Voice over Internet Protocol (VoIP) services enable businesses to conduct calls across the same network to access the Internet and get email – and at a fraction of the cost of traditional voice networks. However, VoIP developers have been focused on quality and reliability versus security. Therefore, if you choose to adopt VoIP, it is up to you to take the proper steps to secure it.

Background and benefits
The technology behind VoIP has been around for a few years; early incarnations of VoIP were plagued by spotty service, muddled and dropped calls. Only in the last few years has VoIP service improved enough to make it sufficiently reliable and stable for business use. In fact, businesses are finding that a well-planned and implemented VoIP system can provide call quality and reliability that rivals mobile phone or landline calls.

The number one benefit of VoIP is its low cost. In the conventional telephony world, multiple phone lines, conference calling features, and long distance charges create many extra charges. However, most VoIP providers not only offer unlimited local and long-distance calling for a relatively low flat fee, the fee also includes most, if not all, of the additional features businesses need. In addition to lower phone bills, here are some other benefits of VoIP:

Simplified infrastructure. Eliminating dedicated voice lines means you no longer need separate voice and data networks. Since each usually has its own equipment and vendors, you'll likely pay less for ongoing capital investments and support services.

Easier management. Because a VoIP exchange is based on software rather than hardware, it is easier to alter and maintain.

Better productivity. VoIP treats voice like any other kind of data, so users can attach documents to voice messages or participate in virtual meetings using shared data and videoconferencing.

Scalable. Traditional PABX (Private Automatic Branch Exchange) based phone systems come in many size ranges and it may be necessary periodically to scrap existing systems and replace hardware. This is not the case with VoIP systems.

Flexible connections. If your company has its own VPN and combines it with VoIP, you can set up a fully functioning office anywhere there is a broadband connection. With a VoIP phone, you can place or receive calls as if you were sitting at your desk. Moreover, since your phone number is mobile as well, you can make "local" calls back home or call around the globe without worrying about cell phone roaming or hotel surcharges.

Security concerns
Unfortunately, the same types of attacks that affect data networks can affect VoIP networks. As a result, the content of VoIP communications is vulnerable to being attacked, hacked, altered, intercepted or re-routed. Worse yet, because voice and data communications are running on the same infrastructure, an attack on the VoIP system could compromise the entire availability of the IP network, risking a business' ability to communicate via either voice or data. Here are just a few of the security risks to VoIP:

Denial-of-Service Attacks — This is when "telephony botnets" are unleashed with the intent of overpowering VoIP telephony devices with call requests and registrations. This flooding can create resource exhaustion, long term busy signals, and force dropped calls.

Eavesdropping — Services measurement and troubleshooting software that is part of a VoIP solution makes eavesdropping a relatively easy task. By monitoring call signal packets, unauthorized third parties can learn user names, passwords, and phone numbers, thereby gaining control over calling plans, voicemail, call forwarding, and billing information. More importantly, third parties may also gain access to confidential business and personal information by eavesdropping on actual VoIP-based conversations.

Phishing — Similar to email phishing, VoIP phishing occurs when a voicemail left for the account owner is purportedly from a trustworthy person or business, but is really designed to acquire sensitive information such as passwords or credit card numbers. These phishing voicemails may include a phone number or Web address masquerading as a legitimate bank or online payment service.

Toll Fraud — Toll fraud happens when an intruder gains control of the VoIP network and proceeds to mimic an authorized user or take control of the network and use the account to make long distance calls at the account holder's expense.

Security recommendations
VoIP use is expected to skyrocket over the next few years. In-Stat, a technology research firm, predicts that the number of business VoIP phones sold will grow from 9.9 million in 2006 to 45.8 million in 2010. In-Stat also notes that over 40% of the businesses it surveyed don't have specific plans for securing their VoIP deployments. However, ignoring security is not advisable, because the more widespread VoIP becomes, the more likely it is to be targeted by Internet criminals. Most VoIP solutions are lacking built-in security features, but here are some things businesses can do to protect themselves:

Separate VoIP and data — A properly designed network will separate the entry of data and VoIP at the perimeter, using a general firewall for data and a specific security device for VoIP. A good perimeter solution for VoIP should be able to intercept attacks on a VoIP system.

Vigilance — Make sure to be stay up to date about new and changing threats to the operating system as well as the VoIP systems. This includes installing patches and security updates as soon as they are available.

Block rogue VoIP use — There are many free consumer VoIP technologies available — any of which could be downloaded and used by an employee without the IT staff knowing. These rogue networks introduce unnecessary risk, so it's important to detect and block them by using VoIP-aware firewall and intrusion detection tools at key access points.

Manage entry points — Disable and remove any unneeded application and operating services a hacker could use as a pathway into the system. Employ gateway security to limit access to authenticated users.

VPN for remote VoIP — When employees use a business' VoIP account from outside the office, making untrusted remote connections, a VPN tunnel, as well as encryption and authentication measures are vital.

Network security — Tools should be in place to constantly monitor the network for suspicious activity and to prevent unauthorized access to the network.

Conclusion
VoIP is another example of how the Internet is changing the face of communications by lowering costs and simplifying the business infrastructure. With VoIP use projected to grow, it is likely that attackers will increasingly seek out ways to exploit this technology, which is already subject to most of the same threats as data networks. If your business chooses to adopt VoIP, it should be prepared to address the lack of security features that are built into the current VoIP systems. With awareness and a commitment to security, your business can safely enjoy the cost savings that VoIP offers.

from Symantec

J4Systems  |  2521 Warren Drive, Suite A  |  Rocklin, CA  95677  |  916.303.7200