VoIP security still a major issue

In a previous column, I discussed how budgetary constraints are impeding voice-over-IP implementation. Another major impediment is security concerns, according to Webtorial’s recent 2003 VoIP “State of the Market Report” (available for download at www.webtorials.com). In this worldwide survey of end users, about 40% of the approximately 300 respondents cited security as one of the top four reasons why they haven’t deployed VoIP.

Digging deeper into the results, about 25% of the respondents cited concern about security of the network infrastructure as a major problem, while the rest took a less drastic view of the problem. When asked about security of the network infrastructure vs. the security of voice content, the greater concern was about the infrastructure.

The recent Blaster and SoBig-f attacks demonstrate that some of these concerns are well-founded – especially if the network infrastructure is not appropriately cared for. Some VoIP users who did not apply patches to protect against Blaster found their VoIP networks bogged down along with their data applications. Blaster-type attacks will force companies to take patches and upgrades more seriously. This additional diligence in securing the data network will have the side benefit of protecting the VoIP infrastructure.

But SoBig-f exposed a separate and equally disturbing VoIP vulnerability. By affecting e-mail, SoBig-f had a severe effect on thousands – if not millions – of PCs. While e-mail problems were being resolved, the PC became unusable for other applications. If you’re dependent on your PC for telephony, when your PC becomes unstable, your phone becomes unstable, too. This raises some serious questions about the wisdom of adopting soft phones – software that turns PCs into IP-based phones – as a part of overall VoIP implementation.

According to the “State of the Market Report,” end users strongly favor maintaining their traditional phones as part of their overall voice infrastructure. When asked about the importance of integrating traditional phones into the VoIP infrastructure and given five choices from “not important at all” to “extremely important,” more than half of the respondents chose “very important” or “extremely important.” It’s not clear whether security concerns were a part of this desire to maintain traditional phones at the time the survey was taken, but it is another issue that must be considered.

Overall, virus/worm incidents shouldn’t have a major effect on the VoIP market. These are data security issues, and when they are addressed for the data network, the VoIP installation will be addressed by default. But virus/worm incidents do indicate that if you’re getting ready to go full-throttle with VoIP, it’s common sense to apply any applicable patches to keep your infrastructure up to date.