The move to Voice over Internet Protocol (or VoIP) telephony continues to gain momentum. Enterprises embracing VoIP can expect to realize substantial cost savings by utilizing the Internet and bypassing long-distance providers. Many organizations are also on the record touting impressive gains in employee efficiency brought about by VoIP.
But a move to VoIP entails some serious security risks as well. It opens up the floodgates for hackers to infiltrate phone conversations and steal confidential data. And spammers can target the system with massive denial-of-service (DoS) attacks. Before making the move to VoIP, enterprises would do well to thoroughly acquaint themselves with the security issues surrounding this new technology. In-depth planning is essential.
Just how mainstream has VoIP become? Having passed through the “early adoption” phase, VoIP is emerging as one of today’s top IT concerns for business:
· Two-thirds of the Global 2000 are expected to implement VoIP by 2006, according to Deloitte Services LP (eWEEK, December 4, 2004).
· In a survey of 500 IT professionals released earlier this year, the Computing Technology Industry Association found that 73 percent of the respondents said they use or plan to use convergence hardware and software over the next 12 months (“Voice-over-IP Offers Greatest Productivity Gains,” February 9, 2005).
· Gartner Inc. expects the market for VoIP services to continue to expand at double-digit rates in 2005 (“North American Business VoIP Services Emerging,” March, 2004).
While the idea of eliminating long-distance charges has motivated many enterprises to explore VoIP, there are other benefits to consider as well. For example, early adopters cite the advanced features of VoIP, such as unified messaging (enabling users to receive voice mail and email in one place), three-digit dialing among offices, Web conferencing, and multiple call-forwarding options.
Some companies find they no longer need a staff member dedicated to voice and supporting PBXs.
Other companies find that VoIP enables them to move beyond their older, out-of-date telecom infrastructures.
For companies that are on the fence regarding VOIP, some vendors offer hybrid IP telephony systems that let customers upgrade incrementally to convergence and leverage their investments in existing equipment.
Security front and center
As the recently formed VoIP Security Alliance has observed, advances in information technology typically outpace the corresponding security requirements, which are often tackled only after these technologies are widely deployed. Such is the case with VoIP today. Now that VoIP deployments are becoming more widespread, the technology is proving a more attractive target for hackers, increasing the potential for harm from cyberattacks. Moreover, the emergence of VoIP application-level attacks will likely occur as attackers become more familiar with the technology through exposure and easy access.
And the consequences of an attack can be staggering. Successful attacks against a combined voice and data network can cripple an enterprise, halt communications required for productivity, and result in irate customers, lost revenue, and brand impairment.
That’s why the VoIP Security Alliance plans to disseminate knowledge of VoIP security risks through discussion lists, white papers, and research projects. The group hopes to spur adoption of VoIP by promoting best practices for companies that adopt the technology, and by warning organizations of threats to VoIP, including spam and DOS attacks. The group is currently in the process of developing projects that will ultimately lead to VoIP security testing tools and methodologies.
VoIP’s unique requirements
With enterprise interest in VoIP heating up, Gartner has found that CIOs and network managers are acutely concerned about securing VoIP, so that it provides the same level of security as traditional time division multiplexing (TDM) devices and the public switched telephone network (PSTN). In a recent report (“Voice Over IP Communications Must Be Secured,” November, 2004), Gartner predicts that IP communications will continue to be less secure than TDM communications through 2006; that DoS attacks will regularly be used to disrupt VoIP communications by 2008; and that the next year will see convergence-specific viruses/worms begin to attack VoIP-specific equipment.
As Gartner points out, securing voice communications is technically different from securing more traditional data streams. Issues include surrounding guaranteed bandwidth, delay, jitter, packet loss, and the timely delivery of signaling messages.
Also, when securing VoIP, enterprises need to take into account both traditional IP threats and VoIP-specific threats. As Gartner notes, “the massive adoption of industry-standard protocols leaves VoIP vulnerable to generic protocol and vendor-specific vulnerabilities.” Moreover:
“Securing VoIP streams and maintaining quality of service (QOS) requires a delicate balance. It would be easy to use a combination of traditional IP security techniques, payload and signaling encryption. While this combination would produce secure VoIP communications, the delay could degrade communications to the point that they are not understandable.”
Another issue with VoIP is that few organizations have engineered their data networks to provide the power necessary to keep VoIP phones running when the power goes out.
In addition, Federal Trade Commission Chairman Deborah Platt Majoras recently warned that telemarketers could use VoIP to send massive numbers of voice messages to consumers, a technique known as SPIT, for “spam over Internet telephony.”
Bottom line: you need to determine what your tolerance is for delay in voice communications, and understand that voice communications is only as secure as your overall network.
While VoIP technology is now stable enough for enterprise rollouts, many organizations are taking a go-slow approach. And that’s not surprising, as Bob Hafner, Gartner’s director of research, told NetworkWorld recently. The holdup, he said, is that each company must justify the costs of a convergence project and judge whether the potential productivity enhancements and cost savings outweigh the costs of ripping out working telecom gear.
At the same time, CIOs and network managers are rightly concerned about the best ways to secure VoIP. After all, VoIP is vulnerable to many types of malicious activity, including viruses, worms, IP spoofing, password attacks, and man-in-the-middle attacks. By making security a primary consideration, enterprises will be better positioned to experience the full benefits of IP, while ensuring network security and preserving business continuity.