Networks That Talk Back

With broadband Internet connections able to handle steadily increasing amounts of traffic, the notion of using the same lines to transmit telephone communications via the computer sounds like the perfect moneysaver. But the technology still has security problems that must be worked out before it can become the standard way that businesses make calls, according to technology experts.

Helen McGrath, vice president of product marketing with AT&T, says that any use of what is called VoIP (voice over Internet Protocol) "carries with it all of your existing LAN security issues," and administrators must address the same trio of concerns--confidentiality, integrity, and availability--that they do in any data network.

With corporate data networks constantly under attack, even well-secured IP phone systems incur risks that traditional phone systems are immune to. Pascal Luck, managing director of Core Capital Partners, a Washington, D.C., venture capital firm that invests in VoIP ventures, explains, "Once you put everything on an IP network and you expose IP addresses, suddenly your voice network now looks like a data network, and you become vulnerable." He says it's critical for VoIP networks to hide their topologies--particularly the Internet addresses that identify servers that could be targeted by network hackers.

Hacking is not yet a major threat, says Luck, but as the technology becomes more widespread, so will the threat. A new paper from the National Institute of Standards and Technology (NIST) points out the vulnerabilities that hackers could exploit, such as ways to surreptitiously use a packet sniffer to find the IP addresses of particular extensions. This would allow an attacker to locate the packets sent or received by a targeted phone.

Reg Foulkes, chief technical officer of global security solutions for Computer Sciences Corporation, says that IP-based "intelligent phones," which interact with a network to, say, browse the Web, are a likely target of attack. "Think of them as self-contained computers with their own operating systems," he says. "They are subject to direct attacks" such as viruses and hack attacks, or even denial-of-service attacks, which would shut down the phones in addition to the network. "Imagine having a denial-of-service attack and your only phone system is VoIP," posits Foulkes. "How are you going to call for help?"

In fact, anything that might delay or interrupt the transmission of a call may be the biggest threat to VoIP's future. Bill King, manager of technical marketing in Cisco's voice technology group, agrees that VoIP transmissions are "sensitive to delay and jitter." But he and McGrath both argue that security technologies are widespread enough to protect VoIP. Says King: "Organizations that have incorporated security measures in the form of firewalls, intrusion detection or intrusion prevention systems, antivirus packages, and so on have already gone a long way towards protecting VoIP applications."

VoIP offers cost savings, but AT&T's McGrath points out that some types of IP telephony can have high setup costs, so companies often don't have the "economic trigger" to roll out full-blown VoIP systems unless they are opening a new facility. Other considerations, says Cisco's King, include how old the company's equipment is and whether management is trying to implement newer functions that don't work on the current systems.

So is VoIP worth the expense and the risk? A lot of organizations seem to think so. The Yankee Group's 2004 Enterprise Communication Spending Survey of educational organizations and governments showed that 33 percent of education respondents and 19 percent of government respondents said that VoIP was their top budgeted communications project for this year, while another report from a coalition of airline-industry sources says that 13 percent of airports already have VoIP in place and another 60 percent plan to introduce it in the next two years. And Infonetics Research, which covers the data networking and telecom industries around the world, predicts that expenditures on IP voice products and services will double this year from last.

@ The NIST report on VoIP and other VoIP reports are at SM Online.