Don Proctor Discusses Cisco's Leadership in Protecting IP-based Voice Communications
July 18, 2005
Voice-over-Internet-Protocol, or VoIP, is rapidly becoming the standard for business phone systems. However, some IT executives still harbor concerns about this relatively new technology. But sources as diverse as Network World magazine and the US Department of Defense have shown that voice calls can be carried just as securely, if not more so, over an Internet Protocol (IP) network as on any other traditional communications infrastructure. To understand exactly how IP measures up as a secure foundation for voice communications, News@Cisco recently spoke with Don Proctor, Cisco Systems' senior vice president of its Voice Technology group, about Cisco's efforts to provide the industry's most comprehensive security for IP-based voice communications.
How does Cisco uniquely address VoIP security?
Don Proctor: First, we are working on several fronts to ensure a secure network environment. We call our initiative the Cisco Self-Defending Network, which takes a new approach to network security by addressing it on a comprehensive, system-wide level. One of our most recent innovations for building the Self-Defending Network is an industry initiative called Network Admission Control, or NAC. NAC, which is a first of its kind in the industry, uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from viruses and worms while providing a strong foundation for secure voice applications.
Cisco also offers specialized security tools at each level of our VoIP, or what we call IP Communications, system. At the infrastructure level, a Cisco IP phone automatically sets up a virtual LAN for voice communications whenever it is plugged into the network. By logically segmenting the network in this manner, policies can be more easily established to protect voice traffic against the effects of network worms and virus outbreaks. At the call control level, Cisco CallManager is very well protected because software resides on a special "hardened" server. Also, the Cisco Security Agent offers strong, integrated defense against known and new types of attacks. At network endpoints, strong Cisco authentication and policy enforcement technologies ensure that rogue devices are prevented from disrupting services. And Cisco IP phones support standards-based digital certificates and voice and media signaling encryption, so that hackers can neither listen in on conversations nor record the digits being dialed on the phone. At the application level, systems being used for contact centers, Web collaboration and other functions all come with integrated security features, such as secure operating systems and anti-virus software.
Security is central to all Cisco technologies, from infrastructure to advanced systems such as IP telephony, wireless LANs, and storage networking. As the only vendor to provide an end-to-end security program to its customers, Cisco is well equipped to offer comprehensive security across an organization's desktops, servers, and interconnected networks.
A lot has been reported about the lack of security in VoIP, or IP telephony, systems. As the leader in VoIP, how does Cisco view these concerns?
Don Proctor: Certainly, any organization deploying mission-critical voice or data applications should carefully evaluate its security needs, but recent independent tests have shown that Cisco's integrated, system-based approach to security makes IP phones and IP telephony as secure as traditional phone networks; in fact, in many ways they are the most secure communications technologies available today. The Cisco Self-Defending Network strategy allows organizations to leverage their existing investments in routing, switching, wireless and security platforms to create a system that will help them identify, prevent and adapt to both known and unknown security threats, and Cisco IP communications products are an important part of this strategy. Customers who follow secure IP telephony best practices are extremely well protected. For example, denial of service (DoS) attacks are increasing in both frequency and severity and can come from either inside or outside of an organization. By implementing coordinated security at multiple locations and layers in the network, organizations can create environments where the effects of these attacks are minimized or eliminated. And, Cisco, in concert with other VoIP leaders, has made great strides addressing emerging security issues through membership and active participation in standards bodies.
What are some examples of how Cisco is leading the industry in VoIP security?
Don Proctor: Cisco customers who take advantage of the full complement of our security technologies find that they have an extremely secure IP communications system that is far superior to anything previously available. For example, the media encryption option in Cisco CallManager 4.1 provides an integrated solution to voice privacy that delivers far greater protection than traditional telephony systems. And with Cisco Unity 4.0(5), Cisco is the first to extend this encryption capability to protect the privacy of voicemail messages. By implementing security at multiple levels, an organization can build an environment where a single weakness or vulnerability is far less likely to create a failure. In fact, our security approach has earned approval of some of the most demanding customers in the world. The advanced security capabilities built into Cisco's IP Communications platform recently garnered Cisco the US Department of Defense's PBX 1 certification, giving our VoIP technologies the green light to be deployed in a wide variety of US government agencies.
How does Cisco respond to new hacking tools or recently discovered vulnerabilities?
Don Proctor: As we all know, the rapid pace of change in information security presents a moving target. Cisco works hard to stay on top of industry trends and invests heavily in security research and testing. Cisco also has a very proactive method of advising and mitigating security vulnerabilities in existing products that is unique in the industry. Cisco believes in being honest and aggressive in both remediation and notification, which in turn helps build credibility.
How is Cisco working with others to make VoIP more secure?
Don Proctor: Cisco actively participates in several standards bodies that are working on VoIP security. These include the Internet Engineering Task Force (IETF), the International Telecommunication Union (ITU), and the Session Initiation Protocol (SIP) Forum. Cisco has made significant progress with these organizations to proactively enhance VoIP security and address industry concerns. Under the auspices of these working groups, considerable strides have recently been made on creating open standards for technologies related to user authentication, secure signaling, and the protection of media in distributed and multi-vendor environments. By collaborating with others in the industry, Cisco is helping to ensure the evolution of next-generation communications security.
What should organizations that are considering implementing Cisco IP Communications do to ensure that they will have the most dependable network security?
Don Proctor: By following a few simple guidelines, organizations can take advantage of the security benefits of Cisco IP Communications. The first step is ensuring the security of the existing network infrastructure. An application, whether it is a voice application or a data application, is only as secure as the underlying infrastructure. The Cisco Self-Defending Network resources can help organizations create a secure foundation for their IP-based telephony systems. [http://www.cisco.com/go/selfdefend] Second, customers should work with authorized Cisco channel partners to ensure that the most up-to-date security elements, such as firewalls and intrusion prevention, are in place and that they are making use of the comprehensive security tools that are a standard part of the Cisco IP Communications portfolio. [http://www.cisco.com/go/ipcsecurity] Finally, organizations should follow Cisco's recommended best practices to keep their security systems up to date and to ensure that their operational methodologies are consistent with their security needs.