A survey released today by the Computing Technology Industry Association (CompTIA) has good news and bad news for channel companies hoping to sell voice over IP (VoIP) products into the small- and mid-sized business (SMB) market this year.
The good news is that one third of the 350 SMB organizations polled will upgrade their phone systems this year. The bad news is that only 50% think VoIP technology is safe enough to trust. That's still larger than the percentage planning to upgrade.
But confidence in VoIP pales in comparison to the approval numbers of other networking options: 82% are confident with traditional phone systems; 74% are confident in Ethernet data networks; even wireless networks have the trust of 60% of respondents.
That just makes it even more important that value-added resellers (VARs) make security a top priority in their pitches to SMBs, according to a statement from CompTIA president and CEO John Venator. In this case "SMB" means companies with 500 employees or fewer.
Some of the concern about VoIP comes from generalized concern about threats to IP networks as a whole, Venator's statement said. End users can absorb a short delay in the delivery of email far more easily than a delay in the delivery of voice, so every glitch seems larger than it would with data.
"They are right to be worried, but part of it is because VoIP is the unknown for a lot of them," according to Zeus Kerravala, analyst for the Yankee Group in Boston. "VoIP security encompasses everything from desktop security to network security to the infrastructure to the VoIP server itself. There are a lot more piece parts to worry about than before."
Fear of the unknown is perfectly reasonable, especially when concerns about security for the whole network are growing as quickly as they have been over the last couple of years, according to Sadik Al-Abdulla, director of the security practice at networking and VoIP specialist Berbee in Madison, Wis. "And when you layer voice -- additional assets and value -- onto that network, then it gets even more sensitive," he said.
But many of the IT and business managers involved in VoIP projects are worried about the wrong technology, Al-Abdulla said. "The bulk of many customers' experience isn't with enterprise VoIP," he said of his briefings with customers and prospects. "It's with things like Skype, so their perception is more reflective of the consumer market than the business market."
VoIP servers located behind a firewall, managed locally and talking primarily to devices that are also screened for viruses, hackers and other threats, are just as safe as any other part of the network, Kerravala said.
Customer networks -- especially in SMBs that might not have the resources to upgrade regularly -- aren't always as safe as their managers would like, Al-Abdulla said. But installing VoIP often gives them the chance to redesign the whole network from the ground up and eliminate bottlenecks, antiquated equipment and other headaches they've been itching to ditch.
And the admirable return-on-investment from VoIP often pays for those changes as quickly as it does the VoIP gear itself, Al-Abdulla said. There are some things to keep an eye on and to reassure customers about, however, according to Kerravala, who wrote a guide to the realities of VoIP security for SearchSecurityChannel.com sister site SearchVoIP.com.
- Any endpoint on the network is susceptible to hacks, but unless the VoIP system reaches outside the firewall regularly, there's probably no need for special products like VoIP-aware firewalls.
- The operating system doesn't matter that much. IP PBXs and related servers are built on industry-standard platforms that have a host of protections and vulnerabilities. If it runs on a standards-based product, proper security measures are a must.
- VoIP protocols -- SIP, H.323, MGCP and Megaco -- are susceptible to spoofing, impersonation and eavesdropping as well as buffer overflows, if they're badly configured. In protocols, details matter.
- Toll fraud, spoofing and other hacks are concerns, but more common dangers like viruses are a bigger deal; before you worry about eavesdropping, worry about whether your antivirus is up to date.
- Divide and conquer -- subnet VoIP traffic on virtual LANs so it doesn't collide with data packets and is separated from data-net hacking attempts. VLANs don't work with softphones and VLAN tags don't work with Windows. Implement quality-of-service on the network to prioritize voice traffic and avoid delays caused by collisions or congestion.
The bottom line: tell your customers VoIP is as safe as you make it -- just like any other IP network. Many of them don't have a security professional on staff, so they rely on their service provider for both reassurance and expertise, Al-Abdulla said.
"Spam and eavesdropping, which is what a lot of them are worried about, is mostly based on consumer voice," Kerravala said. "That has nothing to do with what goes on behind the firewall, where the main concern is managing performance."