3Com?s TippingPoint establishes VoIP Security Alliance

TippingPoint, a division of 3Com since the close of their acquisition last week, has gone from Intrusion Prevention start-up one year ago, to leader of a new security alliance intended to address the emerging voice-over-IP market. The VoIP Security Alliance (VOIPSA) was launched today with 23 members and counting.

VOIPSA will have its first formal meeting Feb. 21, and will begin forming projects and work groups focused on understanding and avoiding VoIP security risks. The group will initiate discussion lists, white papers, sponsorship of VoIP security research projects, and the development of tools and methodologies for public use.

Although TippingPoint initiated the idea, recruited members and will provide administrative services, David Endler, director of digital at TippingPoint and chairman of VOIPSA, said VOIPSA is in no way a TippingPoint group.

"It is an industry-wide group that includes VoIP vendors and service provider space, security vendor and provider space, university researchers and the government," Endler said. "It is very much an open source meritocracy where anyone with the appropriate skill level is welcome to join."

Charter Members of VOIPSA include 3Com, Alcatel, Avaya, Codenomicon, Columbia University, Ernst and Young's Guiliani Advanced Security Center, Insightix, NetCentrex, Qualys, Sourcefire, Southern Methodist University, SecureLogix, Spirent, Symantec, the SANS Institute and Tenable Network Security.

Charter Communications, Comcast, Siemens and Qwest also signed on to participate. So did the National Institute of Standards and Technology and Purdue's CERIAS Lab.

Endler said no formal discussion forum exists today to address VoIP security and that the time to begin addressing these issue is now because VoIP will be rolled out en masse over the next couple of years. "That means a lot more subscribers, but it also means more potential attackers that have their own personal sandbox in which to poke at this technology."

The group's first projects will likely be to create public tools for identifying vulnerabilities, creating documentation to generate a better awareness of existing and potential threats and to develop best practices for deploying VoIP.

TippingPoint has already donated a tool, called a fuzzer, to the group. The technical advisory board will decide if and how to use it and collaboratively enhance it to identify vulnerabilities in VoIP protocol implementations.

VOIPSA plans to distribute more information in March and put out a general call for participation. Endler said VOIPSA is a vendor-neutral, open source group and that anything uncovered as a new security threat or issue will be responsibly disclosed to the vendors affected.

"In order for VoIP to really catch on and be successful, it has to be secure. And that's what this group is trying to accomplish," Endler said. "Because even if your VoIP application is extremely secure and uses the best authentication and encryption, it's a moot point if the underlying infrastructure components they ride on can be compromised."

The group's Web site also launched today. More information can be found at www.voipsec.org.