More and more businesses hoping to save money are switching to IP telephony. But what are the security implications?
Regardless of repeated warnings that voice-over-IP (VoIP) technology is particularly vulnerable to hackers and other security threats, more and more organisations are thinking about introducing IP telephony.
Looking at the huge cost savings VoIP can bring, and the fact that the predicted major attack has so far failed to arrive, it is easy to see the attraction. The benefits of VoIP extend far beyond reduced call costs. With telephone traffic travelling over the data network, companies only need to maintain one infrastructure (data) rather than two separate ones, which means lower running costs in the long term. VoIP also makes it easier to integrate phone, fax, and email into a single messaging system, since each of these formats is now carried over the same infrastructure.
But what about those security concerns? VoIP has some high-profile supporters. In 2005 BT announced a partnership with Nortel to provide managed IP services to the Ministry of Defence (MoD) as part of the £1.5 billion Defence Fixed Telecommunications Service (DFTS) between BT and the MoD to build a coordinated infrastructure for the Army, Royal Navy and RAF.
John Anderson, director of BT Government, said at the time that both his company and the MoD tested the technology thoroughly before deciding to implement the IP system. He suggested that new innovations in securing voice traffic could be passed on. "The fact that the lab was set up for the DFTS means there will be benefits from security and reliability for VoIP. The MoD requirements for security could cross over into the commercial world and have benefits for the financial sector, for instance," he said.
Of course, the unusually stringent standards to which the MoD aspires might be over the top for the majority of enterprises deploying IP telephony for the first time. Lawrence Orans, a research director at Gartner, believes that eavesdropping is the single most exaggerated VoIP security threat. "It's technically possible, but practically the risk is low," he claims. "Attackers would need to penetrate the firewall and get to the PBX (private branch exchange)."
Still, fears over security are enough to deter certain organisations from implementing VoIP. Industry sources say that the likes of the Foreign and Commonwealth Office are unlikely to ever consider VoIP due to the security implications. However, for most businesses the threats are far more mundane. Nick Frost, a research consultant at the Information Security Forum (ISF), believes that in future spammers are likely to target VoIP mailboxes with recorded messages. "There's so much information on corporate websites now, and on Facebook about individuals, that can be garnered by spammers using data-mining tools. All those email addresses are being sold as spam lists," he explains. "If people start clearly advertising their VoIP numbers, then it seems reasonable to suspect that the same concept will be developed for VoIP."
Frost admits that there is little if any financial incentive motivating VoIP attackers at present. The most serious current threat to VoIP is a distributed denial-of-service (DDoS) attack. This can affect any device connected to the internet and works by flooding networks with spurious traffic or server requests. While few DoS attacks specifically target VoIP systems, the real-time nature of voice traffic means they have a massive impact. Users immediately experience deterioration in service quality and, ultimately, their IP handsets stop working.
Dennis Mottram, manager of ICT strategy, research and security at Aston University, suggests that organisations follow Aston's example by using a separate VLAN for their voice traffic, so that it can be prioritised in case of any DoS attack. VLANs also need to be properly architected to prevent packets jumping from one VLAN to another. However, even if such measures are taken, there are some hacking tools that can get round them. Additional tools that will help networks in case of any attack are intrusion detection (IDS) and prevention (IPS) systems, which scan for rogue incoming packets, and anti-virus software that can help prevent any known threats from disrupting the network. Some routers can also throttle the inflow of traffic to stop the network from being completely flooded - a technique known as "rate limiting".
Another best practice that needs to be extended to voice is changing the default passwords of all of the system's components. Phones, for example, can become vulnerable if their passwords are not changed regularly, as they offer many points of entry for hackers. In addition, companies should remove all unnecessary applications from VoIP systems, including telnet and web servers. Many IP phones have web servers installed, so that configuration can be managed from the desktop; however, this leaves them exposed to the vulnerabilities of the internet.
Patching is also important. Because VoIP is now just another application that runs on a commercial operating system, it needs to be patched regularly along with the rest of the IT estate. "Enterprises need to make sure that all the firmware of the VoIP system is up to date, as new vulnerabilities are found in VoIP systems every few days," warns Ken Munro, managing director of penetration testing company SecureTest.
Education education education
However, Jon Collins, service director at analyst firm Freeform Dynamics, points out that as relatively few companies have so far rolled out VoIP, a more pressing security concern is "protecting employees from themselves" through education about social-engineering attacks. "I believe more organisations are in a preparatory phase rather than fully up and running, at which point the threat will, of course, become more substantial," he says. "But we are seeing considerable interest in organisations adopting VoIP. For example, in some research we conducted back in April, voice was a significant driver for reviewing existing network equipment, second only to the wireless network itself."
