Voice over IP (VoIP) and IP telephony (IPT) have been
the hot tickets in the IT industry for some time
now.
The basic pitch is that if your company converges its voice and
data requirements onto one (IP-based) network, you will
dramatically cut the cost of your firm’s voice calls, as well as take
advantage of a whole host of current and future business
applications that will surely enhance business. What small to
medium-sized business (SMB) could put up a strong argument against
that?
Before you embark on VoIP or IPT thinking that it’s
basically a licence to cut costs, however, the security of your
network has to be considered extremely carefully. Indeed, it may
well be that the modus operandi of some of the leading VoIP and IPT
systems runs totally counter to your security protocols.
These days IPT not only encompasses the world of fixed, wired
communications; it now covers wireless as well. Each domain has its
own security problems. With all IP networks, spam, viruses, denial
of service attacks, Trojans, etc. are a real threat to all businesses
and SMBs in particular. Research by Computer Weekly has shown that
only 18% of UK SMBs had not experienced an attack of some form.
With IPT, these threats are now extended to a company’s voice
service, opening up the prospect of compromise, even breakdowns, in
complete communications set-ups. For many companies, large and
small, a successful attack on an IPT service is a potential
business showstopper.
The current VoIP market leader, actually trailblazer, is Skype,
which has built its business on delivering free peer-to-peer IP
telephony software to more than 60 million registered users.
Subsequently, Skype has increased its portfolio with the low-cost
SkypeOut and SkypeIn services which allow users to make and receive
low-cost calls via landlines and mobiles respectively. SkypeOut
racked up its millionth user in March 2005.
Now, while you may argue that over 60 million users can’t be
wrong, and that your business can’t ignore free or low-cost phone
calls, there is one fundamental element to Skype at which many
security managers will balk: it is peer-to-peer. It is very
likely that your firm has a clearly defined policy that forbids the
use of any peer-to-peer software such as KaZaA (of which
Skype’s CEO was a co-founder). Here’s the rub: do you throw out
your established security policy to get low-cost calls?
The other issue is wireless security. Companies such as Sweden’s
OptiMobile produce software that enables automatic and seamless
handover of voice calls between WiFi and cellular telephony
networks. You basically connect over WiFi (VoIP) in environments
with WLAN coverage and, when this is not available, voice calls are
automatically switched to the cellular network without interrupting
the call, and vice versa. The business advantages of such
flexibility are huge, but what this means is that the mobile phone
could be another potential back door for an attacker to get to your
network.
So what’s the best form of protection in the VoIP space? It
could well be that the best bet is a managed or hosted service with
guaranteed security as part of the service. There are a number of
services already on offer, from companies such as Avaya, TeleWare
and MCI, where security is built into the solution infrastructure
as well as in the application layer. Avaya for one says the
advantage here is that you’d get high security with no voice
quality degradation.
One company using such a solution with few security worries
is leading law firm and SMB Seddons. It implemented a VoIP platform
from managed services provider hSo to fundamentally boost the
efficiency of its voice and data set-up.
According to head of IT Daniel Bentley, security was very much
on the agenda in the consideration of the installation but not the
key issue. He explains why: “We’re not a huge team; there are two
of us [in the IT department] and in all there are 125 people. I
don’t have the expertise to deal with [all of the issues] concerned
with VoIP. hSo provided a solution in a box; they manage it and they
look after it, and I’m happy with that. We were obviously worried
about security as a firm but [our] VoIP connection goes to hSo’s
POP. hSo deals with [everything connected to the VoIP service], so
it is heavily resilient and secure. Security was a general concern
but not exactly a showstopper; it was important but
at the end of the day we were looking at innovative ways of saving
the firm money and we looked at all the different avenues of [how
we] would still be resilient if we were hacked etc.”
The message is clear: there are indeed innovative ways for firms
to save money through VoIP and IPT. However, without clearly
thought-out and well-managed services, by whatever source, the cost
of lax security may dwarf any advantages from cheaper calls.