For those who embrace it, VoIP offers its users local and long-distance phone service at a fraction of the cost of analogue voice communications. VoIP also promises to deliver a whole world of new features to the workplace that tie together voice and data. Forget about caller ID - imagine a phone that ties the incoming caller ID directly to your customer database, automatically pulling up customer accounts on your support representative's desktop.
But chief information officers and chief security officers tread carefully when considering alternatives to the existing phone infrastructure. While getting an e-mail bounced back to them might make customers wonder if you are having server troubles, getting a phone call to your headquarters dropped might make them wonder whether you have gone out of business.
According to Matthew Kovar, director of security solutions and services at the Yankee Group, the first thing CSOs should understand about VoIP security is that they already know a lot about it.
"Voice is just a different application that's going to run over IP infrastructure, so all the vulnerabilities that exist in your other IP applications also exist in this application," said Kovar.
Among the key exposures of VoIP systems, he added, are traditional hacks such as snooping (intercepting and decoding VoIP traffic) and packet spoofing (impersonating a party in a VoIP exchange to collect data).
The challenges of VoIP have made virtual private network (VPN) technology the choice for most CSOs.
Using a VPN, companies can encrypt wide-area VoIP traffic from remote offices and send it over VPN tunnels, keeping that voice content secure. Using a VPN also eliminates the need to open ports on the corporate firewall to allow VoIP traffic through.
The landscape is changing, with hardware manufacturers such as Cisco Systems and Check Point Software Technologies adding SIP and H.323 support to their existing firewall products. Smaller players such as the Swedish company Ingate are marketing firewalls designed specifically for VoIP traffic.
In the end, CIOs and CSOs will have to become convinced that reliable answers exist for the security questions posed by VoIP before the technology will take off.
"It's a question of whether customers feel comfortable with IP issues that may interrupt phone networks, and right now they just don't have enough experience with the technology," said Kovar.
This was first published in December 2002