David McCaskill, section manager for global security solutions at pharmaceutical giant Procter & Gamble, agrees that more businesses are planning VoIP implementations today than were two years ago, but he cautions that VoIP penetration is still proceeding at a snail's pace. "The problem is that VoIP lacks a headline-grabbing killer application," he explains. "Without that, enterprise VoIP adoption will mirror that of instant messaging: slow and steady, driven by cost savings and productivity gains without regards to security.
"A few organisations will strategically roll out VoIP, but I would guess that only a handful of them will holistically apply security as part of that implementation," he predicts.
HOW IT WORKS
Voice over Internet Protocol (VoIP), also described as IP telephony and internet telephony, refers to the routing of voice conversations over the web or through any other IP-based network. Voice information is transported in digital form in discrete packets rather than by using the traditional phone system, which is known as the public switched telephone network (PSTN). When these chunks arrive at the destination server, they are re-assembled in real-time, allowing two or more people to carry on a conversation.
One of the big attractions of VoIP is its ability to help cut telephone bills, precisely because calls travel over the data network rather than the phone company's network. Voice mail, caller ID and call forwarding are typically part of a VoIP package. You may also be able to choose phone numbers with local area codes outside your geographic location.
The number of types of VoIP technologies is huge, thanks to different protocols and standards, individual vendor approaches, and varying customer needs. Cisco, Avaya and Alcatel are the dominant vendors in the high-end VoIP arena. Small businesses wanting to save on long distance calls by plugging their VoIP phone into the back of a broadband router or using an analogue terminal adapter (ATA) to connect a regular phone to the router are served by providers such as Vonage and Sipgate.
A star of the VoIP world in recent years has been Skype, a PC desktop client that allows users to establish a voice connection with other subscribers free of charge, regardless of location. Other companies, for example Fring and Truphone, have ambitions to bring quality VoIP calls to the mobile phone.
Many businesses now run VoIP using SIP (session initiation protocol), a lightweight protocol that has gained in popularity recently. SIP was designed to help overcome some of the incompatibility issues that have prevented systems from different vendors from interoperating properly. While the H.323 protocol is seen as the established top dog in the VoIP world, many vendors see SIP as the way of the future and are aggressively promoting products that support it in their VoIP offerings.
VoIP does have some disadvantages, though, and its adoption in the business world has not been as rapid as many commentators predicted. Some broadband connections may have less than desirable quality. When IP packets are lost or delayed at any point in the network between VoIP users, there will be a momentary drop-out of voice. This is more noticeable in highly congested networks or where there are long distances between callers. But technology has improved the reliability and voice quality over time and will continue to do so.
CASE STUDY: IRWIN MITCHELL
Irwin Mitchell is one of the largest law firms in the UK, with nearly 2,000 employees across the UK. The firm also has offices in Spain and has been growing rapidly. However, from an IT management point of view, the company was a victim of its own success - its rapid expansion was placing an unacceptable level of pressure on the firm's IT infrastructure.
Irwin Mitchell's call centre, based in its Sheffield office, can handle up to 6,000 calls a day. "The centre provides a first point of contact for the firm and, as a result, it is imperative to ensure it is up and running and available at all times," says Gary Thomas (pictured), the company's head of IT operations. The firm's move into new, purpose-built offices represented a chance to overhaul some of the more dated IT systems, and the company decided to migrate to a voice-over-IP (VoIP) telephony system. "The criticality of the call centre to the business meant we needed some way of constantly monitoring the performance of our telephone systems," says Thomas. "We couldn't afford for issues such as jitter or call manager replication issues to impact on call quality."
Irwin Mitchell deployed NetIQ AppManager for VoIP, a system-monitoring solution that claims to simplify VoIP management. The firm uses the tool to effectively monitor call quality.
In the space of just one week, the NetIQ solutions picked up four separate failed disks in different locations, including Spain. One of the disk failures occurred on a call manager system, and, if undetected, might have caused severe disruption. Thomas claims that this number of disk failures in a short period of time is unusual, but insists that all the failures were identified quickly and could be corrected before they had an impact on IT or telephony performance. "NetIQ allows us to respond much more promptly to maintain system availability," he says.
Thomas believes that seductive tales of eavesdropping and corporate espionage have led to misunderstandings about the finer details of VoIP. "An organisation such as the MoD might be worried about espionage, but for Irwin Mitchell the VoIP security issue is more associated with worms and viruses, and the need to protect ourselves from those, because you're always one step behind the malware authors," he explains.
"It's very much a business continuity issue. We decided to separate voice and data and prioritise voice to ensure quality of service. We also run our phones using power over ethernet, so it's doubly important that we have a backup electrical supply to keep the phone system up and running in the event of a power failure."