Voice over IP offers great savings in long-distance calls. But without extensive safeguards, VoIP can expose your phone system to the havoc affecting the rest of the Web.
Reader ROI
- Why VoIP is more vulnerable to hackers than are traditional phone systems
- What you can do to safeguard your VoIP systems
- When it makes sense to convert to VoIP and when it doesn't
Phone service is abruptly cut off at a brokerage house after a hacker launches a full-scale denial-of-service attack, flooding the firm's voice servers with registration requests. An Internet worm makes its way from a retail giant's data network to its voice network, shutting down call centres and costing millions in lost revenue. An impostor enters the phone network of a top government agency and makes away with classified information by spoofing his caller ID.
Sound far-fetched? According to security experts, such scenarios are not only plausible, they may be inevitable as companies and government agencies around the world scrap their traditional circuit-switched phone systems and move to voice over IP (VoIP). By sending voice calls over the Internet, companies are saving millions of dollars and gaining flexibility to provide multimedia services at the desktop. But they are also exposing their voice systems to all of the hazards that now plague data networks, including worms, viruses, denial-of-service attacks, spam over Internet telephony (SPIT), eavesdropping and fraud. And they are increasing their vulnerability to attacks against the rest of the network by creating new openings into critical infrastructure, networks and systems.
CIOs ready to take the plunge with VoIP need to understand that data firewalls alone won't protect them. They need only look to the past to remember the state of the Internet 10 years ago, when security was usually an afterthought. That was before the Nimda and Sasser worms and countless other threats came to haunt them. To head off attacks on their voice networks, IT executives need to devise a plan that includes voice encryption, authentication, VoIP-specific firewalls, and the separation of voice and data traffic. They also need to ensure redundancy in case of power loss (most traditional phone networks already require backup, but the systems will need to be expanded with VoIP). And they will have to physically secure voice servers and other equipment from intruders.
Traditional private branch exchange (PBX) phone systems have their own vulnerabilities, and in the past hackers have broken into large phone and voice mail networks. But VoIP expands vulnerability, offering more opportunities for hackers to gain access. In a recent 93-page report on VoIP security, the National Institute of Standards and Technology notes that in most offices there are many more points to connect to a LAN than there are points to connect to a PBX box. "Based on the history of attacks on various Internet services and things we've seen, it's inevitable that there will be attacks on VoIP networks," says Rick Kuhn, a computer scientist at NIST and co-author of the report. "Eventually, someone will find a way to take advantage of it."
Some experts in the US are even urging Congress to consider VoIP security implications as it starts to revise the Telecommunications Act of 1996. They believe the government may need to impose new standards or requirements for critical infrastructure, especially where it relates to emergency services or national security. "I do know that if there is a significant VoIP security event, there will be a reaction from Congress and the executive branch," says Roger Cressey, a White House cybersecurity official from 1999 to 2002 and now the president of Good Harbour Consulting.
CIOs who have already begun using VoIP advise those considering it to start focusing on security now. That way, they can avoid the expense and frustration of patching and fixing their systems after the fact. "You'll be sorry if security is an afterthought with VoIP," says Gary Heller, deputy CIO for the Arizona Healthcare Cost Containment System, the state agency that administers Medicaid. Heller recently helped install VoIP between the agency's five metro Phoenix offices and its 11 call centres. "We're comfortable now only because we took the time to do the due diligence and proactive monitoring that can lead to a safe VoIP environment. If we didn't have all that, I'd be scared." Here's what a number of early VoIP adopters have done to realize the cost savings of VoIP and to save their companies from a potential disaster.
Full VoIP Ahead
With VoIP, PBXs - the backbone of the traditional phone system - are replaced by IP voice servers that usually run on Microsoft or Linux operating systems. These "call management boxes" deliver VoIP services and log call information - and they are susceptible to virus attacks and hackers. VoIP is even more sensitive than data when it comes to disruption and packet loss. Yet many security measures that are applied to data networks don't work well for VoIP. For example, traditional firewalls can result in delays or blocked calls, and encryption can cause "latency" and "jitter" (packet slowdowns that can disrupt calls). As a result, security techniques must be specialized for VoIP. And it should go without saying that VoIP equipment should be placed in a secure, locked location.
Despite the perceived gaps in VoIP security, there haven't been any reports of large-scale cyberattacks or security breaches of VoIP networks. That's due in part to the fact that vendors and service providers are offering a wider variety of VoIP firewalls, intrusion prevention systems and other protective devices when they install the systems. VoIP adoption also is still in its early phases. According to Osterman Research, only one in 10 US companies has deployed VoIP in the workplace. But that will soon change. By late 2007, the research firm predicts, 45 percent of companies will have some form of VoIP, and adoption is expected to accelerate thereafter as many large organizations will need to replace ageing telecommunications infrastructures.
Already, experts say early VoIP adopters have suffered voice-line outages. For example, a Merrill Lynch manager of voice product development said at a major VoIP conference last northern autumn that e-mail viruses including Sasser and Code Red took down the company's VoIP network for two to four hours because it rode on top of the data network. Darrell Epps, director of the convergence and IP telephony professional services practice for NextiraOne, a consulting and integration company, confirms that some Fortune 500 companies using VoIP have already suffered from VoIP hacking incidents that have hurt company operations.