As if they needed more stress, organizations are facing evolving and increasingly stringent compliance regulations from the Payment Card Industry, as well as Sarbanes-Oxley, HIPAA and others. Here are a few security compliance products that can make the audit process less excruciating.
Here are 10 of the distributor's hottest new offerings winning over solution providers.
New smartphones from Sony, Motorola and the first-ever Twitter-only mobile device -- the TwitterPeek -- headline a busy week for handset makers as the holiday shopping season heats up.
The VoIP Risk Factor
12:00 AM EDT Mon. Sep. 03, 2007
From the September 03, 2007 issue of CRN
Page 1 of 2
Still, as VoIP adoption continues to grow, vendors and integrators are stressing the importance of building layers of security into VoIP deployments. Last November, the SANS Institute, in its annual ranking of the Top 20 security threats, for the first time included VoIP servers and phones, in recognition of the fact that collaboration technologies that weave VoIP into messaging systems provide new pathways for hackers to exploit.
The current generation of VoIP technology has transformed the IP phone into an application that can integrate with other enterprise applications, said Krishna Kurapati, founder and CTO of Sipera Systems, a VoIP security software vendor in Richardson, Texas.
VoIP today also extends beyond the network perimeter and facilitates more open access to the network, but that creates new security risks, according to Kurapati. "You're removing the restriction of being only in one place, but opening up vulnerabilities by doing things like connecting to partners via SIP trunks," he said.
With traditional e-mail-based attacks, hackers have relied on being able to dupe users into clicking on an attachment or link containing an executable file. But since VoIP acts as a client and server simultaneously, a phone can be both the source of an attack and the target, which adds to the challenge of securing it, Kurapati said.
"The big advantage of moving to an IP-based telephony network is integration with applications, which is why you find VoIP systems connected to the data network. But these systems definitely need to be protected as much as any server on the network," said Chris Labatt-Simon, president and CEO of D&D Consulting, an Albany, N.Y.-based solution provider.
In some cases, VoIP security issues stem from existing vulnerabilities in the underlying network infrastructure. For example, the Blaster worm affected deployments of Cisco Call Manager running on Microsoft IIS (Internet Information Services) Web servers, said David Endler, director of security research at Marlborough, Mass.-based 3Com and its TippingPoint security business.
In other cases, the vulnerabilities stem from security issues in VoIP protocols. More of these types of vulnerabilities are being discovered in VoIP, not because of careless developers, but because VoIP is being integrated into other applications such as instant messaging, which increases the attack surface, Endler said. In addition, VoIP "fuzzers," or tools that are designed to root out vulnerabilities by bombarding applications with malformed data, also are being used to automate discovery of VoIP vulnerabilities, he added.
Next: Hacking VoIP
