VoIP: Paying the price for cheap calls

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

Topics

VoIP, Gartner

But despite these risks, Collins believes that looking at VoIP and IP telephony as a potential security risk is a misnomer. "VoIP is not a security risk in and of itself. If you're looking at it as a security issue, you've got it the wrong way round. It's no more of a risk than using video-over-IP or calendar management-over-IP," Collins says.

The security issues emanate from people not putting the right level of protection in place not any inherent flaws in the technology itself. "To me, people are the top un-hyped security threat, followed by denial as number two. Too many organisations do risk management by implementing something and finding out what the problems are when things go wrong, but that's more of a psychological issue than a technical one," he explains.

As a result, it is crucial that organisations evaluate the potential security risks before even thinking about implementing any new technology, VoIP included. Mike Gillespie, principal consultant at Advent Information Management, explains: "The secret is not retrofitting security, but designing it into systems from day one. For most people, it's generally about functionality first and security second, but that simply has to change."

A good starting point, says Gillespie, is to evaluate what the organisation intends to use VoIP for and to safeguard it in a way that is commensurate with the impact of any security incident on the business.

"There's no one-size-fits-all approach. It's about implementing controls that are appropriate to what you're using VoIP for and prioritising resources in line with that. So if you're only using it to call a colleague up the road for a chat, it's a very different situation to using it to call a business associate about a top secret takeover, and how you implement your security should reflect that," he says.

VoIP and IP telephony should not be treated any differently to any other part of the organisation's IT infrastructure. The technology should be included in the existing security policy which should specify processes and procedures that are acceptable user behaviour. The policy should also details what practices should be followed in the wake of an incident and the technology that needs to be in place to shield the infrastructure from attack.

The minimum security technology that should be in place includes voice firewalls and content filtering software such as antivirus and anti-spam programs that can undertake deep packet inspection. Encrypting voice traffic is another possibility, while undertaking regular patch management on voice servers is a must. Larger companies that prefer to retain their own VoIP infrastructure in-house rather than use third-party service providers will also need to consider the ramifications of the technology in terms of disaster recovery and business continuity planning.

While it is questionable at this point how many companies would consider removing their PSTN network completely to rely solely on VoIP anyway, should they do choose to do so, they do have choices. "You might need to have a power generator to provide an alternative source of supply in the event of failure, you could go for PSTN fail-over or provide staff with mobile phones so that they can make emergency calls. It's a contingency thing, but you don't have to go overboard. You just have to provide people with options," explains Datamonitor's Williams

In the end it seems that VoIP isn't any more inherently insecure than any other technology. The problem stems from the fact that the potential of VoIP as a revolutionary cost-saving technology has been overhyped — the attention given to security concerns could be seen as a natural realignment. "Some people are saying that, despite the telephony call savings, they won't move to VoIP due to security concerns. But how you secure VoIP should be the same as how you safeguard your data. It just means that rather than having two networks to manage you only have one so rather than making makes life more complex, it could actually become simpler."

Talkback

I was very interested to read Ian Williams’ take on the adoption of internet telephony, and support his view that one of the biggest inhibitors to the growth of VoIP is the question of availability. Telephony "dial-tone" requirements for VoIP will raise the bar for performance and increase the complexity of the network.

I think it can be agreed that network hiccups can be a frustrating phenomenon regardless of when and where they occur. Despite the problems they nurture, however, they seem to have become a widely embedded and accepted facet of organisational culture. Today, if the always-on network is disrupted, few people will even notice. Do you really care if your email took a few minutes to be delivered, or that your browser page did not load? Things inevitably get slow(er) at peak times, but in truth, these performance inconsistencies are considered minor annoyances. Conversely, I don’t think the same would be true if you went to pick up the phone and there was no dial tone. With VoIP, people will notice if a connection takes more than 500ms or if the VoIP phone cannot get an address on the network.

Consider this example; if you were relying solely on VoIP to place an emergency services call, a disrupted internet connection could be potentially disastrous. An extreme example perhaps, but the underlying premise is the same; having your avenues for communication severed, for any period of time, can be a costly and dangerous thing for business. That said, VoIP in itself is not an inherently risky technology. Essentially, it is more a case of network availability. If all of an organisations’ communication devices, such as voice, fax and email, are 100% reliant on a singular network, the availability of that network does become mission critical to the business.

