Shark Bait

Knowledge Centers

Operating Systems

Networking & Internet

Mobile & Wireless

Security

Storage

Business Intelligence

Servers & Data Center

Computerworld Reports

Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.

Subscribe to Computerworld
40 years of the most authoritative source of news and information for IT leaders.

VoIP Is Scary

Mark Hall Today’s Top Stories

or Other Networking and Internet Stories

January 17, 2005 (Computerworld) --

Imagine that you deliver an application with 100%, instant-on availability. Security is rock-solid. Costs are dropping. Users never complain. And anytime you upgrade, even if you buy software and gear with new features from a different vendor, user acceptance is always immediate and training virtually nil.

That's your phone system. And VoIP threatens to break it by opening your phone network to the profusion of security hazards your IT environment faces.

That's not to say our POTS (plain old telephone service) is unbreakable. One of the legends of hacking is Cap'n Crunch, who got his nickname from decoding the audible signals on phones by using a whistle from a box of the cereal. The hackers who followed in his footsteps didn't break into POTS for the free long-distance service. They did so to access the computers connected to it. But they don't need POTS any longer; they've got the Internet now.

So users have been able to ring you up when their systems have crashed after someone let loose variants of the SoBig or Klez viruses on your network. But with VoIP, users might not even be able to do that, since its infrastructure is vulnerable to the same attacks by the world's bottomless pit of sociopathic hackers.

VoIP security isn't just important. It's everything. Steven Harris, an analyst at IDC, sums it up simply: "Security is a precondition to a deployment of VoIP."

That's a tough precondition, given that VoIP technology is built largely on Linux or Windows, uses Web application servers, runs over the IP network and, in some cases, uses the browser as an alternative to a handset. Is there anything in that list that doesn't have gaping security holes in it? The list doesn't include the VoIP application. And research firm Gartner claims that about three-fourths of the security attacks in 2005 will strike at the application level. If you think VoIP apps won't be favorite virus targets, you're wrong.

Edwin Mier tested VoIP products from Cisco Systems and Avaya last year for Network World, one of our sister publications, and concluded that while security is "possible," it's so complex and vendor-specific that only the bravest and the smartest will deploy it widely . He left out the foolhardy.

So, why on Earth would any sane IT manager want to get involved with a project as risky as VoIP? Well, your CFO likes it, for one. IDC, among others, is telling him that 20% savings on telco charges "is common." For companies that run up millions of dollars per month in phone costs, that kind of savings can be very compelling.

But compelling enough? Mike Hrabik, chief technology officer at Solutionary, which does security risk management in Omaha, says IT managers need to be aware that VoIP systems must be patched for security as often as your app servers. However, he warns, some VoIP vendors lag as much as 30 days with patches for the OEM systems they deploy, leaving your phone network vulnerable even after you've patched the IT side.

Hrabik, whose company uses VoIP for internal and some branch-office connections, thinks cost savings are nice, but the best reason to use VoIP is to deliver more-productive applications, such as integrating both voice mail and e-mail so users can get all of their messages from any device -- cell phone, laptop, PDA or whatever. For a company with a large field sales and support organization, that kind of application could generate more dollars in sales than it saves in telecommunications costs.

Combining substantial cost savings with a significant productivity boost might indeed be worth the risk of jumping into the shallow end of the VoIP pool to get comfortable with the technology.

Jim Vale, a product manager at network management and analysis firm Network General in San Jose, says there are some basic ways to design a secure VoIP network. First, conduct a comprehensive vulnerability analysis of your network and of the VoIP gear before you attach anything to your network. Next, segment your VoIP traffic, which isolates security problems and has the added benefit of dedicating that segment for streaming protocols used by voice. Also, apply quality-of-service rules for your IP traffic, assuring priority for streaming data. Dropped calls and poor aural performance can be indicators of a security problem. Finally, monitor like crazy.

Rolling out VoIP only to save money isn't worth the risk. Coupling savings with a powerful application might make it worth a very careful try. But just barely.

