Voice over IP (VoIP) and IP telephony (IPT) are the hot
tickets in the current IT industry.
In the space of two weeks in late May and June 2005, two major
European trade shows — VON 2005 and VoIP for Business — have each
exhibited a welter of products and services that seem wonderfully
compelling.
The basic pitch is that if your company converges its voice and
data requirements onto one (IP-based) network, you will cut
dramatically the cost of your firm’s voice calls, as well as take
advantage of a whole host of current and future business
applications that will surely enhance business. Who could put up a
strong argument against that?
Before, however, you embark into VoIP or IPT thinking that it’s
basically a licence to cut costs, security of your network has to
be considered extremely carefully. Indeed it may well be that the
modus operandi of some of the leading VoIP and IPT systems are
totally counter intuitive to your security protocols.
These days IPT not only encompasses the world of fixed, wired
communications, it now covers wireless as well. Each domain has its
own security problems. With all IP networks, spam, viruses, denial
of service attacks, Trojans etc are a real threat to all businesses
and SMEs in particular.
Research by Computer Weekly, late in 2004 showed that
only 20% of UK SMEs had not experienced some attack of some form.
With IPT, these threats are now extended to a company’s voice
service, opening up the prospect of compromise, even breakdowns, in
complete communications set ups. For many companies, large and
small, a successful attack on an IPT service is a potential
business show stopper.
The current VoIP market leader, actually trailblazer, is Skype
who has built its business on delivering free peer-to-peer IP
telephony software which in less than two years has been downloaded
by more than 42 million registered users. Subsequently, Skype has
increased its portfolio with the low-cost SkypeOut and SkypeIn
services which allow users to make and receive low-cost calls via
landlines and mobiles respectively. SkypeOut racked up its
millionth user in March this year.
Now while you may argue that 42 million users can’t be wrong,
and that your business can’t ignore free or low-cost phone calls,
there is one fundamental element to Skype about which many security
managers will balk at: it is peer-to-peer. It is very likely that
your firm has a clearly defined policy that forbids the usage of
any peer-to-peer software such as KaZaA (of which one of Skype’s
CEO was a co-founder). Here’s the rub: do you throw out your
established security policy to get low-cost calls?
The other issue is wireless security. Companies such as Sweden’s
OptiMobile produces software that enables automatic and seamless
handover of voice calls between WiFi and cellular telephony
networks. You basically connect over WiFi (VoIP) in environments
with WLAN-coverage and when this is not available, voice calls are
automatically switched to the cellular network without interrupting
the call and vice-versa. The business advantages of such
flexibility are huge but what this means is that the mobile phone
could be another potential back-door for attacker getting to your
network.
So what’s the best form of protection in the VoIP space? It
could well be that the best bet is a managed or hosted service with
guaranteed security as part of the service. There are a number of
services already on offer—from companies such as Avaya, TeleWare
and MCI, where security is built into the solution infrastructure
as well as in the application layer. Avaya for one says the
advantage here is that you’d get high security with no voice
quality degradations.
One company using such a solution with not many security worries
is leading law firm Seddons. It implemented a VoIP platform from
managed services provider hSo to fundamentally boost the efficiency
of its voice and data set up, and has so far gained savings up to
24% of its normal communications costs in the three months ending
31 May 2005.
According to head of IT Daniel Bentley, security was very much
on the agenda in the consideration of the installation but not the
key issue. He explains why: “We’re not a huge team; there are two
of us [in the IT department] and in all there are 125 people. I
don’t have the expertise to deal with [all of the issues] concerned
with VoIP. hSo provided a solution in box; they manage it and they
look after it, and I’m happy with that. We were obviously worried
about security as a firm but [our] VoIP connection goes to hSo’s
POP. hSo deals with [everything connected to the VoIP service], so
it is heavily resilient and secure. Security was a general concern
but not exactly a not exactly a showstopper; it was important but
at the end of the day we were looking at innovative ways of saving
the firm money and we looked at all the different avenues of [how
we] we would still be resilient if we were hacked etc.”
The message is clear: there are indeed innovative ways for firms
to save money through VoIP and IPT. However, without clearly
thought-out and well managed services—by whatever source—the cost
of lax security may dwarf any advantages from cheaper calls.