Therefore, the bigger picture for rolling out VoIP is not whether or not companies can protect themselves from any specific security attack; rather, it is more a case of investing in the network infrastructure to ensure your data network is capable of handling the increased complexity.

via Facebook 16 August, 2005 12:59
Reply

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

Moley

@kevinmchapman. OK, I acknowledge that 'most' was a gratuitous throwaway comment as an afterthought and too presumptuous. As to proof, as you...

2 hours ago by Moley on A tale of two distros: Ubuntu and Linux Mint
Jack Schofield

@BrownieBoy > Works really well for thieves.... >> Nice attempt to deflect the argument by tossing in a point that's totally >> irrelevant, even...

3 hours ago by Jack Schofield on AMD Ultrathins to challenge Intel Ultrabooks
raskolnikof

fantastic that the so called piracy bills have been withdrawn. however, these anti-democracy supporters are still in the shadows so lets be alert...

4 hours ago by raskolnikof on SOPA, Protect IP support wavers in face of online protest
Tony Douglas

Please God no; teach them anything you like - thinking rationally, the uses and misuses of data, what data is and what it's not - but leave the...

6 hours ago by Tony Douglas via Facebook on Kids are the future. Teach ’em to code.
BrownieBoy

@Jack, > Works really well for thieves.... Nice attempt to deflect the argument by tossing in a point that's totally irrelevant, even it were...

21 hours ago by BrownieBoy on AMD Ultrathins to challenge Intel Ultrabooks
bootlegger

Make that 13 people now - I got refused today at Manchester airport. I thought I was up to date on this legislation - I knew of the EU ruling from...

24 hours ago by bootlegger on UK airport body scans will not be opt out
tinycg

Don't forget to check out apps like GoodReader or SlideShark either, they're indispensible for people on the go in presentation situations. Best...

1 day ago by tinycg on Four top iPad apps for people on the move
TerryRK

Well it seems there is something a number of us agree on. Why is the Ubuntu Unity launcher so ugly? I thought perhaps it was something to do with...

1 day ago by TerryRK on A tale of two distros: Ubuntu and Linux Mint
Freebies202

Duplicate comments are not made intentionally. Its very good to know that now you are keeping check on this problem because sometimes a commenter...

2 days ago by Freebies202 on Microsoft fixes blog comments, speeds up blogs with open source
kevinmchapman

"the very significant number of users" and "many (most) of us" - you have no evidence for these statements. It is a fact that most users are saying...

2 days ago by kevinmchapman on A tale of two distros: Ubuntu and Linux Mint
Marg Menzies Harrison

Another grammar faux pas is the improper use of "you". When sitting down down in a restaurant, for example, I get cringe when the waitress...

2 days ago by Marg Menzies Harrison via Facebook on 10 flagrant grammar mistakes that make you look stupid
zdnetukuser

And NOW, folks, for Canonical's next trick... Kubuntu is late. Here's a pencil. Draw your own conclusions. cf.:...

2 days ago by zdnetukuser on Linux Minterface
Moley

@kevinmchapman. The discussion here reflects the very significant number of users who really do like the traditional menu system and who wish to...

2 days ago by Moley on A tale of two distros: Ubuntu and Linux Mint
kevinmchapman

Er, no... It is an efficient means of finding the application/file/setting you need in one place. The icons are a simply a fallback for when you...

2 days ago by kevinmchapman on A tale of two distros: Ubuntu and Linux Mint
TerryRK

Isn't the provision of a text based search an admission by the developers that the mass of icons approach does not work? I don't need to use a...

2 days ago by TerryRK on A tale of two distros: Ubuntu and Linux Mint
kevinmchapman

"Unity and GNOME 3 both abandon the old text-based cascading menus in favour of a graphical icon-driven system." Point truly missed. Both use a...

2 days ago by kevinmchapman on A tale of two distros: Ubuntu and Linux Mint
TerryRK

whs001 - Thank you, I'm glad you liked the article. I absolutely agree with you on your first point. I should perhaps have made it clearer that...

2 days ago by TerryRK on A tale of two distros: Ubuntu and Linux Mint
Dennis Nilsson

If we allow corporate interest to dictate the way our government circumvents due process against foreign entities then we should accept the same...

2 days ago by Dennis Nilsson via Facebook on ACTA stumbles in Germany
GHar123

I totally dislike pirating of works, I fear that artists will be deterred from creating works if they think that they are going to get ripped off....

2 days ago by GHar123 on ACTA stumbles in Germany
JCB33

How dare film makers, artists or anybody that invests in creativity stop us pirating their works for free. I want to be able to walk into my local...

3 days ago by JCB33 on ACTA stumbles in Germany