VoIP Toolkit

VoIP: Paying the price for cheap calls

Tags:
VoIP

Cath Everett ZDNet.co.uk

Published: 08 Aug 2005 17:10 BST

But despite these risks, Collins believes that looking at VoIP and IP telephony as a potential security risk is a misnomer. "VoIP is not a security risk in and of itself. If you're looking at it as a security issue, you've got it the wrong way round. It's no more of a risk than using video-over-IP or calendar management-over-IP," Collins says.

The security issues emanate from people not putting the right level of protection in place not any inherent flaws in the technology itself. "To me, people are the top un-hyped security threat, followed by denial as number two. Too many organisations do risk management by implementing something and finding out what the problems are when things go wrong, but that's more of a psychological issue than a technical one," he explains.

As a result, it is crucial that organisations evaluate the potential security risks before even thinking about implementing any new technology, VoIP included. Mike Gillespie, principal consultant at Advent Information Management, explains: "The secret is not retrofitting security, but designing it into systems from day one. For most people, it's generally about functionality first and security second, but that simply has to change."

A good starting point, says Gillespie, is to evaluate what the organisation intends to use VoIP for and to safeguard it in a way that is commensurate with the impact of any security incident on the business.

"There's no one-size-fits-all approach. It's about implementing controls that are appropriate to what you're using VoIP for and prioritising resources in line with that. So if you're only using it to call a colleague up the road for a chat, it's a very different situation to using it to call a business associate about a top secret takeover, and how you implement your security should reflect that," he says.

VoIP and IP telephony should not be treated any differently to any other part of the organisation's IT infrastructure. The technology should be included in the existing security policy which should specify processes and procedures that are acceptable user behaviour. The policy should also details what practices should be followed in the wake of an incident and the technology that needs to be in place to shield the infrastructure from attack.

The minimum security technology that should be in place includes voice firewalls and content filtering software such as antivirus and anti-spam programs that can undertake deep packet inspection. Encrypting voice traffic is another possibility, while undertaking regular patch management on voice servers is a must. Larger companies that prefer to retain their own VoIP infrastructure in-house rather than use third-party service providers will also need to consider the ramifications of the technology in terms of disaster recovery and business continuity planning.

While it is questionable at this point how many companies would consider removing their PSTN network completely to rely solely on VoIP anyway, should they do choose to do so, they do have choices. "You might need to have a power generator to provide an alternative source of supply in the event of failure, you could go for PSTN fail-over or provide staff with mobile phones so that they can make emergency calls. It's a contingency thing, but you don't have to go overboard. You just have to provide people with options," explains Datamonitor's Williams

In the end it seems that VoIP isn't any more inherently insecure than any other technology. The problem stems from the fact that the potential of VoIP as a revolutionary cost-saving technology has been overhyped — the attention given to security concerns could be seen as a natural realignment. "Some people are saying that, despite the telephony call savings, they won't move to VoIP due to security concerns. But how you secure VoIP should be the same as how you safeguard your data. It just means that rather than having two networks to manage you only have one so rather than making makes life more complex, it could actually become simpler."