VoIP is hot. The Gartner Group predicts that by 2008, VoIP-enabled systems will account for some 97% of all systems sold. But all that heat can raise some issues. We resolve to answer some of the more pressing questions you might be facing.
VoIP is hot. The Gartner Group predicts that by 2008, VoIP-enabled systems will account for some 97% of all systems sold. But all that heat can raise some issues. We resolve to answer some of the more pressing questions you might be facing.
· Can I trust Microsoft with VoIP?
· What really happens when I dial 911?
· Do I need a $1,000 IP phone?
· Will SIP ever be ready for the desktop?
· How do I run my business on Skype?
1. Can I trust Microsoft with VoIP?
There is plenty of uncertainty in the corporate VoIP arena, as reflected in a recent rash of consolidations and private-equity buyouts in the market. One thing users can be plenty sure of is Microsoft's intent to become a large player in corporate IP telephony and messaging.
However, some users and industry observers question whether Microsoft server technology has the mettle for handling the real-time load and reliability requirements of corporate telephony traffic and applications. Others say the move will help accelerate the use of converged messaging and productivity applications such as presence, Web conferencing and chat.
Well known by now, the centerpiece to Microsoft's VoIP bid is Office Communications Server 2007, a real-time collaboration server which has elicited much buzz and controversy in the industry, for a product not even available for purchase yet. (The server, which is the successor to Live Communication Server 2005, is in a public beta, and is expected for general release later this year.)
"We believe, over time, [enterprise voice networks] can be totally based on Office Communications Server," said Gurdeep Singh Pall, corporate vice president of Microsoft's Unified Communications Group, in an interview earlier this year at the VoiceCon show, where Microsoft launched OCS 2007's public beta. "For now, we also want to help customers . . . who are saying, 'can I trust my voice [network] entirely to Microsoft?'"
OCS, under the hood
As with any commercial VoIP systems, such Avaya, Cisco, Nortel or Siemens, customers will be buying into proprietary Microsoft protocols and technologies if plans are made to rely heavily OCS 2007.
Microsoft is deviating from the industry standard practice of using ITU codecs for voice traffic compression and transmission — mainly, the G.711, G.722 and G.729 codecs.
"We've made several investments in our own audio and video codecs," says Paul Duffy, group product manager at Microsoft for OCS 2007.
Microsoft says part of the value in its own codecs is the ability to compensate for congested or low-bandwidth connections — such as teleworkers' dial-up lines, or broadband links without QoS. Duffy says the OCS VoIP codecs include technology that can repair poor-quality VoIP transmissions. This is done with software that compensates for packetized bits that may be lost from one end to the other during a VoIP conversation. The Microsoft codecs, working with client software on either end, injects signals and tones into the voice stream, which make the calls sound better than standard VoIP calls made over jittery links, the company says.
Additionally, Microsoft uses extensions to standard Session Initiation Protocol (), which allows for more flexibility in the types of connections that clients can make among each other. (OCS supports voice, video, IM and presence across an array of devices, such as IP phones, and Microsoft Office Communicator software on PCs, cell phones and PDAs.)
OCS will also require a separate layer of server infrastructure, called Mediation Servers, in order to communicate with VoIP endpoints using ITU-standard codecs and IETF-standard SIP. These servers act as translators between an OCS 2007 server and the endpoints, as well as a gateway between an OCS server and other VoIP/public switched telephone network (PSTN) gateway hardware. Users considering a centralized deployment of OCS to support remote sites would have to install a Mediation Server in each location in order to support standard endpoints and for making PSTN calls. Microsoft recommends a full Windows 2003 server (minimum of dual-3.2GHz processors with 2GB memory) for running the Mediation Server software, as well as SQL Server 2005.
OCS and the fifth "9"
Then there is the reliability issue. For years, VoIP vendors have moved away from Microsoft's Windows Server as a platform for hosting IP PBX applications. Avaya, Siemens and Mitel run their call servers on Linux. Nortel's Communication Server 1000 runs on the real-time VXWorks operating system (used in military and NASA applications). 3Com's VCX platform runs on Sun Solaris.
Industry observers and vendors say the move away from Windows to other platforms to host VoIP was based on customer concerns about the stability of Windows systems, and the frequent software patching and updating required on the servers. Cisco's CallManager IP PBX, long based on a Microsoft server, was ported last year to Linux as an "appliance-like" system, requiring minimal patching and operating system tinkering, the company says. (Cisco still sells and supports CallManager, now called Unified Communications Manager, on Windows.)
