| COLUMN |
Enterprise VoIP security: Experience is the best teacher |
 |
By Andrew Graydon
10 Jul 2006 | OLDsearchCIO.com
|
With the recent arrest of a Miami man for a VoIP fraud scheme, and the possible regulations by the FCC of VoIP communications, organizations need a clear migration path on how to deploy a VoIP solution that meets their business needs while ensuring security and compliance.
Today's enterprise market has already begun to deploy VoIP and many organizations are realizing the need to implement a security solution for this new technology. To date, most enterprises have deployed an IP PBX and recent reports indicate that sales of IP PBXs comprise 80% of the PBX market. But a number of questions remain: What are the benefits of VoIP? How will this affect my communications strategy? Can I use this for remote or home users? Can I use it for customers? What is the cost? And most importantly, how will I secure it?
The benefits of a VoIP system for internal enterprise deployments are limited; realistically the only benefit is free inter-company calls. In this scenario, external communications are still being transmitted through local and long distance telco providers. The significant ROI will only be realized when organizations can use the intrinsic features of IP and allow the voice calls to be transported over the open Internet. This is possible when companies have bypassed the local and long distance providers by either deploying an IP-to-IP telephony solution with no communications cost, such as Skype or by deploying an IP trunk from a service provider such as AT&T to realize more cost-effective voice communications.
|
|
|
|
|
The majority of business systems today, such as email, Web and IM, are based on IP and they are for the most part, secure. VoIP doesn't have to be any different.
|
|
|
|
|
|
|
|
|
|
We have all seen the advertisements for consumer-based VoIP solutions offering lower costs for long distance communications, and many providers are now offering these same services for businesses. There are added benefits for enterprises with remote or home users, and especially those with geographically disperse offices. By having an open communications model where the current Internet connection carries the voice communications, enterprises can connect to these remote sites via pure IP transport. In effect, this allows organizations to 'piggy back' the cost of their Internet communications with their voice communications, giving them free inter-company communications. In addition, they can extend the benefits of the PBX functionality for those people outside the main office. Just imagine the productivity benefits of having employees' desk phones and the advanced functionality that comes with them sitting in their home offices.
While the benefits are clear, the question still remains: Why hasn't VoIP become commonplace?
Fear, uncertainty and doubt
The answer is simple: Voice communication is still the primary communications channel for any enterprise. While email, IM and Web traffic continue to rise in every corner of the business world, an outage in the phone system would be catastrophic. Imagine the sales team unable to make calls, or the support desk phone number being out of service. This type of scenario is a real concern for any IT professional considering VoIP.
We all know the threats associated with email and Internet communications, from spam flooding inboxes to DOS (denial-of-service) attacks on firewalls. Moving voice communications from a trusted secure telecom connection to an untrusted, insecure IP connection is not without its considerations. However, the majority of business systems today, such as email, Web and IM, are based on IP and they are for the most part, secure. VoIP doesn't have to be any different.
Old solution for a new problem
Nobody would put a business server on the open Internet today. Even most consumers wouldn't put their personal systems on the open Internet. People protect these systems with a variety of layers from firewalls at the IP transport layer, IPS/IDS solutions for deeper analysis and some even use application or protocol analyzers to ensure the content is legitimate, e.g. anti-spam, anti-virus, anti-malware etc. Why would we treat VoIP any other way?
The most popular firewalls today have VoIP functionality in their current releases. Current IPS/IDS solutions are similar, providing deeper protection for VoIP traffic. Until recently the only component missing for VoIP in a typical Internet communications security implementation was the next level -- the anti-X; however some vendors are now offering protection for this layer and the solutions are easy to deploy.
By taking this standard Internet communications approach to VoIP and applying a security methodology that we typically use in other Internet communications, enterprises can implement and deploy an open VoIP solution that is secure and provides the same level of service they've come to expect from all of their IP business applications. In an industry where voice is still largely considered from the legacy viewpoint, realizing that VoIP security should be handled no differently than any other Internet communication is the big leap for most enterprises
|
|
|
|
