Voice over IP (VoIP) may be gaining ground in the consumer market, but companies are taking their VoIP deployment one step at a time, generally using the technology within the confines of the enterprise network.
Businesses are not too concerned about VoIP security either, according to industry experts. And as long as VoIP communications are within the bounds of the company network, security is a no-brainer, they say.
“[Over] the past two or three years a lot of [businesses] have applied VoIP to specific areas [of operation],” said Phil Edholm, chief technology officer, Nortel Networks, headquartered in Brampton, Ont.
He said companies used VoIP for trunks, where security was actually pretty easy (you can encrypt the trunk VoIP over the wide area network). “Then they began applying it to telecommuters and, of course, security was easy because they use IP-VPN technology for those users when they are outside of the office.”
While companies switching to VoIP raise certain issues – such as overall return on investment, server efficiency, network reliability and mobility – security is not a big concern right now, the Nortel executive said.
He said as the technology is used exclusively within the enterprise 99 per cent of the time, standard network security tools such as firewall, intrusion detection and encryption have been sufficient to protect VoIP communication.
Telecom service provider Primus Canada Inc. in Toronto, secures VoIP communications the same way it protects its Internet service. Primus offers VoIP services – dubbed TalkBroadband – to Canadian businesses and consumers.
“The security of VoIP has not been a big concern of our customers,” said Matt Stein, vice-president, new technologies and services at Primus. Stein said VoIP is subject to standard Internet-type threats. “We take action against those things as we always have, because we are also an ISP.”
According to Stein, encrypting VoIP communications would be the next level of security for VoIP. An industry standard called secure real-time protocol (RTP) would provide for the encryption of voice traffic over IP, he said.
And Nortel’s Edholm predicts that as businesses start to engage in full IP-to-IP communications externally, security will become a bigger concern.
To prepare for this eventuality, the security requirements committee of the VoIP Security Alliance (VoIPSA) consults with industry players – telcos, vendors and businesses – to determine and formulate recommendations to address the actual and eventual security issues around VoIP. VOIPSA is an alliance of security vendors, service providers and industry leaders dedicated to promoting IP security research, education and awareness.
“One reason for the formation of this group was to sit down and determine what the issues with VoIP [are], what the solutions would be and how we would implement them,” said Andrew Graydon, chair of VoIPSA’s security requirements committee.
According to Graydon, businesses tend to be very concerned about security when it comes to IP-to-IP communications outside of the enterprise. Eavesdropping, call intercept, denial-of-service, hijacking and spam over Internet telephony (SPIT) are the most common threats identified with full-blown VoIP implementations.
But the relevance of these threats to a VoIP-enabled enterprise depends largely on how the company uses the technology, said Graydon, who is also vice-president for technology of Mississauga, Ont.-based Borderware Technologies Inc.
“We found that there needs to be a lot of education on VoIP itself,” he said, adding that in implementing any VoIP security measure the “basics” need to be covered first such as determining a company’s specific requirements from a VoIP system and the objectives for adopting the technology.
Security experts believe SPIT is potentially one of the most imminent threats associated with VoIP, once the technology becomes a widely used form of voice communication. SPIT could be compared with telemarketers that hound traditional telephone subscribers. When a purely VoIP end-to-end communication transpires over the open Internet, IP addresses become publicly known and spammers could use these addresses to send out voice spam.
“Can you imagine how much easier it’s going to be – from the technology perspective – if they can upload an audio file to a server and have that server send it out to 30,000 [IP] phones in a second?” said Graydon.
“As soon as we hit [full VoIP] implementation in North America and Europe…the spammers can just change the script by two or three lines and we are going to get a deluge of voice spam, and it will be more annoying than e-mail because you have to listen to it.”
And this can be an enticing venture for attackers since the cost of making a VoIP call and sending out spam is essentially zero, according to Edholm.