With all this as background, some views on Microsoft's ambitions in enterprise VoIP are skeptical.
"I can see it now," wrote one Network World reader in an online forum about Microsoft OCS 2007. "'Everyone, please get off the phone, we have to apply a bug fix'."
A major move Microsoft made a year ago to convince enterprises that Microsoft can handle corporate VoIP is the company's partnership with Nortel. The two vendors' Innovative Communications Alliance involves shared R&D, marketing, sales and support resources over a four-year span.
"We're dedicated to earning the confidence of all customers" when it comes to OCS reliability, said Jeff Raikes, president of the Microsoft Business Division, during a presentation earlier this year. He equates Microsoft's entry into enterprise VoIP with the company's emergence in mission-critical data center serving. "We're not new to this position in the area of critical communications." He pointed out that the Nasdaq stock market runs on Windows and SQL server, and in upwards of 10 million Cisco IP phones are tied into Windows servers running Cisco's CallManager platform.
"We want to work closely with partners such as Nortel to help power telephony in our software."
Users of both Microsoft and Nortel technologies say this is a good development.
"From what I've seen, it should be positive," says Joanne Kossuth, CIO at Olin College of Engineering in Needham, Mass., which runs a Nortel-based VoIP network, and Microsoft Exchange messaging servers.
The college is beta testing OCS 2007 and could roll out services to the school next year. Kossuth says integration of presence, federated IM and conferencing into Microsoft Outlook, with Nortel call control systems on the backend, will be easier to roll out and manage.
"Now you're going to be able to add capabilities without having to add new staff and skill sets to handle that capability," she says. This has been a concern to Kossuth as she has explored such applications in the past.
As for system reliability, OCS 2007 could only gain from closer integration with Nortel technology.
"In my work with Nortel, I've seen them as a company that engineers products at 150%," she says. "They don't go to market with something unless it's more than ready. Microsoft doesn’t necessarily have the same reputation. So I'm thinking that there will be some complementary things there. . . . Maybe together, they'll deliver products that are 100%."
2. VoIP: What really happens when I dial 911?
All corporate IP PBX systems can dial 911 services, but how much critical location data is transmitted during a life-or-death call depends on how the VoIP network and LAN is configured. The issue of IP softphones and mobile voice over Wi-Fi also complicates the issue.
Enhanced 911 service support was a major stumbling block for VoIP when it emerged in the consumer market several years ago. Technical issues, and some well-publicized incidents of failed emergency response from service providers, forced the FCC to step in with special 911 requirements for Internet phone service providers.
Many companies are still dealing with 911 issues and IP telephony deployments, as many IT departments still must manually track the location of phones in corporate offices. The easy portability of IP phones and the emergence of wireless IP handsets are challenges for maintaining an accurate device location database of phone extensions.
Enhanced 911, or E911, requires specific location information to be transmitted from a phone dialing 911 in an emergency, including building number, if a single campus address contains multiple buildings, as well floor numbers directional location (for example north, south, east, west).
"We do support 911 on all of our telephones on our campus," says Scott Mah, assistant vice president for IT infrastructure at the University of Washington in Seattle. "We have policies in place to limit end users from moving their phones around, which helps. But anytime we put a phone into service we basically register that telephone number and its corresponding address with the database."
The database maintained by the school's IT staff is passed to local emergency 911 call centers, or Public Safety Answering Points (PSAP), which links location information to each phone number in the school's system. This Automatic Location Identification (ALI) data is what's relayed to rescuers; if a 911 call is disconnected, emergency responders have information on where to go.
"[E911] is something we care a lot about and it's something we've maintained even without IP-enabled endpoints," Mah says.
There are some ways to automatically update ALI information when IP phones are moved. Some of this involves some planning of the campus network layout. New protocols and software are also available to help. Clever network administrators can setup pools of IP addresses into subnets which correspond to physical locations inside a building or campus. IP phones plugged into ports in these locations would automatically be linked to a building number and floor.
Cisco, Enterasys, Extreme, Nortel and Foundry all have their own proprietary discovery protocols for finding switches, routers and other devices on a network. But getting a Cisco switch to detect, let alone collect location data, on a Nortel IP phone is tricky, if not impossible. The Link Layer Discover Protocol-Media Endpoint Discover (LLDP-MED) is a Telecommunications Industry Association standard supported by Avaya, Extreme and ProCurve by HP, which LAN switches to collect device information and location data from IP phones (as well as other LLDP-MED-compliant devices, such as Wi-Fi access points) when network connections are plugged in. But because wide adoption of a standard discovery or registration protocol for phones is limited, users must work with what they have.
