Phone service is abruptly cut off at a Wall Street brokerage after a hacker launches a full-scale denial-of-service attack, flooding the firm’s voice servers with registration requests. An Internet worm makes its way from a retail giant’s data network to its voice network, shutting down call centers and costing millions in lost revenue. An imposter enters the phone network of a top government agency and makes away with classified information by spoofing his caller ID.

Sound far-fetched? According to security experts, such scenarios are not only plausible, they may be inevitable as companies and government agencies around the world scrap

their traditional circuit-switched phone systems and move to voice over IP (VoIP). By sending voice calls over the Internet, companies are saving millions of dollars and gaining flexibility to provide multimedia services at the desktop. But they are also exposing their voice systems to all of the hazards that now plague data networks, including worms, viruses, denial-of-service attacks, spam over Internet telephony (SPIT), eavesdropping and fraud. And they are increasing their vulnerability to attacks against the rest of the network by creating new openings into critical infrastructure, networks and systems.

CIOs ready to take the plunge with VoIP need to understand that data firewalls alone won’t protect them. They need only look to the past to remember the state of the Internet 10 years ago, when security was usually an afterthought. That was before the Nimda and Sasser worms and countless other threats came to haunt them. To head off attacks on their voice networks, IT executives need to devise a plan that includes voice encryption, authentication, VoIP-specific firewalls, and the separation of voice and data traffic. They also need to ensure redundancy in case of power loss (most traditional phone networks already require backup, but the systems will need to be expanded with VoIP). And they will have to physically secure voice servers and other equipment from intruders.

Traditional private branch exchange (PBX) phone systems have their own vulnerabilities, and in the past hackers have broken into large phone and voice mail networks. But VoIP expands vulnerability, offering more opportunities for hackers to gain access. In a recent 93-page report on VoIP security, the National Institute of Standards and Technology notes that in most offices there are many more points to connect to a LAN than there are points to connect to a PBX box. "Based on the history of attacks on various Internet services and things we’ve seen, it’s inevitable that there will be attacks on VoIP networks," says Rick Kuhn, a computer scientist at NIST and coauthor of the report. "Eventually, someone will find a way to take advantage of it."