Much ink has been spilled over the vulnerabilities created by running voice traffic over data networks. But smart CIOs are, in fact, going to use voice over IP - and similar forthcoming technologies - to their benefit

READER ROI

• How to use voice-over-IP technology to aid security and safety
• Why VoIP is the vanguard of significant changes in networking

When Bernalillo County in New Mexico committed to a new courthouse, the designers naturally wanted to build the most secure facility possible. But for courthouses, security is defined as including both the integrity of the physical structure (the 1995 assault on the Murrah Federal Building in Oklahoma City has made structural robustness a must-have feature in the US) and the reliability of the personnel mobilization system. Unfortunately, it wasn't clear that Bernalillo County could have both.

Improving mobilization meant establishing a guaranteed connection to security personnel, one that could not be cut and one in which calls always reached the intended person quickly. Improving physical security meant lots of metal and concrete. Portable phones were an attractive and probably essential solution for the mobilization problem. But the materials used to solve the physical security issue played havoc with the frequencies used by wireless phones, causing missed or dropped calls.

The designers found a way of reconciling this conflict with a new technology called voice over wireless IP - sending telephony over a wireless local area network (LAN). Since wireless routers are cheap (relative to configuring wired networks), they were able to position a new access point anywhere the physical structure imposed an interference problem. After some experimentation ("Can you hear me now?"), they arrived at a communications system that was both seamless and ubiquitous, without having to sacrifice the robustness of the building itself. And according to Paul Roybal, CIO of the Metro Court, the system is also used to support the "telepresence" of defendants at routine court hearings, thus increasing security by reducing transportation requirements as well.

When VoIP (not just the wireless kind) first became a leading enterprise technology fad, many security professionals refused even to let the technology through the front door. From a security point of view, there was not that much wrong with plain old telephone service (POTS). Moving telephony onto the network would just make the application vulnerable to the usual network threats: viruses, worms, spam. And VoIP vendors kept hyping the technology as the poster boy for "convergence", which to a network security person is just a fancy word for "single point of failure" or "putting all your eggs in one basket".

However, smart use of encryption and redundancy can go a long way toward mitigating those risks - more on that later. More significant, the Bernalillo Metro Court illustrates the beginning of a more advanced development: using VoIP as a tool to further the security agenda, instead of complicating it.

Boon, Not Bane

The potential is clearly there. The freedom to move phones freely and flexibly around a building without calling a contractor is as good for a CSO or CISO as it is for a CIO. At least in theory, VoIP simplifies the management of many pro-security tricks - such as encrypting both the message and the address; logging a long list of usage details; utilizing fine-grained resource assignments (according to Roybal, the Metro Court installation can assign communications from jurors, lawyers, judges and security personnel to different traffic priority levels); and last but not least, tightly integrating with the rest of the security infrastructure - from a point that can be both centralized and mobile. Since legal decisions have held that companies own the data on their IP networks, it is probably even allowable to record all VoIP traffic for use in future investigations.

It is not unusual for high-security installations to ban mobile phones, usually out of concerns over eavesdropping and the risk that pictures will be taken where they shouldn't. This is another trade-off that's good for security but a burden to employees and visitors. Patrick Ravenel, senior vice president of engineering and operations at security software company Preventsys, says some of his clients are beginning to give visitors wireless "push to talk" VoIP walkie-talkies that communicate only within authorized personnel categories or VoIP phones that are configured to turn off automatically when carried into sensitive areas.