Technology has even emerged recently for tracking location data for IP softphone users. RedSky, which makes E911 software for enterprises and carriers, recently launched its RedSky Softphone Location Determination Application (SLDA), which works with Avaya softphone clients. The software lets users input location data during the logon process for the softphone application, which is then sent if 911 is dialed from the application.
The city of Oakland uses a VoIP system from ShoreTel to support around 2,000 city employees across multiple locations. IT and telecom technicians use a mix of automated and manual database maintenance to deliver E911 ALI data to emergency responders. Ethernet switches in the city's network use virtual LAN (VLAN) tags that are grouped according to buildings. ShoreTel IP phones can also correlate user names and system extensions with IP phone hardware, which is all collected in a database on the system. "This will tell 911 where the call is coming from, what the caller's name is, and what building," says Bob Glaze, CTO for the city. "But to bring it back to the exact location, we enter that information ourselves," into the ShoreTel ALI database, which is passed to local PSAPs.
"The real issues is that people typically feel more comfortable moving VoIP around, whereas they didn't feel like they could terminate their own digital phone in the past," says Drew Depler, Boulder County, Colo., IS director.
Even though the county uses all Cisco switches, CallManager IP PBXs and IP phones, a spreadsheet is used to update location data anytime a phone is moved. Only IT staff are allowed to physically move IP phones, Depler adds. "It's a manual set that we've added to our procedures list."
Depler says the proliferation of softphones and VoWi-Fi handsets is starting to emerge as another challenge for E911 services. "That really starts to become a cost-saving opportunity," Depler says of softphones, which allow county employees to work from home and cut down telecom costs. And in the future, if they're used widely, softphones could also eliminate the need for more costly IP desktop handsets.
But, Depler says, this also raises an issue for mobile workers with softphones. "How do you track where they are. It does have some impacts on 911. There are real tenuous issues as we look at mobility and we look at IP phones moving anywhere."
3. Is VoIP safe?
VoIP safety is a broad question that touches on many aspects of how IP telephony systems operate, and the various parts of the network VoIP touches, but according to one survey one thing is clear, VoIP technology isn't safe enough for many businesses.
Only half of the IT executives polled recently in a CompTIA study said they think security technology built into corporate VoIP products and services is solid. The survey (of 350 companies with 500 employees or fewer) showed that even wireless technology — often maligned for its security weakness — was held in higher regard than VoIP in terms of security. (Sixty percent of respondents said they trusted security in Wi-Fi gear.)
With VoIP, security concerns among the respondents in the CompTIA survey were not relating just to potential attacks on VoIP gear and software, but the affect a general worm or virus outbreak could have on the quality of IP voice calls. Worms and viruses that flood corporate networks with traffic may cause e-mail delivery to be delayed, slow application response times. But the latency introduced can simply kill an IP telephony conversation.
As for VoIP products, vulnerabilities are popping up more in IP telephony gear and software. Cisco, for instance, over the last 18 months issued nine major vulnerability advisories on products ranging from IP phones and IP PBXs, to routers that perform VoIP processes and functions. These nine warnings — serious enough for the vendor to issue software patches — compares with the two VoIP-related vulnerabilities Cisco had issued in the 18 months prior (July 2005 to January 2006).
Many vendor's IP call processing and messaging products run on top of Linux, Windows, Sun or other server operating systems. Softphones generally run on Windows desktops, while applications such as VoIP-based call center platforms can touch a wide array of other applications. Taking all this into account, Avaya had 25 product security advisories relating either directly to its VoIP products, or affecting underlying software products on which Avaya's technology runs, according to security research Web site Secunia. The Internet Security Systems X-Force vulnerability database has more than 100 entries over the past five years relating to vulnerability reports in VoIP products, applications and underlying protocols.
Some security researchers say the basic technology of some VoIP protocols is by nature hackable or susceptible to denial-of-service or call-interception attacks.
Sheran Gunasekera, a researcher with Scanit, wrote in a report that VoIP call interception can be simple, if targeted against equipment and traffic using non-encrypted, standards-based protocols. Scanit says tests it conducted used standard SIP signaling protocol and Real Time Protocol (RTP) for media transmission.
Against SIP-based VoIP conversations "signaling attacks can be used to eavesdrop on conversations and re-route or hijack calls," Gunasekera writes. "It is extremely easy to replay or resend SIP messages" to SIP-based call control gear in order to add participants to a SIP call or reroute the traffic.
