Dial VoIP For Vulnerability

Page 2 of 2

Emergency services aside, Ashton says he believes VoIP is safe if installed with care. "There will be hacker attacks down the road, so it pays not to cut corners," he says. "If there is one thing I could get fired for, it would be if The Washington Post reported that our public safety system has problems."

VLANs, firewalls and gateways can keep intruders out of the VoIP system, but they don’t protect against internal hackers. To add another layer of security to a VoIP system, users should encrypt the "packets" just as they do with data networks. Encryption is important regardless of the protocol being used. (The two main protocols are Session Initiation Protocol, or SIP, and H.323.)

Many VoIP experts now believe that SIP is gaining momentum as the industry searches for common standards. In its basic form, however, SIP traffic is "clear text," which means that voice traffic is vulnerable to "packet sniffers" looking for caller IDs or passwords. According to Chris Rouland, CTO at security firm Internet Security Systems, it’s as easy to intercept unencrypted VoIP calls as it is to use an iPod. By downloading software off the Internet, hackers can intercept calls "with a simple click," he says. In order to protect caller IDs, phone addresses and account information, VoIP users need to encrypt SIP traffic.

Even so, VoIP observers say, encryption isn’t yet standard practice. "There’s a lot of unencrypted VoIP traffic out there," says Good Harbor’s Cressey. That’s largely because encryption can be cumbersome and expensive. At Kirkland & Ellis, Novak says he spent three months working out encryption-related problems that affected VoIP call quality. In addition to extensive testing and tuning, he is now using a suite of monitoring tools that sample the VoIP network every 30 seconds and alert him if quality has dropped off.
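The following is an added example, not part of the original article: a small audit check showing what a clear-text SIP message exposes and how an operator can tell encrypted signaling and media from unencrypted. The function name `audit_sip_message` and the sample INVITE are constructed for illustration; the checks rely on standard SIP/SDP conventions the article does not spell out (the transport token in the `Via` header, and `RTP/SAVP` as the SRTP media profile).

```python
import re

# Constructed sample INVITE as it appears on the wire without TLS.
# Every name, address and tag here is made up for illustration.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.org SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    'From: "Alice" <sip:alice@example.com>;tag=1928301774',
    "To: <sip:bob@example.org>",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 1 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "",
])

COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id"}  # SIP short header names

def audit_sip_message(raw: str) -> dict:
    """Report what a captured SIP message exposes (hypothetical helper)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers.setdefault(COMPACT.get(key, key), value.strip())
    via = re.match(r"SIP/2\.0/(\w+)", headers.get("via", ""))
    transport = via.group(1).upper() if via else "UNKNOWN"
    media = re.findall(r"^m=(\w+) \d+ (\S+)", body, re.MULTILINE)
    findings = []
    if transport != "TLS":
        findings.append(f"signaling over {transport}: headers readable in transit")
    for kind, profile in media:
        if "SAVP" not in profile:                # RTP/SAVP(F) means SRTP
            findings.append(f"{kind} media offered as {profile}, not SRTP")
    exposed = {}
    if transport != "TLS":                       # identity headers visible to a sniffer
        exposed = {h: headers[h] for h in ("from", "to", "call-id") if h in headers}
    return {"transport": transport, "media": media,
            "exposed": exposed, "findings": findings}
```

A `TLS` transport in `Via` only describes the hop that added it, so the same check belongs on each segment between phone, proxy and gateway.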

Calculate Your Risk

For O’Connor and Lynch at WPI, migrating to VoIP involves careful calculation of how much risk they are willing to take. For example, while they are comfortable with the idea of administrators, instructors and students using VoIP for basic phone service, they have decided not to include campus security phones on the network. "We are leaving all security phones and kiosks on the copper systems, which have a higher level of reliability," says O’Connor.

O’Connor and other early VoIP adopters say that, with the current state of VoIP technology, organizations need to decide early which security risks are not worth taking. These may include phones for security and emergency services. "Essential telephone services, unless carefully planned, deployed and maintained, will be at greater risk if based on VoIP," according to the NIST report.

At WPI, O’Connor and Lynch are experimenting with "soft phones" (ordinary PCs with headsets and special software configured to make VoIP calls) for students and faculty who are studying abroad and need to communicate with the school from areas such as Namibia and Thailand. Soft phones offer a way to keep in touch from remote places at lower costs. In a recent test of the soft phones, in which the students and faculty at a facility in Australia made calls over their laptops, O’Connor says he was pleasantly surprised by the quality of service.

Others, however, might not want to take that risk. The NIST report discourages the use of soft phone systems where security and privacy are a concern. "Worms, viruses and other malicious software are extraordinarily common on PCs connected to the Internet and very difficult to defend against," the report states.

The NIST report also warns that even if those deploying VoIP systems follow all of the recommendations by installing firewalls and intrusion detection systems and encrypting their voice traffic, they will still need locks and security guards to make sure attackers don’t get access to the servers.

Heller agrees. "It’s important with VoIP that you don’t forget about the actual physical security of your voice servers," he says. While his legacy PBX system was housed in two large cabinets, the VoIP system uses a total of 50 voice servers to achieve complete redundancy. They are located in locked facilities, and only a few select people have access.

"VoIP has a lot of advantages, but there is no question it puts your voice system at greater risk," says Heller. "You’ve got to watch out for new dangers."

Senior Writer Susannah Patton can be reached at spatton@cio.com.

Copyright © 2005 IDG Communications, Inc.
