The flexibility and openness of SIP have made it a key building block for VOIP services, but SIP also makes carrier and enterprise VOIP networks vulnerable to crippling attacks that could bring services down for days, according to the latest report published by Light Reading's VOIP Services Insider
SIP & VOIP: The Coming Security Crisis explores the vulnerabilities of VOIP networks to outside attacks and surveys available SIP security solutions, examining likely geographic expansion and providing an in-depth evaluation of the technology relative to its competition. It examines factors that vendors should address to promote growth, including technological and marketing issues. Additionally, it offers a detailed case study and provides a comparative analysis of some of the top companies in the SIP security arena.
SIP is subject to the same types of attacks -- including viruses and denial-of-service (DOS) attacks -- that affect email communications, but a successful attack through SIP is likely to have a larger impact on the affected network, notes Denise Culver, research analyst with Light Reading's VOIP Services Insider and author of the report. "SIP enables voice traffic to traverse VPNs, potentially carrying with it all of the things a hacker might want to attach to such a message," she says. "While those in the email security world have had more than a decade to contend with these issues, SIP security vendors are trying not only to address the issue of securing SIP messages but also to ensure that SIP can successfully traverse a firewall at all."
A big part of the problem with SIP is that vendors have rushed products into the market that don't make use of all the security measures recommended in the protocol standard, Culver adds. The standard's flexibility is also an issue in making networks vulnerable to security breaches, she says: "Until vendors reach a point at which interoperability is not just a requirement but actually something they recognize in terms of the security it provides across SIP itself, the protocol will remain inherently flawed."
Other key findings of SIP & VOIP: The Coming Security Crisis include the following:
- Although SIP is widely considered the standard protocol for VOIP services, it doesn't traverse firewalls, creating problems for users and security vendors.
- Attention placed on eavesdropping at the SIP phone level isn't driving users to encrypt SIP, even though eavesdropping presents a viable threat.
- While the cost of securing SIP networks is widely debated, everyone agrees that much more will be spent over the next 12-18 months to keep networks secure.
SIP & VOIP: The Coming Security Crisis provides critical data and analysis for a range of industry participants, including:
- Suppliers of SIP security product needing independent market analysis of the SIP security sector
- VOIP network operators and enterprise network planners evaluating deployment of SIP security products and the risks posed by potential security breaches to their networks
- Investors needing a better understanding of the scale of the opportunity that SIP security presents, and which types of companies are best positioned in the sector