Additionally, "media stream attacks are as easy to perform in a typical VoIP implementation," Gunasekera writes. "Any RTP streams intercepted by an attacker can easily be decoded with the relevant audio codec and the actual voice call can be recorded or listened to."
Other new VoIP threats on the horizon include the emergence of maliciously designed VoIP audio codecs. Theoretically, these so-called "evil codecs" are a VoIP audio stream designed specifically to crash a VoIP endpoint or server. VoIP industry pioneer Henry Sinnreich, who helped develop early implementations of SIP while at carrier MCI, said at a recent trade show that researchers are already demonstrating such attacks are possible.
"Eavesdropping is one example of an overhyped threat," said Lawrence Orans, a researcher with Gartner, in a previous interview. "Sure, it’s technically possible to execute a man-in-the-middle attack and capture packets. The reason that we hear so much about eavesdropping is that it really does illicit this visceral reaction. The main thing is to focus on the greater threats, for example attacking an IP PBX server itself."
"It is possible to have a secure VoIP deployment if you follow best practices," said David Endler, chairman and founder of the VoIP Security Alliance (VoIPSA) and director of security research for TippingPoint, in a previous interview. "All of these systems are securable, but they do take some knowledge to get them to that point." Using encryption on VoIP signaling (SIP and H.323) and payload streams (RTP and UDP, typically) are some approaches. Ensuring IP PBX servers are patched and configured properly, and restricting the types of traffic that can contact IP endpoints are other measures.
Orans agrees that IT security best practices can cover most common threats to a VoIP network. "Enterprises that diligently use security best practices to protect their IP telephony servers should not let [VoIP] threats derail their plans," he writes in a report.
He also has said in past interviews and reports that much of the talk around VoIP security threats is hype and conjecture, vs. actual security problems facing enterprise IT professionals. (He's even accused VOIPSA and other VoIP security alarmists of "scaremongering" in the past.)
"Threats to IP telephony implementations have been overhyped," he says. "Attacks are rare."
4. Do I need a $1,000 IP phone?
Flat-screen color display . . . Gigabit Ethernet . . . Linux OS.
These aren't specs for high-end gaming PCs or enterprise network appliances . . . the features describe Siemens' OpenStage SIP-based IP telephone. While clearly aimed at the high-end user, this type of desktop IP phone reflects the growing horsepower, features and capabilities being packed into desktop IP handsets. Whether these mini-computer telephones make users more productive, or add business value to an IT deployment is debatable, some observers and users say.
"Many enterprises are dramatically overspending on desktop IP telephones," says Jeff Snyder, an analyst with Gartner. "Spending $700 to $800 on a beautiful IP phone for the desktop is serious overkill."
The reason is that many users are not yet rolling out applications that take advantage of advanced capabilities these phones provide. While some phones support Web browsers, XML and Java applications, the effort and cost of tying back-end applications and systems into an IP phone is hard to justify.
"The most common application people use on phone displays is calling up past-call lists," Snyder says. "They don’t really have any enterprise applications that merit having a large color screen on the phone."
This is not to say there is no value in tying applications to IP phones with displays. Credit Valley Hospital in Mississauga, Ontario, conducted a pilot project to push corporate directory information down to more than 1,000 Nortel IP phones deployed throughout the hospital. An appliance from Citrix called the Net6 was used to convert directory data into a format that is readable and navigable by IP phone screens and interfaces. The project's aim was to allow doctors, nurses and other staff to quickly look up information when not at a PC.
The problem is that the hospital has 2,500 phones, with more than half of them being non-IP phones, or IP phones that cannot support the directory tie-in feature.
"We could not justify the extra licensing to roll out this feature to all those new IP phones," said Tim Oliwiak, the hospital's voice systems analyst at a conference earlier this year. "If we deploy a feature like this, people will become familiar with it, and it has to be everywhere." As a result, the hospital pulled back on the IP phone/directory roll out.
Gartner's Snyder says the integration of IP telephony with corporate applications and databases has real value and is an emerging trend inside databases. "By the time these types of [converged] applications become pervasive, [most] users will be accessing them through softphones on their screen" or through enterprise applications, which are tied to VoIP-based features. Salesforce.com is an example: recent tie-ins with Siemens and Cisco allow users to make calls from client record screens via a Web interface.
