As with most new technology, convenience often demands important security trade-offs. The ability to make long-distance telephone calls over the Internet using Voice over IP (VoIP) is no exception. Internet calling may save small businesses money, but it is vulnerable: an attacker who reaches the network can pull phone lists off the call server, log which numbers are being dialed and received, or, worse, listen in on confidential conversations. Fortunately, there are steps you can (and should) take before installing any Internet phone service, to give your company a greater margin of safety.
First, you need to understand how Internet phones work. Several different flavors of VoIP are available. The simplest applications use your desktop's built-in microphone and an Internet messenger such as Yahoo IM. Business solutions, however, use dedicated IP telephones (handsets with their own network interface cards) that carry voice as packets, just like data packets, over your existing intranet or Internet trunk lines.
Internet phone attacks are possible
Although attacks against Internet phone networks are still rare, they will increase as the technology goes mainstream. VoIP attacks often mirror those against pure data networks: denial of service, capturing voice packets and reconstructing them into audio, and (less commonly) attacks aimed at the operating systems running on the VoIP phones themselves. And like data attacks, voice attacks can come either from within a company or from outside the office.
The most likely scenario is a distributed denial-of-service attack against your company's Web site. On its own, that would not bring down your Internet phone system, provided the phones and your file server sit on separate networks with separate Internet connections. It is very tempting, however, for a small business to run both voice and data over the same network and the same link. In that case the simplicity and the reduced costs won't justify the consequence: when a flood saturates your business's sole connection to the Internet, you lose both voice and data at once.
Another scenario involves an attacker sniffing voice packets out of your business's network traffic, then reassembling them to recover the phone conversations. With conventional phone systems, attackers must find the correct pair of wires carrying a particular call, and even then can listen to only one conversation at a time. With VoIP, every call crosses the same network, so an attacker positioned on it could potentially capture all corporate calls (assuming they have the time and resources to reconstruct them, of course).
Packet spoofing (where someone inserts forged voice packets into a call, or impersonates one end of it in a man-in-the-middle attack) and message-integrity attacks (where someone corrupts the audio in transit) are of lesser concern, as they are in pure data networks. Nonetheless, these attacks are worth guarding against, and the plain-packet nature of unencrypted voice makes them cheap to mount.
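The sniff-and-reassemble attack and the packet-injection attack described above, as an added example that is not from the original article: a small Python script that parses the RTP header that carries VoIP audio (RFC 3550), reorders captured packets by sequence number (handling the 16-bit wraparound), splices the payload of each call back together, and flags a packet whose call identifier (SSRC) arrives from a different source address than the call was first seen from. The "capture" is constructed inline; the IP addresses, SSRC values and four-byte payloads are made up for the example, and the source-address check is only a heuristic (a spoofed IP defeats it), which is exactly why the encryption recommendation later in this piece matters.

```python
"""Reassemble plaintext RTP voice streams and flag injected packets.

Added example for this article, not vendor or project code. The packets
below are constructed, not a real capture; addresses and SSRCs are made up.
"""
import struct
from collections import defaultdict

RTP_FIXED_HEADER = 12  # RFC 3550 fixed header: V/P/X/CC, M/PT, seq, timestamp, SSRC


def build_rtp(seq, timestamp, ssrc, payload, payload_type=0, marker=False):
    """Build a minimal RTP v2 datagram (no CSRCs, no extension, no padding).

    Used here only to construct sample packets; payload type 0 is G.711 mu-law.
    """
    first = 0x80                                  # V=2, P=0, X=0, CC=0
    second = (0x80 if marker else 0) | (payload_type & 0x7F)
    return struct.pack("!BBHII", first, second, seq & 0xFFFF,
                       timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF) + payload


def parse_rtp(datagram):
    """Parse the RTP fixed header and return its fields plus the raw payload."""
    if len(datagram) < RTP_FIXED_HEADER:
        raise ValueError("datagram shorter than an RTP header")
    b0, b1, seq, timestamp, ssrc = struct.unpack("!BBHII", datagram[:RTP_FIXED_HEADER])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    cc = b0 & 0x0F                                # number of 32-bit CSRC entries
    has_padding = bool(b0 & 0x20)
    has_extension = bool(b0 & 0x10)
    offset = RTP_FIXED_HEADER + 4 * cc
    if has_extension:                             # 16-bit profile id, 16-bit length in 32-bit words
        ext_words = struct.unpack("!H", datagram[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    payload = datagram[offset:]
    if has_padding and payload:                   # last octet counts the padding octets
        payload = payload[:len(payload) - payload[-1]]
    return {"seq": seq, "timestamp": timestamp, "ssrc": ssrc,
            "payload_type": b1 & 0x7F, "marker": bool(b1 & 0x80),
            "payload": payload}


def reassemble(captured):
    """Rebuild each call's audio from a list of (src_ip, datagram) pairs.

    Packets are grouped by SSRC and re-ordered by sequence number with
    wraparound handled. A packet whose SSRC was first seen from another source
    address is reported as a suspected injection rather than spliced in.
    Returns (streams, suspicious): streams maps ssrc -> ordered payload bytes,
    suspicious is a list of (src_ip, ssrc, seq).
    """
    by_ssrc = defaultdict(list)
    origin = {}
    suspicious = []
    for src_ip, datagram in captured:
        pkt = parse_rtp(datagram)
        ssrc = pkt["ssrc"]
        origin.setdefault(ssrc, src_ip)
        if origin[ssrc] != src_ip:
            suspicious.append((src_ip, ssrc, pkt["seq"]))
            continue
        by_ssrc[ssrc].append(pkt)

    streams = {}
    for ssrc, pkts in by_ssrc.items():
        base = pkts[0]["seq"]

        def distance(p):
            # signed distance from the first-seen seq, so a few packets arriving
            # before it sort first and packets past 65535 sort after it
            d = (p["seq"] - base) & 0xFFFF
            return d - 0x10000 if d >= 0x8000 else d

        streams[ssrc] = b"".join(p["payload"] for p in sorted(pkts, key=distance))
    return streams, suspicious


# Constructed capture: two calls on the LAN plus one injected packet (made-up values).
PHONE_A, PHONE_B, ATTACKER = "10.0.10.21", "10.0.10.22", "10.0.20.99"
CALL_A, CALL_B = 0x1A2B3C4D, 0x0FEDCBA9
CAPTURE = [
    (PHONE_A, build_rtp(65534, 160 * 0, CALL_A, b"AAAA")),
    (PHONE_B, build_rtp(100, 160 * 0, CALL_B, b"bbbb")),
    (PHONE_A, build_rtp(0, 160 * 2, CALL_A, b"CCCC")),     # arrived before seq 65535
    (PHONE_A, build_rtp(65535, 160 * 1, CALL_A, b"BBBB")),
    (ATTACKER, build_rtp(1, 160 * 3, CALL_A, b"XXXX")),    # forged packet for call A
    (PHONE_B, build_rtp(101, 160 * 1, CALL_B, b"cccc")),
    (PHONE_A, build_rtp(1, 160 * 3, CALL_A, b"DDDD")),
]

if __name__ == "__main__":
    streams, suspicious = reassemble(CAPTURE)
    for ssrc, audio in streams.items():
        print(f"SSRC {ssrc:08x}: {len(audio)} payload bytes in the clear: {audio!r}")
    for src, ssrc, seq in suspicious:
        print(f"suspected injection: {src} sent seq {seq} for SSRC {ssrc:08x}")
```

The point of the exercise is how little work the attacker has to do: with the voice VLAN bridged to the data network, a capture plus a few dozen lines of parsing yields every call's audio in the clear, and nothing in the RTP header itself lets the receiver tell a forged packet from a real one. Only an authenticated, encrypted transport (SRTP, for example) closes both gaps; the address check here merely raises the bar.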
Solutions do exist
Fortunately, there are ways to safeguard your Internet calls. With a little due diligence, you can enjoy the benefits of VoIP without compromising your business's safety.
Last October, the SANS Institute put out a white paper outlining specific concerns for small to medium-size businesses, particularly when it comes to hiring a third party to administer your VoIP network.
The SANS Institute recommends that you separate voice and data networks with virtual local-area networks (VLANs), limit physical access to the network rooms, choose switches over hubs (a hub repeats every packet to every port, which hands a sniffer all the traffic), use encryption, and opt for dedicated hardware phones rather than software-based Internet phone solutions whenever possible. Other recommendations include having firewalls or firewall proxies monitor both voice and data, maintaining antivirus software on all systems (voice or data), and performing regular backups (many VoIP systems include backup capabilities).
If all this sounds like a lot to take care of, it is. Adding VoIP to your business means adding voice-specific protocols and hardware that require their own IT expertise. VoIP brings its own set of protocols, such as the Session Initiation Protocol (SIP), H.323, MGCP, and the Real-time Transport Protocol (RTP), among others, so depending on the size and nature of the company you'll need at least one more IT person specifically trained in VoIP, an option that most small businesses don't have.
Thus, third-party solutions have become attractive. And it makes sense: someone else applies security patches, manages the voice system, and assumes the risks. The main disadvantage, however, is that if an attacker decides to take out your third-party supplier, it cripples every dependent business, including your own. In other words, keep a cell phone handy for the day the service goes down, and also request in writing the VoIP reseller's commitments regarding updates, patches, and technical support. The up-front costs may seem reasonable, but that doesn't mean the service after the sale will be as affordable.
Got a security question? Let me hear about it!