VOIP: Don't overlook security

Computerworld - Corporations that are implementing voice over IP (VOIP) technologies in a bid to cut communications costs shouldn't overlook the security risks that can crop up when the voice and data worlds converge, users and analysts say.

Most users implementing VOIP these days are primarily concerned about voice quality, latency and interoperability. All are fundamental quality-of-service considerations that companies need to deal with before they can even begin justifying the move to VOIP.

But some security organizations are cautioning users about the dangers of unsecured VOIP services. For instance, in an August 2001 paper on its Web site, the Bethesda, Md.-based SANS Institute warned of privacy- and authentication-related issues stemming from VOIP services and urged users to apply the same precautions they've used to protect their data services.

"With the convergence of the voice and data worlds, the real similarities of the security concerns will become apparent," the SANS report said, urging users to take measures such as encrypting voice services, building redundancy into their VOIP networks, locking down their VOIP servers and performing regular security audits.

Without a sharp focus on security as well, VOIP will never make it into corporate use, say users and analysts.

With VOIP, voice traffic is carried over a packet-switched data network via Internet Protocol. VOIP networks treat voice as another form of data but use sophisticated voice-compression algorithms to ensure optimal bandwidth utilization. As a result, VOIP networks are able to carry many more voice calls than traditional switched circuit networks. VOIP also enables enhanced services such as unified communications.

Voice as Data

Securing voice traffic on such networks isn't very different from securing any data traffic on an IP network, says David Krauthamer, director of IT at Advanced Fibre Communications Inc. (AFC), a Petaluma, Calif.-based manufacturer of telecommunications equipment. AFC is using limited VOIP communications internally and may use it for external communications as well.

"VOIP security needs to be handled in the overall context of data security," Krauthamer says.

But there are some aspects of VOIP networks that users need to pay close attention to, says Christopher Kemmerer, an analyst at NexTiraOne Inc., an integrator of voice and data networks in Houston.

In a VOIP world, private branch exchanges (PBX) are replaced by server-based IP PBXs running on Microsoft Corp.'s Windows NT or a vendor's proprietary operating system. Such call management boxes, which are used both for serving up VOIP services and for logging call information, are susceptible to virus attacks and hackers. Break-ins of these servers could result in the loss or compromise of potentially sensitive data, Kemmerer says.