Getting back to the licensing issue facing the Ontario Hospital, this is something many enterprises and organizations are avoiding by choosing low-cost, generic IP phones running SIP. Part of the high costs of deploying IP phones also comes with licensing. While TDM phone systems are also licensed on a per-seat basis, other users are finding ways around these costs as they move to VoIP.
Sam Houston State University in Huntsville, Texas, uses Cisco IP phones running a generic SIP software stack, which allows the handsets to access an Asterisk IP PBX. The school had partially deployed an older-generation Cisco CallManager system, which used Cisco's proprietary "Skinny" call control protocol. This required each phone on the system to be licensed in order to register with the call server.
"The massive amounts of licensing fees required to keep the Cisco CallManager network up and running" was one of the main reasons the school went to the SIP/open source approach, says Aaron Daniel, senior voice analyst at the school. Because Asterisk is open source, this eliminates the need to license thousands of IP phones, which would have been required to run on Cisco's CallManager IP PBX.
5. Will SIP ever be ready for the desktop?
The VoIP industry has touted SIP for most of this decade as the future of IP telephony. Proponents say the open-standard nature of SIP, its flexibility and elegance are among its virtues (besides being a great acronym for marketing PowerPoints and trade magazine headlines).
The problem is, most companies must still rely on proprietary VoIP protocols, or vendor-tweaked (and thus, vendor-exclusive) versions of SIP in large IP telephony deployments.
"SIP really describes a limited number of features in terms of it being an industry open standard," says Anne Coulombe, senior product manager at Avaya. "So invariably, a proprietary protocol will have more features."
Most major vendors such as 3Com, Avaya, Cisco, Nortel, Mitel and Siemens who ship phones that run proprietary VoIP protocols also offer standard SIP software stacks that can be loaded onto the devices. This allows the phones to work with so-called "pure" SIP backend IP PBXs or media servers. Even the open source Asterisk IP PBX system — touted by users for its openness and flexibility — has its own non-SIP protocol for communicating between servers and end-point devices. (Although Asterisk fully supports SIP-based endpoints and peering servers.)
With desktop phone features, the most important ones vary widely depending on users. People who live on conference calls want a button that can hold all parties without dropping anyone. Those who pop in and out of the office need a message-waiting light. This is why protocols such as Cisco's SCCP, Siemens' CoreNet, and others still come as standard on respective IP and phones and PBXs.
But the demand for SIP is increasing, as users look to integrate presence and multimedia features into a VoIP network. To accommodate, vendors are also creating proprietary extensions to SIP to give the protocols a few extra features — enough to make or break an enterprise VoIP system sale, in some cases.
"It's commercially unreasonable to say to customers that they must be purists about a certain protocol," Microsoft's Duffy says. " If we need to make changes to a protocol, or other scenarios, we'll do that" in order to meet customer's needs, he says.
Avaya calls its SIP extension Avaya SIP Telephony, which extends the number of features a SIP phone supports to around 62 — twice as many as are available on basic IETF-based SIP phones.
Vendors such as Avaya and others are also extending basic SIP phone functionality with feature access codes. This involves passing dual-tone multi-frequency (DTMF, or tone-based signaling based on dial pad buttons) signals through standard SIP packets to a PBX or IP PBX backend, which allows users of SIP-based phones to access features normally available only to proprietary systems.
"So features you could normally turn on by dialing 1234# on your phone, it will turn on the backend," Coulombe says. "That's 100% SIP-compliant, but you've actually extended the capabilities of all SIP phones attaching to the [non-standard] backend."
Some users rolling out large deployments of SIP endpoints say a lack of features is not an issue. (Albeit, these users say they chose to use SIP phones in basic office settings where advanced PBX features are not commonly used.) The University of Pennsylvania is one such organization in the process of deploying thousands of IETF-standard SIP telephones to faculty and staff offices at its Philadelphia campus locations.
"The truth is that the vast majority of services people want, we can provide," says Deke Kassabian, senior technology director at the university. "And the ones we can't yet provide, we're working on those."
Bridged-line appearance and busy-indicator lights are among some features that are hard to do well in an open, standard environment right now, he says.
At toolmaker Stanley Works, plans are in the works to widely use Polycom IP phones with a SIP-based VoIP system from Interactive Intelligence. IT executives at the company have said they expect to see cost savings of $200 to $300 per seat in using the SIP-based phones vs. proprietary VoIP handsets and systems offered by Cisco or Avaya.
"I have not heard of any problems or issues about shortcomings in terms of SIP's features," says David Cote, global telecommunications manager for the company.
