Voice over Internet Protocol (VoIP) is currently all the rage in IT circles, with many vendors falling over themselves to provide this new alternative to traditional phone calls. However, questions surrounding the security of VoIP, and what customers can and should do about it, have risen along with talk of its promise.
They were a hot topic at last month’s VON (Voice on the Net) Mexico show in Mexico City. VON Canada will take place in Toronto April 3-5.
The first thing to realize is that VoIP is a protocol, not a technology. You can use it on a private network, or a public network, or both. The second thing to realize is that because it sends information in data packets, and because it can access a network from any number of points, it represents security challenges far above and beyond that of a traditional phone call.
Normally, in the old world of telephony, voice would never get near enterprise systems. A call would go to the time division multiplexer (TDM), then the private branch exchange (PBX), then over copper wire and out through the provider. Telcos were secure, with extensive regulations on who could touch the switch, and how.
Things are different with VoIP. Aside from signaling its IP address when using the protocol, a company has to send a physical voice/data packet. Ports in the network have to open to allow those media packets through. That creates a gaping hole in a network. If people are smart enough, and interested enough, they can get into the core.
And voice, unlike email, is a real-time application. If the packet doesn’t [arrive] there will be jitter. With VoIP, an enterprise cannot allow for latency in the network that a typical data firewall might provide.
Victor Bozzo, vice-president Americas sales for NexTone, speaking at the show, said that “one approach is to open only designated pin-holes in the network specific to that call-back, and when the call-back is done the pin-hole is closed.”
The bigger picture, however, is that there is the possibility of specific VoIP attacks that are more sophisticated than a traditional hacker attack on a firewall.
And, according to Andrew Graydon, chief technology officer for BorderWare in Mississauga, Ont., one of the reasons why we are not seeing attacks is because the numbers, at present, don’t warrant it.
“There are 3.2 billion e-mail boxes in the world, and only 3.5 to 4 million SIP phones. Also, an application like Skype is peer-to-peer, which limits exposure.” A peer-to-peer network provides significant security, but obviously reduces the accessibility offered by a traditional call. At present securing multiple points in a VoIP environment is a challenge, and enterprises are right to be concerned.
Aisha Umar, director of unified communications for Microsoft in Canada and Latin America, clearly thinks that a vendor-based approach provides the most consistency and security.
Speaking at VON Mexico, and specifically addressing VoIP-enabled messenger applications, Umar commented that shutting down consumer applications can actually lead to a riskier, uncontrolled environment. “Consumer-based messenger applications, despite not being licensed for enterprises, are also not designed for it and could be dangerous.”
BorderWare’s Graydon sees a future with multiple secure extranets, stating that “You will begin to have peering relationships not only internally to your network but also externally to your network as well. And this is already happening in the carrier space.”
Private Ethernet networks also have security issues. The way around them may not be to focus on the transport layer. The encryption wars will continue, but there is something to be said for focusing on the usage mode.
Christian Szpilfogel, director of strategic business at Mitel, agrees that VoIP is much more than a phone call. Also interviewed while at VON Mexico, Szpilfogel commented that “Customers need two levels of security: one inside the firewall, and then another layer of security for customer access. It is really a question of how safe a customer wants to be.”