VoIP: Don't forget about security

VoIP has many upsides but moving your telephony system to a packet-based network could leave you at the mercy of hackers. Danny Bradbury looks at how to properly secure a corporate IP telephony system against known and unknown threats.

Voice over IP (VoIP) calls offer the twin benefits of cost and convenience but there are dangers associated with moving your telephony system onto IP networks: it potentially opens them up to hacking, with disastrous results.

Commentators like Paul O'Reilly, director of sales for VoIP EMEA at network monitoring company NetIQ, say VoIP is really just another application on the network. This turns security experts such as Mike Murray, director of vulnerability and exposure at vulnerability management company nCircle, a strange shade of pale.

"You are now deploying a second computer on everyone's desk in the whole network," he says, describing the use of IP phones. "Does that change your security posture? Well, sure it does." Most IT security departments he knows are already overworked.

Running your telephony service over IP makes it one of the most mission-critical IT applications you own. Most medium-sized organisations can survive for a while if line-of-business applications fail, but if your telephones are down, everyone may as well go home. And moving telephony to an IP network makes it vulnerable to different types of attack.

Denial of service attacks, where someone tries to hit your telephony server repeatedly with traffic, can theoretically stop a company using its VoIP system but there are other more insidious attacks, too. "It means that any box on your entire system that gets compromised can be potentially used to start tapping phones," says Murray.

VoIP users who don't properly protect their networks can look forward to attacks such as on-hook listening, where hackers surreptitiously turn on an IP phone's speaker capability to eavesdrop on your office. Or they could theoretically eavesdrop on VoIP traffic travelling across the network.

"I'm waiting to see the security tool which is a network packet sniffer that reassembles packets on the fly," Murray says. Or, if you'd really like something to keep you awake at night, think about hackers compromising the phone system and using your VoIP network to make free calls to external numbers.

Companies have to work out the threat and risk to their voice applications, says Paul King, Cisco UK's principal security consultant. Cisco breaks VoIP policy down into four areas: infrastructure, call control, the phones themselves, and components at the application level. He advocates the use of application firewalls to check that, for example, communications coming into its Call Manager application are using the right signalling protocols. For IP phones themselves, the company uses digital certificates to encrypt traffic and authenticate endpoints.

NetIQ's O'Reilly adds that security managers should use common sense practices, such as disabling advanced facilities on IP phones located in public areas such as the company foyer.
