VOIP Security on the Back Burner

Computerworld - So far, most users implementing VOIP seem to be primarily concerned with issues such as interoperability with data networks, voice quality and latency, rather than with security, analysts say.
"Security is not an issue that's been on the forefront," says Jeremy Duke, founder of Synergy Research Group, a market research firm in Westlake Village, Calif.
"It's more of a 'Be aware and don't forget' sort of issue right now," says Elizabeth Ussher, an analyst at Meta Group Inc. in Stamford, Conn.
"When we advise clients, VOIP security is sort of like a yellow light to be concerned about," she says.
One reason for that attitude could be that companies have only now begun slowly rolling out VOIP services and are therefore preoccupied with simply making it work, say analysts.
VOIP allows users to make phone calls over IP data networks. It promises lower operation and management costs than traditional circuit-switched telephone networks because it allows businesses to route voice over their existing data networks.
But getting it to work to enterprise standards can be a challenge, say users and analysts.
For one thing, data networks have had difficulty providing the quality of service and level of reliability that users have come to expect from traditional telephony.
It's also not easy to connect VOIP with existing phone networks. For example, some network technologies, such as network address translators and most existing firewalls, aren't very VOIP-friendly. Firewalls that aren't VOIP-aware can keep VOIP calls from getting through.
As a result, companies are grappling with how to make VOIP work to enterprise standards rather than worrying about security, says Chris Neal, an analyst at Sage Research Inc. in Natick, Mass.
In a recent focus group organized by Sage, "quality was the issue that kept coming up again and again," Neal says. "In this particular group, nobody was really concerned as much about security."
But that indifference is not universal by any means.
"We are constantly looking and re-evaluating where our exposures in this environment are," says Charles Chambers, manager of network planning and development at the University of Houston. "Because this is such a new area, there's not a lot of best practices and security guidelines."
Most VOIP deployments so far have been in small enterprises, but large organizations are moving to adopt it aggressively as well, with about 40% of them currently testing it, according to research from Meta Group.
According to Synergy, the worldwide market for IP telephony, including IP phones, grew 21% year over year to $171 million in thesecond quarter of 2002.