One of the key advantages of VoIP, which melds a company's voice and data networks, is that it saves a tremendous amount in infrastructure and manpower costs. One of the key challenges stems from that same union: A failure of any sort can take down or degrade the organization's total communications infrastructure.
A parallel thought is that, to date, the VoIP infrastructure has been more or less secure. That's a good thing, but it shouldn't lead IT and security staffs to relax their vigilance. The bottom line is that all of the eggs are in one basket, and a failure will be catastrophic.
You'd think this would be a universally accepted idea, and it probably is -- until it comes time for companies to do something about it. This eWeek story quotes In-Stat findings that say the number of corporate VoIP handsets will grow from 9.9 million last year to 45.8 million in 2010. However, the firm says more than 40 percent of companies responding don't have VoIP-specific security plans.
This, as they used to say, is no way to run an airline. No matter how secure the VoIP system seems, IT staffs should take every precaution, dot every "i" and cross every "t," to keep things safe. There is a lot of good information available on the Net and elsewhere. Our advice: Take advantage of it.
There are many specific steps a business can take to protect its VoIP network. Four of them are offered in this piece at The Practice Management Blog. The blogger suggests performing every conceivable test on all layers of the network, using passwords for both end users and system administrators, securing all hardware, and using VoIP-specific technology "only as a last resort." The last point is a bit of a surprise. The writer appears to believe that vendors are taking advantage of IT departments' fear by releasing a lot of products. That, of course, is a debatable point. Whether it's true or not, the bottom line is that the first step toward securing VoIP is to secure the underlying IP network.
A two-part -- and cumulatively quite long and insightful -- look at VoIP security at Information Portal, Tech News, Data Recovery is available here and here. Those who assume VoIP security is not too involved will be surprised. The piece suggests that there are six key things to think about in VoIP: the equipment; denial of service attacks; eavesdropping; the scattering of resources away from a centralized PBX; the fact that VoIP operating systems are inherently less secure than legacy telephone OSs; and the ability of administrators (and bad guys) to access VoIP system administration functions through browsers.
The two pieces dive into this material fully. Together, they drive home the reality that VoIP presents a number of very significant and widely diverse security challenges.
PC Magazine treats the topic a bit more generally than the Information Portal, Tech News, Data Recovery series. The underlying point is about the same: There are a lot of vulnerabilities to deal with. The writer says there are two main types of attacks on VoIP networks: attempts to keep legitimate users from accessing the system (through denial of service attacks) and attempts to use VoIP as a way to pry information from callers.
This isn't too complicated. VoIP is a sophisticated application that can be attacked at the IP networking layer, at the VoIP-specific layer, and through phishing and other approaches that target the user instead of the technology. IT departments' challenge -- and responsibility -- is to guard the organization at each of these levels.