VoIP faces same security risks as overall network

Industry players have quelled security fears, urging companies to protect IP telephony traffic the same way they would secure their IT infrastructure.

SINGAPORE—Security concerns about voice over IP (VoIP) have made headlines in recent weeks, but industry experts have played down the fears. They note that how a company protects its IP telephony traffic is the same as how it secures its corporate network.

Tim Crowley, research manager for IP services at IDC Asia-Pacific, noted that misconception about security could retard the adoption of VoIP, despite the fact that attacks on VoIP are still uncommon today.

Gartner has also rebuffed the security hype, dismissing it as scare tactics by security vendors to fuel fears and sell more products.

CIOs who have security concerns and have refrained from running their voice calls entirely over IP networks, can take steps to better secure their network.

According to Christian Hentschel, Asia-Pacific director of operations, advanced technologies sales, Cisco Systems, companies should approach security for VoIP applications in the same way as they do for their corporate network.

On an IP infrastructure, voice is treated like any other data packet that runs across the network, he said. "There's no difference (on the IP network) whether you protect voice or data," he said.

Hentschel noted that voice traffic is exposed to the same threats, such as viruses and worms, as data networks, and it can be protected using the same tools, such as firewall and anti-virus detection.

"I understand there are concerns, but our view is IP telephony is still more secure than traditional phone systems, because of its design and integration with the overall network," he explained.

According to Andrew Coward, CTO of Juniper Networks, enterprises should not have to manage security for IP telephony separately from their overall network security.

"People expect to be able to protect everything, not just VoIP, and they don't want to have to implement separate components," Coward said, in a phone interview with ZDNet Asia.

The lure of VoIP
Security concerns or not, the deployment of IP telephony among enterprises has continued to grow.

According to IDC figures, VoIP revenues for the Asia-Pacific region (excluding Japan) totaled US$3.6 billion last year. The market is projected to grow at a compound annual growth rate of 15 percent, topping US$7.4 billion in 2009, Crowley said. The research firm does not track this market by the number of VoIP lines deployed.

Businesses are still drawn to the cost savings that VoIP offers, particularly international telephony services, Crowley said. Compared to two separate infrastructures, one network for both voice and data traffic require fewer resources to support, he said.

A Singapore-based Cisco customer, for example, expects to reduce its overall communications costs by about 30 percent over the next six years. The country's National Trade Union Congress has also doubled its number of calls to about 50,000 a month since installing close to 400 Cisco IP phones earlier this year.

"And as the VoIP equipment market moves to standards-based development, the number of new functionalities in networks is set to increase," Crowley said. "More applications will be within the reach of the enterprise."

He added that there is increased demand for advanced IP telephony applications that will boost business productivity, including unified communications and enterprise-class applications, such as CRM (customer relationship management) and ERP (enterprise resource planning).

"Enterprises are starting to look at these new applications as another reason, beyond cost savings, to think about deploying a VoIP solution."

According to Hentschel, Cisco shipped 1.8 million IP hardware and software-based phones last year, a 70 percent increase over 2003. The growth rate, he noted, is significant.

"It took three years to ship our first million units," he said. "It took just another year for that figure to reach 3 million, another eight months to reach 4 million and then six months to hit 5 million." Today, Cisco moves an estimated 10,000 units a day. In the Asia-Pacific region, the company has shipped close to 400,000 IP phones in the last two years alone.

Any company that purchased a telephone system in the last six to 12 months would probably not have bought one that does not have IP telephony capabilities, said Juniper's Coward.

"Whether or not they are using those functionalities isn't the question, they just expect them to be available…and no PBX vendor would sell a system today that wasn't capable of supporting VoIP," he said.

A PBX, or private branch exchange, is a traditional telephone switching system that connects telephone extensions within an internal network as well as to external telephone networks. Contemporary PBX systems use digital modes for routing calls, and may include support for both traditional analog phone lines and Internet ports (IP phone lines).

While the majority of IP calls today are carried and supported by a company's IP networks within its local and global offices, Coward predicts that carriers will soon begin to sell IP telephony capabilities directly to enterprises.

"So the enterprise will be able to place a VoIP call to its customers through the carrier, instead of using a traditional leased line that comes through the PBX," he explained. "Businesses can achieve much cost savings because they buy only one IP port that covers both phone and data communications. The only analog circuit left (within the network) serves as a backup."

"One of the things that have delayed the delivery of such (carrier) services is the difficulty in ensuring QoS," Coward said. "But that's been changing over the last 18 to 24 months."

One component that has helped improve IP-based call quality is multi-protocol label switching (MPLS). Established by the Internet Engineering Task Force (IETF), the standard allows packets in an IP network to contain routing information. This would allow specific packets such as those carrying voice and video, to receive guaranteed bandwidth as they move across the network.

So voice and data traffic "do not meet" even though they are carried through the same IP port, Coward explained.

It helps to reduce latency and "jitters", Crowley added, ensures that VoIP traffic remains "voice quality".