Network hardware provider Zultys Technologies has responded to KPMG's whitepaper on the risks of Voice over IP (VoIP) by saying that some of the comments were on the verge of "scaremongering".

Zultys director of business development, Tony Warhurst, said although he agreed with several of KPMG's conclusions on security concerns, he feels that "some of the comments made by KPMG verge on scaremongering and could cause many organisations to unnecessarily put their VoIP plans on the back burner".

"The bottom-line benefits of VoIP are far too great to let these security issues keep you on the fence. In reality, VoIP security is not as complicated or difficult as some vendors and consultancies would have you think," Warhurst said.

He added that organisations should ensure that they get top-notch security from a VoIP system and should thoroughly evaluate the system they pick.

The KPMG report stated that VoIP systems are susceptible to viruses and therefore require an appropriate management framework. KPMG also stated possible confidentiality problems that businesses will face when changing to VoIP.

Warhurst suggests that companies look for VoIP systems that have voice encryption using the 128 bit AES standard, which "provides a level of security that is almost impossible to breach". He said that when voice streams are encrypted with the AES standard, network sniffers cannot be used to decode the traffic.

The system should also include an easy to activate voice encryption since "it doesn't matter how good an encryption system is if people can't or won't use it".

Warhurst identified other necessities that he thinks VoIP systems should include:

• Security code keys that appear on the telephone's display. Under this scenario, one caller reads the encryption key to the other caller. If the code keys match, the callers are secure in the knowledge there has been no "man-in-the-middle" attack.

• A stable, secure operating system. A robust telephone system is a mission-critical component of any successful business. Some telephony systems run on operating systems that are not only vulnerable to hacker and virus attacks, but are prone to crashes and constant reboots.

• Lock down all unused ports on the system. Some operating systems leave unused ports open, making them vulnerable to port scans.

• Firewalls and VPNs built into the box. No matter where users may be located, they all need secure Internet access and secure access to the company WAN. The best VoIP systems build these features in.

• Password protected logins. Seems like a "no brainer," but some systems don't have them.

• Authenticated devices. The best VoIP systems authenticate all devices on the telephony network.

Warhurst agrees with KPMG that security should be a major consideration for companies when implementing VoIP systems. However, he believes that companies have "no excuse not to capitalise on the incredible productivity gains VoIP can bring to companies of all sizes".

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.