
VoIP: Security Fear Factor

The time is ripe for midmarket firms to jump on the Voice over IP bandwagon. But security remains a giant hurdle.

For years, midmarket CIOs have eyed with envy larger companies' embrace of Voice over Internet Protocol, or VoIP, technology. After all, VoIP can be a good way to cut costs and add flexibility to telephony.

VoIP bridges the gulf between landline and cell phones and lays the foundation for the nirvana of unified communications. Imagine the productivity boon when workers can route important calls to whatever devices they are using at the time while relegating others to voicemail. "I can be on a train from D.C. to New York, plug my cell into my laptop and it's like I'm sitting in my office," says Adam Hansen, director of security at Sonnenschein Nath & Rosenthal LLP, a Chicago-based law firm.

And then there's VoIP's dark side: tossing dial-tone reliability into the realm of security threats that come with networked PCs, servers and the Internet. The simple fact is that the proprietary nature of traditionally pricey private branch exchanges (PBXes), and the protocols they run, has made them hard to attack. But when voice runs over the same IP protocols as data, a little hacking knowledge in one realm goes a long way in the other.

Editor's Note

To view our complete multimedia package, visit our VoIP security and converged networks supercast.

Midmarket CIOs must weigh these security risks against VoIP's tremendous upside. Yet it's not a matter of choosing or not choosing to adopt the technology. There are ways to minimize risk, such as taking a PBX-VoIP hybrid approach. According to executives who have either made the VoIP move or are in the process, the most important thing is for CIOs to do their homework and set expectations. With VoIP, Hansen says, CIOs need to "find the proper way to deploy it."

They better find it quickly, too. Many midmarket companies are just now deploying VoIP. That's because this segment has lagged large enterprises and very small companies when it comes to VoIP adoption, says Zeus Kerravala, senior vice president of global enterprise research at Yankee Group Research Inc. in Boston. There are a few reasons. Large enterprises typically have capital expense budgets to finance technology updates -- that is, they're more able to spend money to save money.

Most big enterprises upgraded their PBXes, typically with IP-capable versions, during the Y2K scare. Since then, many have run VoIP pilots or even moved big chunks of their infrastructure to VoIP, says Stan Schatt, vice president, networking, at ABI Research in Oyster Bay, N.Y.

Meanwhile, startups may have launched with VoIP infrastructure. If not, they still won't have much legacy telephone gear that needs to be ripped and replaced. "For very small companies, VoIP is a no-brainer," Schatt says. "They have less existing infrastructure and most have such terrible calling plans that VoIP saves them money from day one."

A lack of resources coupled with existing infrastructure has kept many midmarket companies from adopting VoIP. But times are changing. Capital expense budgets previously bogged down by Y2K work are now being freed up to update antiquated communications gear. So it is midmarket companies that represent the next frontier for VoIP adoption.

The good news is that midmarket CIOs can learn from early adopters and address VoIP's frailties from the outset of a rollout. Chief among them: security. The bad news is that many companies fail to address VoIP security. A recent survey by the National Computing Centre in the U.K., entitled Benchmark of IT Strategy 2007, found that only 15% of the 190 organizations responding had implemented VoIP security. Meanwhile, 40% said they have addressed the security of their Wi-Fi networks. This is a rather large gap in what should be a holistic security approach.

Security exposed

VoIP security is paramount not only because of the risk to mission-critical telephony communications, but also for compliance reasons. "The two biggest concerns are reliability and eavesdropping," says Peter Thermos, CTO of Palindrome Technologies Inc., a security consultancy in Red Bank, N.J. "The latter is particularly an issue because of all the regulatory issues in the financial sector."

Security experts say H.323, one of VoIP's common signaling protocols, is a tempting target for flooding (inundating the signaling or media path with packets until the pipe or the call server is exhausted) and call hijacking (redirecting calls to an endpoint of the attacker's choosing). The attacker's motivation might be mischief or foul play, but that doesn't matter if you're trying to place or receive an important call. Nobody needs a denial-of-service attack degrading call quality or bringing down the system entirely.

VoIP devices are vulnerable to the same weaknesses as their underlying operating systems. As Windows or Linux goes, so goes VoIP. This means desktop and server operating systems need to be kept up to date, well patched and protected by the usual phalanx of antivirus, antispam and other security software.

Sometimes-connected devices, such as cell phones running Windows CE, Palm OS or Symbian OS, must also be kept up to date. These devices typically don't receive the antivirus protection and security updates that guard desktops. CIOs must ensure that all desktop and mobile devices run the latest updates of their respective operating systems. Again, the argument is for sound, consistent network hygiene across devices and operating systems.

VoIP Vendors and Integrators

With the emergence of VoIP in business scenarios, a bevy of startup pure-play security companies like Sipera Systems Inc. have cropped up as legacy vendors scurried to adapt. Ditto networking gear vendors.

"Traditional security companies are stepping in and picking up VoIP -- look at Enterasys and Tipping Point, and then there are the pure IP security providers," says Charlotte Dunlap, an analyst at Current Analysis Inc. in Sterling, Va.

Yankee Group's Kerravala recommends CIOs talk to Cisco Systems Inc., Juniper Networks Inc. and Check Point Software Technologies Ltd. about their traditional network security needs. "As you start doing more business-to-business VoIP, you can start checking out the specialty security providers," he says.

It may seem counterintuitive, but for many midmarket companies it may make sense to let the telcos do the heavy lifting in any migration. The Tile Shop Inc., for example, is relying on Qwest Communications International Inc. to move its 41 stores to VoIP. The work began after 14 months of negotiation, says Keith Cooney, IT manager at the Plymouth, Minn.-based retail chain. "We think we'll realize savings simply on the long distance charges," he says.

For those who don't like the idea of their carrier being their VoIP integrator, there is another route: Pundits think managed services providers will play a growing role in providing VoIP capabilities for midmarket customers.

Security experts expect phone phishing (so-called vishing) incidents to increase as more companies adopt VoIP. In these incidents, the attacker sends a spoofed email directing the recipient to call a number, which the attacker controls, to "reactivate" a bank or credit card account. Companies should periodically remind employees to ignore such requests and never act on unsolicited email that appears to come from a financial institution.

Several midmarket executives advised keeping the security bugaboo in perspective, stressing that traditional telephony had its own security issues. "Traditional voice was a lot easier to get to," said Bob Glaze, CTO for the city of Oakland, Calif. "Any technician could get into your basement with a headset and listen. That's harder to do with voice in data packets."

Glaze estimates his VoIP enablement project is about halfway done. When completed, VoIP will cover 115 locations ranging from small recreational centers to fire and police departments. The project, which started with pilots in 1998, has already saved money. "For what we were spending on Centrex" -- a PBX-like service hosted on the carrier's switch and rented to customers -- "we did a license with Enterasys and ShoreTel for six years of service including maintenance," Glaze reports. (ShoreTel Inc. provides VoIP-enabled PBXs, and Enterasys Networks Inc. provides a range of VoIP hardware and security products.)

He acknowledges that, on the security front, denial-of-service issues were a concern. One way to allay the fear is to segregate voice from other data traffic. "We subnetted it so voice is separated out from data traffic and has a QoS [quality of service]," he says. "Our pipe is split so voice gets the priority."
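The flooding and call-hijacking attacks the experts warn about above, together with the voice/data subnet split Glaze describes, as an added example in Python that is not from the article or from any vendor or organization named in it. The log format, the addresses (10.100.0.0/16 as the voice subnet, 10.200.0.0/16 as data), the extensions and the thresholds are all constructed for illustration; only the message names are real, taken from SIP (INVITE, REGISTER) and H.323 (H.225 Setup, RAS RRQ). The script flags a source that exceeds a call-setup rate inside a sliding window, a registration that arrives from outside the voice subnet, and an extension that is re-registered from a different address, which is the signature of a hijacked alias.

```python
"""Added example (not from the article): flood and call-hijack detection over
constructed VoIP signaling log lines.

Assumed log format, one event per line:
    <epoch_seconds> <proto> <msg> src=<ip> alias=<extension>
The message names are the real ones from SIP (INVITE, REGISTER) and
H.323 (H.225 Setup, RAS RRQ); everything else is invented for illustration.
"""
import ipaddress
from collections import defaultdict, deque

# Assumption: phones sit on a dedicated voice subnet, as in Glaze's split;
# 10.100.0.0/16 is voice and 10.200.0.0/16 is data. Both addresses are made up.
VOICE_SUBNET = ipaddress.ip_network("10.100.0.0/16")

CALL_SETUP = {"INVITE", "Setup"}      # messages that start a call
REGISTRATION = {"REGISTER", "RRQ"}    # messages that bind an alias/extension to an endpoint


def parse_line(line):
    """Turn one log line into a dict; key=value pairs follow the fixed columns."""
    ts, proto, msg, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": float(ts), "proto": proto, "msg": msg,
            "src": fields.get("src"), "alias": fields.get("alias")}


def detect(lines, window=10.0, flood_threshold=20):
    """Return a list of (kind, source_ip, detail) alerts, in log order.

    flood:              more than flood_threshold call-setup messages from one
                        source inside a sliding window of `window` seconds
    rogue-registration: a registration from outside the voice subnet
    rebind:             an alias already bound to one endpoint re-registered
                        from a different address (the call-hijack pattern)
    """
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of recent call-setup messages
    flooded = set()               # sources already reported, to avoid repeats
    bindings = {}                 # alias -> src that last registered it

    for line in lines:
        ev = parse_line(line)
        src = ev["src"]
        if ev["msg"] in CALL_SETUP:
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop events outside the window
                q.popleft()
            if len(q) > flood_threshold and src not in flooded:
                flooded.add(src)
                alerts.append(("flood", src,
                               f"{len(q)} {ev['msg']} messages within {window:.0f}s"))
        elif ev["msg"] in REGISTRATION:
            alias = ev["alias"]
            if ipaddress.ip_address(src) not in VOICE_SUBNET:
                alerts.append(("rogue-registration", src,
                               f"alias {alias} registered from outside {VOICE_SUBNET}"))
            prev = bindings.get(alias)
            if prev is not None and prev != src:
                alerts.append(("rebind", src, f"alias {alias} moved from {prev} to {src}"))
            bindings[alias] = src
    return alerts


# Constructed sample traffic (not a real capture), in time order.
SAMPLE_LINES = [
    "0.0 SIP REGISTER src=10.100.0.21 alias=4101",   # phone registers normally
    "1.0 H323 RRQ src=10.100.0.22 alias=4102",       # H.323 phone registers with gatekeeper
    "2.0 SIP INVITE src=10.100.0.21 alias=4102",     # ordinary call
    "3.0 H323 Setup src=10.100.0.22 alias=4101",     # ordinary call
    "5.0 SIP REGISTER src=10.100.0.21 alias=4101",   # same phone re-registers: benign
]
# A host on the data subnet fires 25 INVITEs in five seconds (flood).
SAMPLE_LINES += [f"{10.0 + i * 0.2:.1f} SIP INVITE src=10.200.0.50 alias=4101"
                 for i in range(25)]
# Then an attacker on the data subnet re-registers extension 4101 to itself (hijack).
SAMPLE_LINES.append("20.0 SIP REGISTER src=10.200.0.99 alias=4101")


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LINES):
        print(f"{kind:20} {src:15} {detail}")
```

The thresholds are deliberately crude; in practice the per-source rate is tuned to the call server's real capacity, and the subnet check is only meaningful if the VLAN split Glaze describes is actually enforced at the switch so that data-side hosts cannot reach the voice segment at all.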

Implementers also need to be wary of promised "silver bullet," all-in-one security solutions. Before even bringing in a consultant, a CIO should examine the network as it exists and at least generally assess future needs, Thermos says. "If you can come up with five to 10 security requirements, you can go out to vendors and mandate that they have these controls in place if they want to deploy in your environment." (See sidebar.)

A hybrid solution

With 700 lawyers in 10 U.S. offices and an office in Brussels, Belgium, Sonnenschein Nath & Rosenthal must provide secure access to documents and data. Hansen and staff looked at some pure-play security point solutions and other options, only to stay with incumbent security supplier IBM Internet Security Systems. (IBM bought ISS, an Atlanta-based provider of network protection, intrusion detection and monitoring tools and service, for $1.3 billion last year.)

Sonnenschein Nath & Rosenthal now uses ISS's preemptive protection platform to secure some 3,000 devices on its network. "If you buy a bunch of point solutions, costs go up," Hansen says. "We have to find the proper way to deploy it, so we pushed [security] closer to the actual wire than at the operating system layer."

So Hansen set up isolated virtual LANs within each geographic location, with voice and data sharing the same switches but running on separate VLANs, and guaranteed QoS down to the port level. The sites communicate with each other over IP with the same QoS guarantees, but on those links the traffic travels router to router, with voice and data sharing the same connection.

"We have a framework of security that we implement, and if possible we avoid point solutions," Hansen says. "If I can come back to ISS, who I've had forever, and say, 'Here's what we're doing and what we need.' Sometimes we have to wait, but we end up getting what we want." The law firm also uses a lot of gear from Avaya Inc.

Sonnenschein Nath & Rosenthal also limits exposure by taking a hybrid approach to VoIP and traditional PBXes. Indeed, many midmarket companies use VoIP internally but still connect to the outside universe through standard PBXes.

The Gay Men's Health Crisis (GMHC), a New York-based advocacy group, took this route recently. The organization has deployed a hybrid VoIP solution for about 200 full-time employees and some 250 PC seats for part-time or volunteer workers. For special events like AIDS Walk New York, when considerably more volunteers get involved, GMHC must scale up quickly. "I had to consider burst capability," says Dave Tainer, director of information systems at GMHC, which relies on gear from Cisco Systems Inc. and is using a $1.1 million grant from the city to completely modernize its infrastructure.

"There are two ways to do VoIP; you either connect to a SIP trunk or connect to a standard T1/PRI," Tainer says. "We decided to do T1 PRI. So we have VoIP internally but to the external world we present as a PBX." (PRI refers to Primary Rate Interface, a commonly used Integrated Services Digital Network technology.) He acknowledges that the pure VoIP road would have led to more cost savings on monthly charges, but "security is still kind of iffy in that area."

Yankee Group numbers indicate that this hybrid model is popular among companies that have deployed IP-based communications gear or plan to do so within two years. A recent survey showed that fully half of the 302 respondents, which ranged in size from midsized to large enterprises, have already deployed some IP gear, or use hybrid or IP-enabled PBX gear. Of these, 30% said they run pure IP-based PBX equipment. The remainder run either managed IP PBXes or hosted IP PBX or IP Centrex implementations. Among the total organizations surveyed, 86% said they have already deployed IP-based communications solutions. The rest say they plan to do so in that two-year window.

"So far, [VoIP is] definitely an inside-the-firewall protected asset," agrees Scott Jenkins, CEO of The EBS Group, a Lenexa, Kan.-based systems integrator that helps midmarket companies with their database and collaboration systems. "We had a California branch and those people, in order to be on our VoIP, had to VPN in. Or we sent them a VoIP phone, but they had to go through a secure VPN tunnel into our network." The bulk of his customers have similar setups.

The truth about VoIP

While cost savings appears to be the biggest carrot for VoIP adoption, other implementers say not to believe all you hear about rock-bottom prices. "This is not purely a money play," Hansen says. "Everyone talks about how much you'll save, but the telco vendors know the game better and are very savvy. Maintenance costs don't necessarily go down. Line fees don't necessarily go down. The handoff [of voice traffic] to the Internet may save some money, but not as much as you'd think."

The real benefit of VoIP, in his view, is the variety of extremely useful capabilities not available with hard-wired PBX systems. In particular, Hansen is a big fan of soft phone capabilities that let him use his laptop and cell phone to work with all the comforts of headquarters, no matter his actual location.

VoIP can also ease disaster recovery scenarios. "With a traditional PBX frame, a disaster means you're done until you can reroute and bring a new frame in," Hansen says. "You are tied to proprietary vendors. With the IP handoff, you can redirect things from here to there a lot faster and easier."

While cost savings might not be all they're cracked up to be, the same goes for VoIP security. Yankee Group's Kerravala says CIOs must remain rational, as opposed to hysterical, about security issues. "Much of VoIP in the enterprise is still in testing phases, and I'm not sure security issues come to the fore," he says. "In production environments, security has a role, but most VoIP is used for calls within their walls so you don't have to worry too much about long-distance spoofing. What they do have to worry about is availability of the system, and that's where you see activity around security."

He counsels clients of all sizes to focus on security basics across the network. "If you have good fundamental network security, you'll be fine."

Barbara Darrow is a Boston-area journalist. Write to her at
