VoIP mistakes mirror early Wi-Fi deployments
Voice over IP, where voice calls are broken up into packets and passed around a corporate network together with the organisation's data traffic, can provide enormous benefits for companies -- such as cheaper international calls -- but they also increase the risk of a security breach.
Sven Radavics, sales director in Australia and New Zealand for WatchGuard, said that early users of VoIP technology are making similar mistakes to those companies that were quick to deploy wireless networks.
"People get excited about technology because they see the benefits. They rolled out [wireless] then sat back and realised that the network was now going out through the windows and roof without any checks and balances in place. That is what I am starting to see with VoIP -- people are busy deploying it but they haven't really run it by the security policy and haven't thought about the issues," said Radavics.
Neal Wise, partner of Sydney-based security consultancy Assurance.com.au, said that because VoIP needs to be "lightweight", it is not encrypted, which adds to the risks.
"People are looking at the benefits and not considering the risks of VoIP. Because VoIP tries to have a quality of service (QoS) like real telephony, there is pressure to keep it as lightweight as possible, which unfortunately threw out stream-based encryption as part of the scenario," said Wise.
Earlier this year, Nick Jones, a research vice-president for Gartner, warned that VoIP services required some ports on the corporate firewall to be left open, which could give hackers an opportunity to penetrate a network.
"There are lots of concerns about security on VoIP… Your security people may not realise they are opening their network. You can't use deep packet inspection. You just have to open up ports and hope everything is okay," said Jones.
However, such warnings seem to be falling on deaf ears.
Geoff Harders, group manager of IT operations at the Australian Trade Commission (Austrade), told ZDNet Australia that the organisation has been using VoIP for around two years and expects to eventually move all its users to the new technology.
According to Harders, Austrade already invests in the security of its data network and does not see any additional risks in deploying a VoIP service.
"Because we need to be mindful about security of our data, voice is just another form of data we have to carry. There is nothing special we need to do for voice other than what we are already doing in relation to data," said Harders.
Harders also dismissed any concerns about having to leave certain ports on the firewall open to allow for VoIP traffic: "In the majority of cases we don't see that as a particular risk and think we will be able to deal with that appropriately," he said.
This attitude is questioned by Ted Barlow, chief security officer at security firm McAfee, who argues that although it is possible to secure VoIP, any technology that uses networking protocols is vulnerable to an attack.
"Like wireless, you can deploy [VoIP] properly if you design the architecture in the right way, authenticate the users and put in certain levels of protection. You can do that with VoIP as well… Anything on the network is fair game," said Barlow.
Barlow said that whenever a new service is added, the risks increase: "Whether it is your mobile device or phone, if it is connected to the network you are open to attack. There is always a trade off between new features and functionality and security. It is the age-old trade off and you have to balance that," he said.
But Austrade's Harders said his main concern is "redundancy" and believes there are easier ways to exploit a network that through vulnerabilities exposed by VoIP.
"One of the main concerns is making sure you have built an appropriate amount of redundancy in your network… It is much easier for somebody to hang a couple of alligator clips to our main distribution frame and listen to what is going on compared to VoIP where everything is broken up into packets," said Harders.