Compromising VoIP

Tolly on Technology By Kevin Tolly, Network World, 07/10/2006

"Arrests Indicate Vulnerability of Web Phone Service to Fraud" blared a recent Wall Street Journal headline - though I doubt any readers thought broadband VoIP was invulnerable to hacking. A few pages later, "Who's Watching Internet-Phone Services?" decried the fact that the state and federal agencies regulating traditional telephony are largely hands-off with Internet telephony. So, while VoIP technology has proven ready for prime time, our attention needs to turn to security and management.

Such is the momentum behind VoIP - largely fueled by almost irresistible economics - that security concerns, once paramount, are often left by the wayside. I spoke during a seminar tour a few years back on the topic of implementing VoIP in the enterprise, and security was always a focus of the question-and-answer sessions.

One network manager was so concerned about VoIP conversations being easily captured at any point on the network between the participants that he predicted his company would not use VoIP unless every conversation was encrypted.

While traffic between corporate sites is transmitted through secure VPN tunnels, intrasite traffic is handled differently. Because of the complexity and overhead of running VPN tunnels, they are rarely implemented in-building. Not only do tunnels have to be defined between each communicating pair, but the crypto functions also demand CPU resources, which could degrade your PC's performance.

In 2000, 3Com released a 10/100Mbps secure network interface card (NIC) that had a coprocessor to handle the encryption and decryption needed for IPsec VPN tunnel processing. Even though its market research probably showed that users wanted it, they really didn't. It never made the leap to gigabit, and the notion of many-to-many VPN tunnels went off into oblivion. (Yes, you can still buy that 3Com NIC for $100 if you want to try it.)

So, your on-campus voice isn't secure and can be compromised relatively easily by anyone with access to your switching infrastructure.

I can imagine the conversation between the exec and the tech:

Q: "Is our VoIP secure?"

A: "Yes, it is on a separate virtual LAN."

The exec gives an appropriate harrumph - not having a clue what a virtual LAN (VLAN) is - and walks away satisfied. There is, of course, nothing inherently secure about a VLAN. It is simply a separate broadcast domain. No encryption equals no security.