Mark Hall is a Computerworld editor at large. Contact him at mark_hall@computerworld.com.

VoIP Goes Mainstream

Stories in this report:

Print this Story

Send Us Feedback

E-mail this Story

Digg this Story

Slashdot this Story

	VoIP Is Scary
	Sticky Security

"Security people can talk until they're blue in the face about the dangers of unsecured Windows PCs and how they..." Read more...

"Apple may be the darling of the hipper-than-thou crowd, but when it comes to climate change, it has one of..." Read more...

Read more Networking posts or See all Blogs

	XP SP3 cripples some PCs with endless reboots
	Microsoft to patch four bugs on Tuesday
	Web attack worm on a rampage
	More top stories...

	Microsoft grows DAISY for blind computer users while Adobe wilts
	Leopard at six months: Does it live up to the early hype?
	Mozilla shipped worm with Firefox add-on

5 easy ways to commit career suicide

Mistakes such as putting down co-workers or burning bridges when you resign are surefire ways to darken your career prospects. Here's how to avoid them

Opinion: Get ready for these 6 game-changing technologies

Hype and promises abound in the IT world, but these six breakthroughs really will change your life, says author and former IT manager John Brandon.

What brain drain?

Baby boomers are retiring and taking their knowledge with them. Why do so few in IT seem to care?

Tales from the crypt: Our first computers

Computerworld editors share stories of their first PCs, including some classics and some real clunkers -- then we ask readers to share their early-PC tales.

Windows Vista A to Z

Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS.

IT Careers 2010

Four years from now, the IT field will be a vastly different place. Will you be ready?

All Zones
Application Performance Zone
Enterprise-Class Security Zone
Enterprise Solutions Zone
The File Data Management Zone
Grid Computing on Windows Zone
Security Management Zone
ITIL Best Practices Zone
The SAS Zone
Storage Virtualization Zone
The Data Center Management Zone

See your link here

Unified Communications

Unified Communications
Computerworld presents a new webcast, compliments of Cisco.

Go to the webcast

Advancing the Economics of Networking

Get this white paper now!
(Source: Juniper Networks) Read this white paper to discover how to easily reduce capital and operational IT expenses. Aging network systems and old habits have dictated how businesses spend their IT budgets. As a result, a large percentage, if not a majority, of IT dollars are being spent to merely "stay in the race" and keep pace with the competition.

Download this white paper

Computerworld Executive Briefing: Automating Network Management

Download this Executive Briefing now (a $195.00 value), compliments of ProCurve Networking by HP.
(Source: Computerworld) This briefing looks at the basics of network management, which tend to get lost in the dizzying array of products and processes. It also examines new tools that are on the way to help IT executives deal with management in the new era of automation. Download this Executive Briefing now (a $195.00 value), compliments of ProCurve Networking by HP.

Download this executive briefing

White Papers

Read up on the latest ideas and technologies from companies that sell hardware, software and services.

	License Optimization: Get to One Version of the Truth
	Gaining Insights Through Analytics
	Butler Technology Audit Report

View more whitepapers

XenServer FREE trial
Citrix XenServer is the simplest and most effective way to virtualize and provision servers. XenServer combines comprehensive server virtualization capabilities with unparalleled scalability, performance, economics, and ease-of-use. Based on the open source Xen hypervisor, XenServer delivers fast performance, easy management, and advanced features such as live migration.

Request free trial now

Columnist Bert Latamore digs deep to analyze the latest networking trends.

Click here to read the latest column by Bert Latamore

IT Service Management: Metrics That Matter

Download this whitepaper and learn about the metrics that matter most toward improving operational results, and which two controls any organization can adopt that will put them on path to high performance.
Download this white paper now!

See more Whitepapers more

Networking Know-How
For tips and best practices on building anything in the network, see Sandra Gittlen's weekly column.

Click here to read the latest column by Sandra Gittlen

	Networking
	Computerworld Daily News (First Look and Wrap-Up)
	Computerworld Blogs Newsletter
	The Weekly Top 10