unclear. While business sites can be secure, traffic within today typically is not, he said. CIOs could separate and secure specific traffic, he said, which is not typically done today. But even then, they would not be able to fully cover the field of voice traffic. Systems would get better, but even then, they likely would have some very real vulnerabilities, Zar said.

But there is always the cost-risk tradeoff, he pointed out. “I definitely think [VoIP] is worth the benefits, particularly in environments that are within the control of your CIO. You might want to take some special measure for highly-sensitive [calls].”

VOIPSA’s next project, a list of security requirements, is expected by year’s end.