The Voice over IP Security Alliance (VoIPSA), a new organization to improve public awareness of issues and best practices for security and privacy of voice over IP, has elected its board of directors and announced its early projects.
Security threats to VoIP networks, real and imagined, have become a hot topic as the technology has gained wider acceptance. Although few networks have experienced severe problems, spam and other IP network security threats have the VoIP community on alert.
VoIPSA is made up of more than 50 organizations with new members including Acme Packet, Agilent Technologies, Arbor Networks, Bell Canada, BorderWare Technologies, Cox Communications, Extreme Networks, Foundstone Professional Services, a division of McAfee Inc. and InfraVAST, MCI, Miercom, Mitel Networks Inc., PricewaterhouseCoopers LLC, Samsung Telecommunications America, SonicWALL Inc., Sprint, Telcordia and VeriSign.
VoIPSA has defined several committees to tackle various issues. Security Requirements will define security requirements across the wide range of VoIP deployments, Best Practices will develop best-practice guidelines and tools, while Testing will develop methods to test the security posture of VoIP components and infrastructure. Meanwhile, Security Research will drive the state of security research for VoIP, and Education and Community Outreach will refine VoIPSA’s message to the industry and public at large to raise awareness of VoIP security and threats.
Principals of the group are Chairman: David Endler of TippingPoint; Treasurer: Anne L. Coulombe of Enterasys Networks; Secretary and Education/Outreach Chair: Jonathan Zar of SonicWall; Best Practices Committee Chair: Jeffrey Stutzman of PricewaterhouseCoopers; Security Requirements Committee Chair: Andrew Graydon of BorderWare Technologies; Security Research Committee Chair: Ofir Arkin of Insightix; and Testing Committee Chair: Brian Tolly of Spirent Communications
The group has decided its first project is to develop a “threat taxonomy,” which will define and categorize all the different kinds of threats and document security requirements for VoIP networks.
“We are looking at currently understood problems and what people imagine will be future problems,” says Zar. The group will organize its work based on “what people know about technologically possible [threats], how to organize that in a systematic way so people can deal with it,” he adds.
Zar emphasizes VoIPSA seeks to work collaboratively with the many groups developing security technology. “We’re not trying to say that we know all about the problem,” Zar says. “We’re not going to duplicate what other groups are doing but will do a lot of outreach to other groups.”
