Securing the voice network

Voice over IP (VoIP) and IP telephony (IPT) are the hot tickets in the current IT industry.


In the space of two weeks in late May and June 2005, two major European trade shows — VON 2005 and VoIP for Business — have each exhibited a welter of products and services that seem wonderfully compelling.
The basic pitch is that if your company converges its voice and data requirements onto one (IP-based) network, you will dramatically cut the cost of your firm’s voice calls, as well as take advantage of a whole host of current and future business applications that will surely enhance business. Who could put up a strong argument against that?
Before you embark on VoIP or IPT thinking that it’s basically a licence to cut costs, however, the security of your network has to be considered extremely carefully. Indeed, it may well be that the modus operandi of some of the leading VoIP and IPT systems is totally counterintuitive to your security protocols.

These days IPT not only encompasses the world of fixed, wired communications, it now covers wireless as well. Each domain has its own security problems. As with all IP networks, spam, viruses, denial of service attacks, Trojans etc. are a real threat to all businesses, and SMEs in particular.

Research by Computer Weekly late in 2004 showed that only 20% of UK SMEs had not experienced an attack of some form. With IPT, these threats are now extended to a company’s voice service, opening up the prospect of compromise, even breakdowns, in complete communications set-ups. For many companies, large and small, a successful attack on an IPT service is a potential business show stopper.

The current VoIP market leader, indeed trailblazer, is Skype, which has built its business on delivering free peer-to-peer IP telephony software that in less than two years has been downloaded by more than 42 million registered users. Subsequently, Skype has increased its portfolio with the low-cost SkypeOut and SkypeIn services, which allow users to make and receive low-cost calls via landlines and mobiles respectively. SkypeOut racked up its millionth user in March this year.

Now while you may argue that 42 million users can’t be wrong, and that your business can’t ignore free or low-cost phone calls, there is one fundamental element of Skype at which many security managers will balk: it is peer-to-peer. It is very likely that your firm has a clearly defined policy that forbids the usage of any peer-to-peer software such as KaZaA (of which Skype’s CEO was a co-founder). Here’s the rub: do you throw out your established security policy to get low-cost calls?

The other issue is wireless security. Companies such as Sweden’s OptiMobile produce software that enables automatic and seamless handover of voice calls between WiFi and cellular telephony networks. You basically connect over WiFi (VoIP) in environments with WLAN coverage, and when this is not available, voice calls are automatically switched to the cellular network without interrupting the call, and vice versa. The business advantages of such flexibility are huge, but what this means is that the mobile phone could be another potential back door for attackers to get into your network.

So what’s the best form of protection in the VoIP space? It could well be that the best bet is a managed or hosted service with guaranteed security as part of the service. There are a number of services already on offer—from companies such as Avaya, TeleWare and MCI, where security is built into the solution infrastructure as well as in the application layer. Avaya for one says the advantage here is that you’d get high security with no voice quality degradations.

One company using such a solution with few security worries is leading law firm Seddons. It implemented a VoIP platform from managed services provider hSo to fundamentally boost the efficiency of its voice and data set-up, and has so far gained savings of up to 24% of its normal communications costs in the three months ending 31 May 2005.

According to head of IT Daniel Bentley, security was very much on the agenda in the consideration of the installation but not the key issue. He explains why: “We’re not a huge team; there are two of us [in the IT department] and in all there are 125 people. I don’t have the expertise to deal with [all of the issues] concerned with VoIP. hSo provided a solution in a box; they manage it and they look after it, and I’m happy with that. We were obviously worried about security as a firm but [our] VoIP connection goes to hSo’s POP. hSo deals with [everything connected to the VoIP service], so it is heavily resilient and secure. Security was a general concern but not exactly a showstopper; it was important but at the end of the day we were looking at innovative ways of saving the firm money and we looked at all the different avenues of [how we] would still be resilient if we were hacked etc.”

The message is clear: there are indeed innovative ways for firms to save money through VoIP and IPT. However, without clearly thought-out and well managed services—by whatever source—the cost of lax security may dwarf any advantages from cheaper calls. 