As SIP becomes more mainstream, increased interoperability and the expansion of features should be expected, industry insiders says.
Microsoft's Duffy says users "won't be having conversations about SIP interoperability in five years." Over time, VoIP systems and SIP will operate similarly to Web applications over TCP/IP. "No one would for a minute realistically wonder if those systems would work."
6. How do I run my business on Skype?
Skype, which claims around 100 million registered names, estimates that 30% of its installed base are business users. The free VoIP tool is utilized widely by road-warrior employees with laptops, as well as small businesses and teleworkers.
Some companies are even patching together systems that integrate Skype into larger VoIP systems. Big cost savings can be gained this way by using Skype to connect branch offices, while still maintaining the feeling of working on a business telephone, as opposed to a PC-based softphone, which some employees may find unfamiliar.
Chicago to China: a case study
One such company is Eastern Accents, a Chicago home furnishing manufacturer, which has a growing presence in China. It started using Skype to connect to China years ago, and recently took its Skype/telephony integration to the next level.
Elvin Rakhmankulov, the company's director of IT, wanted a way to inexpensively, and reliably connect its growing China operation with the company's 200 employees in Chicago, and other domestic satellite offices. Eastern Accents has 3Com NBX IP PBX system, which easily ties together its U.S. branch offices over the Internet. Sites in Los Angeles and North Carolina get 3Com IP phones, which link back to the Chicago NBX through VPN links.
When Rakhmankulov tried this setup to connect to China, he hit the wall.
"The calls were not being blocked, but the latency, the speed of the network, was really slow," he says. "Nobody knows for sure why there is so much latency for Internet traffic going into and out of China. But any Internet communication to China is a huge issue. When the signal goes from the United States to China, it really takes a while."
Rakhmankulov discovered the free VoIP client worked fine, passing through whatever firewalls or other gateways without any perceived latency to the calls. "Skype does not need a lot of bandwidth. At the same time works with China very well," he says. "The quality of the calls is very good."
Employees used PC-to-PC Skype, but Rakhmankulov wanted to integrate communication line as part of the businesses phone system. "It would be much easier for most people because they don't have to have headsets on their computers, microphones and all that stuff," he says.
Rakhmankulov rigged his system by attaching the 3Com NBX to an appliance from VoSky, which lets employees make Skype calls from 3Com IP phones on desktops. The 3Com NBX connects to the VoSky Exchange 9000 appliance through four analog trunks. A USB links from the VoSky box also connects to a dedicated Windows XP machine with four Skype accounts running simultaneously. The VoSky box has a database that converts the Skype user names of the employees in China into extension numbers. When Chicago users dial eight and then the extension from a 3Com phone, it connects to the employee in China using Skype on a PC with a headset.
"Users don't know anything about it in the background," he says. "If they want to make an international call, they dial eight, and it goes through Skype. His next plan is to ship a 3Com NBX, IP phones and VoSky appliance to the office in China, and replicate the setup in the Chicago office so all employees can talk on actual phones, instead of a mix of PC headsets and handsets.
Overall, Rakhmankulov estimates he's cut his telephone bills a third by using Skype to call China. Using Skype of the public Internet is also a big cost saver vs. setting up a private point-to-point IP line to China for VoIP,
For around $5,000 a month, "major providers like Sprint or AT&T can give you an MPLS channel, which is equivalent to T-1 speeds but dedicated channel between the offices," he says. But even with such a service, "I wouldn't be sure that VoIP would work perfectly over such a channel to China. It would work, definitely better than the Internet, but there are still latencies there. And it's really a lot of money."
Security in mind
Experts say that tightly controlled Skype usage, such as the system at Eastern Accents, is what companies should strive for in using Skype. While it can be a useful tool, IT administrators should get out in front of Skype usage before discovering the software downloaded on laptops and PCs without authorization.
"Because the Skype client is a free download," Gartner's Orans says, "it is widely used and most businesses have no idea how many Skype clients are installed on their systems or how much Skype traffic passes over their networks."
Skype currently has seven security bulletins on its site relating to known security flaws or exploits of the software. Exploits of vulnerabilities and bugs range from potential system crashes to execution of arbitrary code on a Skype PC. Skype's P2P file-sharing capabilities compounds the risks associated with the software.
The growing number of security holes in the program "highlights the risk of not establishing and implementing an enterprise policy for Skype," Orans says. "If after weighing the risks, a business decides to allow Skype use, it should actively manage version control of Skype client — and its distribution to authorized users — using configuration management tools."