VoIP 2005: Better watch what you say

Voice over IP implementations will increase significantly in 2005, primarily as a cost-saving measure. Be afraid. Be very afraid.

Saving pennies on VoIP could cost your enterprise the whole enchilada. Voice over Internet Protocol offers many benefits and appears inevitable for enterprises, but before you jump into it with both feet -- as many enterprises are expected to do next year -- it's crucial to consider quality of service, manpower and, importantly, security issues.

IT departments may soon be feeling pressure to roll out VoIP across the organization as beancounters recognize the cost-savings of voice technology's inexpensive equipment and wiring and without the additional expense of overseas long distance charges. If your organization is considering a wide scale deployment, make sure IT and your management team are aware of the repercussions of a hasty rollout.

"There are several drivers for enterprises to roll out VoIP: cheaper initial investment in new and renovated offices; new applications such as soft phones that allow extension of phone systems beyond physical boundaries; and a platform that takes advantage of integration of voice, instant messaging and video conferencing," said Irwin Lazar, a senior analyst at the Burton Group in Midvale, Utah. "The other big driver is that there really isn't a choice anymore, non-IP phone systems and services are disappearing."

Despite the numerous benefits of the technology, manpower will be among the big issues for IT.

"Issues related to VoIP are the same as for networks -- you'll want the same people to manage both," said Andre Yee, president and CEO of NFR Security Inc. in Rockville, Md. "They'll be managed under a common architecture."

For IT departments already strapped for time this won't be welcome news.

"How will they handle being the phone company, in some cases doubling the number of devices they need to maintain?" asked Rick Fleming, CTO of Digital Defense Inc. in San Antonio, Texas.

But there may be an option both beancounters and IT can live with.

"Outsourcing VoIP design, implementation, and management functions, like network security, is the wisest option for most organizations," said Nick Brigman, vice president of product strategy at RedSiren Inc. in Pittsburgh. "The technology is rapidly evolving and there are many pitfalls whose resolution can dominate internal resources. Companies may find it in their best interest to bring in an expert to handle these issues in the near term, with the option of bringing support in-house down the road."

VoIP makes use of data lines to transmit packets of information like any other network. However, underlying differences in how voice and data networks prioritize delivery may impact VoIP quality. The focus on data networks is on reliability of transmission, not timely packet reassembly.

"Given that data networks place a priority on ensuring that 100% of the data is delivered, even if it's slow or out of sequence, it's possible, and even probable, that VoIP may suffer during heavy network congestion," Fleming said.

"The natural tendency for overworked IT personnel is to make do with the limited resources they have and just piggyback the VoIP network on top of the existing data network," said Brigman. "It's very risky and ultimately won't work. Users expect consistent flawless performance every time they pick up the phone. To ensure success, the performance and incident response capabilities must be integrated and the criteria for data must elevate to that of our phone systems."

SpIT it out

Spam over Internet Telephony [SpIT] may also present problems.

"As spam has become a problem for e-mail, there's a similar concern for VoIP," said NFR's Yee. "You can easily stream spam to an entire organization with fairly inexpensive equipment. Moving forward, this will become a greater issue."

Calling SpIT an adaptation of an already known threat to an emerging technology, Brigman said new attacks are expected. "Luckily, the continued advances made in reducing spam can be used to control the unwanted messages and potential carriers of malicious code and phishing schemes of SpIT."

And you can't talk about deploying VoIP without considering the security concerns.

"VoIP adds another large-scale attack vector to your network," said Digital Defense's Fleming. "All it takes is one attacker breaking into one system to access all VoIP data and all network data."

Of primary concern are security flaws in two VoIP protocols, the Session Initiation Protocol [SIP] and H.323. Those vulnerabilities can lead to denial-of-service attacks and the ability to execute arbitrary code on the affected devices. The Computer Emergency Response Team [CERT] has issued advisories on both H.323 and SIP. Flaws have also been reported in specific vendor implementations of VoIP equipment.

"We will see problems very similar to what we've seen in other applications like Windows, Unix and other operating systems where vulnerabilities can be exploited to execute code," said Gerhard Eschelbeck, CTO of Qualys Inc. in Redwood Shores, Calif. "Security flaws will be found and announced that allow worms to spread in a similar way for VoIP." Such automated attacks could tap phone calls or cause widespread denial-of-service attacks.

"The recovery from such an attack may take days and the unavailability of telephone infrastructure for an enterprise for such a period may be fatal," Eschelbeck added.

Other security concerns include toll charge fraud and identity fraud. Good information on securing VoIP is available from NIST.

Dig deeper on Patches, alerts and critical updates

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchVirtualDesktop

SearchWindowsServer

SearchExchange

Close