The adoption of internet protocol (IP) based telephony
by organisations is a growing trend, thanks to the promise of free
phone calls through the convergence of voice and data networking
technology.
Indeed, according to
David Endler, director of security research at
networking supplier 3Com's TippingPoint division,
voice over IP (VoIP) technology "is about to
hit critical mass". Analyst firm Frost & Sullivan predicted
VoIP would make up 75% of all voice traffic by this year, and
market research firm InStat has forecast that the number of IP
phones sold will increase nearly five-fold, from 9.9 million in
2006 to 45.8 million by 2010.
Although organisations seem to be embracing the potential
savings and flexibility of VoIP, it appears they are not always
prepared for the challenges involved in deploying and managing the
technology. Research by Vanson Bourne on behalf of software and
services company Compuware, has found that 73% of European IT
executives are still worried about the quality and reliability of
the technology.
The research findings show the main worries about adopting VoIP
technology involve quality of service (QoS) and security 39% of
companies fail to profile the performance of telephony applications
over existing IP networks prior to implementation, and so are
unable to anticipate the effect its adoption will have.
Compuware's global director of performance solutions, Michael
Allen, says too many companies take the technology for granted, and
at the same time underestimating its strategic importance.
"VoIP is a well proven technology now. Most of the IT directors
we surveyed have plans to move over to it, if they have not done so
already - if only because it is all the networking suppliers sell
nowadays," he says.
"When moving to a new office, for example, it is more than
likely the organisation will want a modern telephony
infrastructure. But it can be easily forgotten just how much we
take telephone communication for granted having had traditional
telephone systems for so long. Voice is a high-profile application
and users just will not tolerate degradation and jitter on a
call."
Allen says the survey revealed that a major reason call quality
suffers is that 72% of IT departments only look at overall network
usage, rather than examining the individual behaviour and usage of
each application, including voice.
This could lead to poor call QoS, even if the organisation is
using class of service management tools on a
multi-protocol label switching (MPLS) network,
because IT departments will not have the necessary insight into
application performance.
For example, if there is a large lag on a VoIP call due to a
problem at one of the network nodes, it may go unnoticed even
though call quality is suffering because VoIP does not necessarily
generate a large volume of traffic.
This approach is also reflected in IT managers' reactions to
problems - 46% admitted to simply throwing more bandwidth at
network utilisation problems rather than probing to get to the
heart of the problem.
Alliance & Leicester, the UK's seventh biggest bank, handed
its voice and data communications to BT Global Services in December
2006, in a deal designed to transform and converge the company's
networking infrastructure.
The infrastructure refresh will begin a phased implementation
lasting three years and affecting its contact centre, branch, ATM
and corporate network, with the aim of driving savings and
efficiencies through the deployment of VoIP in future.
Chief technology officer at Alliance and Leicester, Darren
McKenzie, says networking technology is now mature enough for a
large enterprise like Alliance & Leicester to look at taking it
on. "We have been tracking it for some time, and when we were sure
it was advanced enough for our needs through the immense amount of
due diligence testing that we did in labs, we made absolutely sure
it would lower costs and add simplicity to our network needs," he
says.
"We have had to get guarantees to prioritise voice in our plans.
But we are not buying technology, we are fundamentally buying a
service."
Using the latest packet switching technology over an MPLS
virtual private network (VPN) has given McKenzie the assurance he
needs that the network linking Alliance & Leceister's 1,800
staff and 250 branches will transmit both quality data and voice
traffic more reliably than the legacy local and wide area
networks.
Gavin Megnauth, IT director at Shaw Trust, is just over a year
into a four-year contract with supplier Affiniti for a VPN covering
Shaw Trust's entire 1,300-strong user group and enabling free VoIP
calls, new rich-media services and more effective network
management tools. The charity, which represents people who are
disadvantaged in the labour market owing to disability, ill health
or other social circumstances, is hoping the VPN will deliver up to
30% cost savings by increasing bandwidth, performance and
reliability.
Megnauth says QoS issues are a key consideration for the
charity. "We were quite lucky in that our existing networks had
sufficient bandwidth to accommodate the extra needed for VoIP," he
says. But the charity did encounter some instances where devices,
like Skype phones installed independently by remote users, had
eaten up bandwidth and affected call quality for other users and
applications.
"If the call quality is poor it is really disappointing from a
user perspective, given they have to go through training on a new
phone system. And although we remedied any such problem quickly, it
has left a slightly bitter taste in the mouth and cost more in
start-up costs," Megnauth says.
But he acknowledges that the savings on call charges between the
organisation's 65 offices sites will see a return in the long
term.
"There are ready-reckoner tools available now that are better
than they were a few years ago that help you plug in how many calls
are made and how much bandwidth you would use to discern cost more
clearly," says Megnauth.
"But because of the potential security issues with unauthorised
devices and applications like Skype competing for bandwidth, we
decided to get a consultant in to do full penetration testing." But
for a charity, he says, security is not as great an issue as it
might be for a bank, for example.
According to Lawrence Orans, research director at analyst firm
Gartner, whether you decide to use the expertise of a managed
service provider to migrate voice onto your data networks or not,
most data infrastructures are perfectly capable of prioritising
voice over the network. The problems arise in the overlapping areas
of security and traffic monitoring and detection, he says.
"The voice team has typically not had to worry about security,
and security teams have not historically had to worry about voice,"
he says. "IP-PBXs (private branch networks) are usually not subject
to denial of service attacks because they are behind the firewall,
but when you send voice outside of those boundaries problems can
arise."
Orans says security will be higher on the VoIP agenda in 2007
because companies will begin to open up session initiation protocol
(Sip) gateways for application-layer control of voice traffic and
make them accessible on the internet.
This will contribute to the lower costs associated with VoIP,
but it will also expose organisations to a wide variety of threats
they are not necessarily aware of because many still do not see
VoIP handsets as computing devices in their own right.
And according to web security firm ScanSafe, "The result is that
both VoIP devices and servers will be subject to the same
vulnerabilities as any other computer, including denial of service
attacks, theft of service, fraud and phishing attacks."
Zulfikar Ramzan, senior principal researcher in the advanced
threat research group at Symantec, says phishers have now developed
more sophisticated attacks than the traditional e-mails directing
you to a website to enter personal details.
"For example, we have seen phishing attacks that use e-mail to
get you to call a specific phone number or even use the phone to
contact you in the first place," he says.
These so-called voice phishing or "vishing" attacks exploit VoIP
and so can be conducted cheaply enough for phishers to see a
sufficient return on their investment, says Ramzan. At the same
time, there have not been many reported cases of such attacks, so
it is not clear whether they will escalate.
IP service optimisation system supplier Allot Communications
advocates the use of deep packet inspection technology to add to
the QoS and security arsenal of an organisation deploying VoIP.
David Schwartzman, director for cellular solutions at Allot,
says throwing more bandwidth at VoIP services is often not solving
the true problem, which can only be uncovered by knowing what
packets are travelling across your network. "Just looking at port
numbers is no good. Deep packet inspection is the prerequisite of
any action taken on the network," he says.
Measures to safeguard against any kind of attack using VoIP
services should already lie within an existing data network's
firewall, intrusion detection system, anti-virus and authentication
infrastructure. But deep packet inspection tools can help identify
an attack and configure access protocols to protect the network, as
well as make sure critical voice traffic is given the priority
required.
"Deep packet inspection does not take care of the security
threats out there, but it can work with other third-party
management tools to be a critical element in better managing
traffic across your network that includes voice," says
Schwartzman.
VoIP case
studies
www.voip.org.uk
Comment on this article:
computer.weekly@rbi.co.uk