Converged networks that carry voice, data and even video on to a single infrastructure bring benefits but also risk and at first appearance the two seem to be in equal measure. At a recent conference, one speaker summed up the situation well: “The problem and benefit of convergence is, your network is your business. If your network fails, your business is off the air.”
In a converged environment, voice traffic runs over internet protocol (IP). As such, it carries some level of risk, but that’s true for any new application on a network. Donal Daly, sales manager with Lan Communications, emphasises that voice over IP (VoIP) is secure and doesn’t carry any inherent risks. “Voice is just an application wrapped up within an IP packet,” he says. The early days of VoIP deployments were characterised by greenfield sites of 25 users or so. “Now it’s being more widely adopted and accepted by corporates and governments. It has been proven to work, is effective and reliable and by definition secure.”
“The problem is not so much with the technology but with the deployment,” adds Gary Newe, security architect with Entropy. “There are best practices that should be followed and if a company does not have the resources or expertise in-house they should partner with someone who does.”
The same risks that data packets are potentially susceptible to — such as sniffing, hacking or denial of service — are all just as relevant for VoIP. Then there are some additional risks. According to Conall Lavery, managing director of Entropy, availability is crucial and there are two elements to consider. The first of these is quality of service. Business VoIP is best deployed on dedicated business networks, not over the internet because of the risk that traffic peaks on the internet will cause voice delays that would be unacceptable on business calls.
Secondly, security problems that are bearable in a data-only environment take on a different complexion with convergence. Lavery gives the example of a denial-of-service attack that doesn’t bring the network down but slows it so much that there are quality problems with phone calls. “In the data network it is not a serious business problem if mail takes an extra few seconds to be delivered but it is in a voice environment,” he says.
Newe elaborates on the threats, noting that some of the specific risks associated with VoIP revolve around the integrity of the data: this could mean knowing a call that was placed was actually placed. “It is very easy to capture VoIP conversations in raw data form and with a little work this data can be converted back into an audible conversation, bearing that in mind there is also the threat of introducing words into conversations. These risks are not too common but should be kept in mind.”
There are many different approaches to take in order to improve security of voice traffic on an IP network. Daly advises organisations to put encryption in place so that even if voice packets are intercepted, the call could never be subsequently decoded. Encryption now comes as standard with many manufacturers’ products, he adds. “Don’t go with the default settings because they’re the easiest to set up and therefore the least secure.”
Daly promotes the security as insurance argument — if what you hold is valuable, it’s worth protecting it accordingly. Positing the worst-case scenario, he says: “If somebody broke into an online bank or retail organisation’s VoIP stream, they could get customers quoting credit card numbers or giving personal information.” The level of risk will be different for every company, he adds. “The technology is there to allow a secure VoIP stream between two people, absolutely. The question is how many layers of security are appropriate.”
Lavery points out that the manufacturers and standards bodies of VoIP are driving some security features into products, although he cautions against customers relying on product makers to anticipate all problems. “Each organisation should be responsible for their own security just as they are in the data world,” he says. Encouragingly, he believes a better job is being done with VoIP security than there was for wireless networking.
The sticking point is that the more security implemented, the more difficult it can be for a user to interact with the network because of having to enter various passwords or go through laborious authentication procedures. In other words, if there is a clear business case for using VoIP, this shouldn’t be undermined by technology that makes it hard to use in practice. “Layers of security typically impose on user experience,” says Daly, “so the buying decision is a balance of risk, cost and ease of use.”
John Stone, chief technical officer with Cisco Ireland, doesn’t subscribe to the theory that because IP is a widely known standard it is therefore more vulnerable. “The advantage in moving to IP is that there are a significant number of protection mechanisms built in that allow you to do more than you could previously. By using new technology and the security features it has, you can actually increase the level of protection in your voice network,” he says. That level of security has been sufficient to satisfy many police forces to adopt VoIP, Stone claims.
All agree that security considerations are not a reason to hold off from deploying VoIP. “People don’t stop deploying a data network because they’re thinking it could be open to attack. They make it as secure as possible, then deploy it,” says Daly.
Stone makes the case that voice’s importance to a business is helping to improve the level of overall security within their sites. “VoIP is raising customer awareness of how security can be implemented within their infrastructure,” he states, suggesting the work involved in collapsing two networks into one puts the issue of business exposure firmly in the spotlight. “When an organisation makes this converged decision, they look at it from the risk point of view. If it’s on one platform they look at it as being a far greater strategic resource to the company and security is probably the greatest decision in relation to that. The data network becomes more secure because voice is put on top of it.”
By Gordon Smith