VoIP, common sense and security

I recently hosted a voice-over-IP seminar in New York. On the taxi ride from LaGuardia to midtown, my driver mentioned that he was a student taking network classes. When I told him I was going to be speaking on VoIP, he immediately asked, “But is it secure?”

My answer was no, but it’s a helluva lot more secure than the cell phone you were just talking on.

I’ll admit it: Security is a tough issue. It’s a lot safer and more convenient not to do something than to move forward if there is a security issue that can come back to haunt you. Consequently, security has recently become one of the major reasons given for delaying the implementation of VoIP.

The ultimate decision point for all security issues should be how difficult it is to gain access to confidential information, not whether it is theoretically possible to intercept the information. All information can be compromised. Our job is to make sure that the effort required to gain access to the information is several orders of magnitude greater than the intrinsic value of the information. So what are the major security concerns about VoIP and how real are they?

No. 1 on the list is usually the fact that Ethernet is a shared-medium technology. Ethernet switching has negated this concern. Essentially all Ethernet connections are switched, which means that you have a dedicated path to your desktop.

What about sending information over the Internet? I have yet to hear of a documented case of information being pirated while in transit over the Internet. It’s not worth the trouble. Further, most VoIP implementations today are over corporate intranets.

What about sniffing VoIP packets? Possible, but unlikely. One could quite reasonably argue that VoIP is more secure than traditional voice because the transmission protocol is significantly more difficult to decode than traditional digital voice.

Denial-of-service (DoS) attacks? A DoS attack could cripple your VoIP implementation. But keep two facts in mind. DoS attacks occur primarily on the Internet, and, again, corporate VoIP tends to be on an intranet. And you already should be taking appropriate measures to safeguard your servers from DoS attacks for data applications. These same measures work for VoIP.

Voice is intrinsically unsecure, whether it’s VoIP or traditional voice. The greatest risk for voice security is somebody hearing your conversation over the cubicle wall. And tapping into traditional PBXs doesn’t take rocket science.

Ultimately, your organization must decide whether VoIP is sufficiently secure for you to move ahead. But as you make that decision, be sure that it’s a reasonable, fact-based assessment and not an attempt to hide from reality.

Taylor is president of Distributed Networking Associates Inc. and editor/publisher of Webtorials.com. He can be reached at taylor@webtorials.com.