End-user companies eager to move to voice over IP (VoIP) are right to be worried about security, but according to integrators who specialize in VoIP, the companies often defend against trivial threats while ignoring more serious ones, and pay scant attention to factors that can ruin a voice network faster than any bit of malware.
Firewalls and up-to-date antivirus profiles can counter the mundane risks, but VoIP adds new vulnerabilities to the data network, and can put several times more pressure on network bandwidth than network designers plan for -- setting the stage for disasters from bad performance and external threats.
In smaller organizations, for example, the one or two IT people working on a migration worry more about preventing jitter and dropped calls than they do about security, according to Bob Beler, president of Information Systems Group Inc. in Rolling Meadows, Ill.
Small- and medium-sized business (SMB) customers that do worry about security tend to focus on Skype and other consumer-oriented VoIP applications that can be banned from the network, according to Sadik Al-Abdulla, director of the security practice at networking and VoIP specialist Berbee in Madison, Wis.

In a survey released last month by the Computing Technology Industry Association (CompTIA), one third of end-user organizations polled said they would migrate to or add VoIP systems this year. But only half of all respondents think VoIP technology is safe enough to trust, compared to 82% for traditional phones and 74% for Ethernet.

Most of those risks can be countered with firewalls and up-to-date antivirus profiles, along with the kinds of network security built into enterprise-class VoIP systems, which match data-network security levels, Al-Abdulla said.
However, VoIP networks have more vulnerable points -- and some attacks that degrade performance even without actually cracking through access controls -- that are an even bigger threat to VoIP systems than to data networks, according to Adam Gray, chief technology officer at security and open-source integration provider Novacoast Inc. in Santa Barbara, Calif.
"Every system we've tried -- most of them running on Windows boxes with terminal services enabled -- we've been able to take down with DoS attacks," Gray said. "Running critical infrastructure on Windows is a mistake; it's just too hard to defend."
It's a myth that analog phone lines and PBX systems can't be tapped just as effectively as VoIP networks, however. "Five dollars of hardware is all it takes," Gray said. "They're still running on two-wire copper phone lines from a provider. Put on a recorder and you're done.
"For VoIP you have to have a sniffer and be able to rebuild that stream of traffic," Gray said. "You need access to the stream, but it's not really that difficult. It's really not."
Larger organizations usually have a more sophisticated approach to security, but tend not to connect the need for network security with the need to keep a VoIP network running at an acceptable level of performance, Beler said.
"Some companies don't have a tool to track jitter, or a MOS score, which is the true measure of latency in the real world," Beler said. "Some companies don't even know what a MOS score is."
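The kind of tool Beler describes does not have to be elaborate. The following is an added example, not code from the article, from Beler or from any vendor named in it: it computes interarrival jitter for an RTP stream exactly as RFC 3550 section 6.4.1 defines it, estimates packet loss from sequence-number gaps, and turns one-way delay and loss into a MOS estimate using the simplified E-model from ITU-T G.107. The RTP clock (8 kHz, 20 ms G.711 frames), the G.711 impairment constants (Ie = 0, Bpl = 4.3), the alert thresholds and the sample packet traces are all assumptions constructed for the example.

```python
"""Per-stream jitter (RFC 3550) and a simplified E-model MOS estimate.

Constructed example; not part of the article or any vendor's product.
Assumptions: RTP clock of 8 kHz (G.711, 20 ms frames), ITU-T G.107
simplified formulas with G.711 impairment values (Ie=0, Bpl=4.3).
"""
from dataclasses import dataclass


@dataclass
class Packet:
    arrival_ms: float   # wall-clock arrival time at the receiver
    rtp_ts: int         # RTP timestamp from the packet header
    seq: int            # RTP sequence number


def rtp_jitter_ms(packets, clock_hz=8000):
    """Interarrival jitter per RFC 3550 section 6.4.1, in milliseconds.

    D(i-1,i) = (R_i - R_{i-1}) - (S_i - S_{i-1});  J += (|D| - J) / 16
    """
    jitter = 0.0
    ts_per_ms = clock_hz / 1000.0
    for prev, cur in zip(packets, packets[1:]):
        arrival_delta = cur.arrival_ms - prev.arrival_ms
        sent_delta = (cur.rtp_ts - prev.rtp_ts) / ts_per_ms
        transit_delta = arrival_delta - sent_delta
        jitter += (abs(transit_delta) - jitter) / 16.0
    return jitter


def loss_percent(packets):
    """Packet loss inferred from sequence-number gaps, as a percentage."""
    seqs = sorted(p.seq for p in packets)
    expected = seqs[-1] - seqs[0] + 1
    return 100.0 * (expected - len(seqs)) / expected


def mos_estimate(delay_ms, loss_pct, ie=0.0, bpl=4.3):
    """MOS from the simplified E-model (ITU-T G.107), clipped to [1.0, 4.5].

    R = 93.2 - Id - Ie_eff; Id grows sharply past 177.3 ms of one-way delay,
    Ie_eff grows with loss according to the codec's packet-loss robustness Bpl.
    """
    delay_impairment = 0.024 * delay_ms
    if delay_ms > 177.3:
        delay_impairment += 0.11 * (delay_ms - 177.3)
    loss_impairment = ie + (95.0 - ie) * loss_pct / (loss_pct + bpl)
    r = 93.2 - delay_impairment - loss_impairment
    if r < 0:
        return 1.0
    if r > 100:
        return 4.5
    return 1 + 0.035 * r + 7e-6 * r * (r - 60) * (100 - r)


def assess_stream(packets, one_way_delay_ms, jitter_limit_ms=30.0, mos_floor=3.6):
    """Metrics for one stream plus a verdict a monitoring tool could alert on.

    The thresholds are assumed values for the example, not figures from the article.
    """
    jitter = rtp_jitter_ms(packets)
    loss = loss_percent(packets)
    mos = mos_estimate(one_way_delay_ms, loss)
    return {
        "jitter_ms": jitter,
        "loss_pct": loss,
        "mos": mos,
        "ok": jitter <= jitter_limit_ms and mos >= mos_floor,
    }


def build_trace(count, dropped=(), wobble_ms=0.0):
    """Constructed sample trace: 20 ms G.711 frames, optional drops and jitter."""
    trace = []
    for i in range(count):
        if i in dropped:
            continue
        # odd-numbered packets arrive late by wobble_ms to simulate queueing jitter
        arrival = 20.0 * i + (wobble_ms if i % 2 else 0.0)
        trace.append(Packet(arrival_ms=arrival, rtp_ts=160 * i, seq=i))
    return trace


# Constructed sample input: a clean stream and a congested one with a lost packet.
CLEAN_TRACE = build_trace(20)
DEGRADED_TRACE = build_trace(20, dropped={7}, wobble_ms=15.0)

if __name__ == "__main__":
    print("clean   ", assess_stream(CLEAN_TRACE, one_way_delay_ms=50))
    print("degraded", assess_stream(DEGRADED_TRACE, one_way_delay_ms=250))
```

Fed the two constructed traces, the clean stream reports zero jitter and a MOS near 4.4, while the degraded one (5% loss, 250 ms one-way delay, 15 ms arrival wobble) drops well below the 3.6 floor and is flagged. On a real network the packet list would come from a capture on a SPAN port or from the phones' own RTCP receiver reports, and one-way delay from RTCP or a timing probe.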
Different people, or even different groups, handle security for servers, applications, telecommunications and other IT assets, Beler said. The team responsible for a VoIP migration will usually focus on the number of PoE ports they need for each phase of the install and on managing the internal budget, rather than campaigning for a large-scale upgrade in network security.
"The security people still largely think about the threats from the outside world and what to do about perimeter protection," Beler said. "They don't have full visibility of what's running on their network, which changes -- sometimes quarter by quarter, year by year."
"Pest apps" like those eat up bandwidth and introduce vulnerabilities the IT department might not know about, and for which the VoIP migration team will not have planned.
"A VoIP call takes 35Kbit/sec. Most companies will plug in a switch, the right number of ports to operate, and say they're good to go," Beler said. "But what happens when you're on a good call and decide you need two other colleagues on that call, too? You conference them in, then each of those calls requires 35Kbit/sec, too."
An expanding mesh of conference calls and teleconferences can make many times the connections -- and require many times the bandwidth available -- on a network provisioned on the assumption that each internal VoIP phone would make one call at a time, often outside the network, he said.
Without a comprehensive ability to see and control how the network is used, that kind of bandwidth creep, combined with traffic from pest applications, can degrade a VoIP network into unusability, often with no obvious indications of what's wrong, Beler said.
Encrypting VoIP traffic, protecting servers, keeping logs, and putting in access controls can all help protect a VoIP network, but not against all intruders or bad planning, Gray said.
"Your best stance is defense in depth, with layers of security. Know when someone's accessed your system so you can respond," Gray said. "In your analog system there are no tools. You physically have to check all the wires in your system and that's pretty ugly."
"ROI, cost reduction, is the driving force behind VoIP decisions in most accounts," Beler said. "What people don't take into consideration is that you may have to go through a little pain first. I've seen that in companies that have migrated to IP, they plug in a switch, plug in a phone, and then Monday happens and somebody isn't able to finish their conversation. And everybody wonders what happened."