VoIP and the Security Threat

Phil Wedgwood, MD at VoIP specialists Voice4IP, says now that VARs have the confidence to reassure customers about call quality it seems that security is the next issue blocking reseller VoIP sales. Recent research from US-based consultancy Savatar suggests that only 20% of SMEs are buying VoIP systems from resellers, it seems they feel more secure buying from their current telecoms equipment provider.

“But what are these security threats and how can resellers address users concerns so that organisations have the confidence to buy VoIP solutions through the channel? Phil Wedgwood, managing director of managed business telephony provider, Voice4IP, explains.

Migrating voice services to an IP network immediately exposes telephony to the same security issues that threaten any other IP application. Unlike email or instant messaging, voice is a genuine real time communications medium and can easily be derailed by bandwidth degradation, network jitter and packet loss.

Voice over IP (VoIP) networks use the same TCP/IP technology as any other network connected device and require the same procedures to ensure their security. Hackers will inevitably turn their attention to VoIP systems, so it is imperative that security is top priority in the resellers’ sales strategy and integral to VoIP system design.

Companies adopting VoIP should be aware of threats including; voicemail spam, ID spoofing and denial of service (DoS) attacks as well as the possible interception of private or sensitive phone calls.

It is a joint vendor and reseller responsibility to provide a VoIP system that addresses all these security fears. Customers should be advised right at the start of the process about the available security measures, such as encrypting voice traffic, running it over a VPN, making sure firewalls are properly configured, and choosing a provider where the firewall configuration does not have to be completely overhauled.

Running traffic over the public Internet is inherently insecure and trying to add security onto this can never be as effective as using a private network. A private network also makes activity and call tracking easier.

If companies opt for the DIY approach, and choose to try and integrate disparate hardware and services, the risk of exposing the business increases. Often only large organisations have the luxury of fully skilled IT teams with Cisco accredited staff and network professionals capable of implementing such projects. Resellers can add the most value through advising the less technology mature businesses.”

So what are the issues for the channel?

– Resellers must understand the issues of a fragmented system. Selling an IP PBX where the customer may link via the public Internet could be exposing them to security breaches.
– Resellers must understand their liability, focusing on how they can protect themselves, looking at what they can legitimately be responsible for given they do not have control over the entire system.
– If a provider includes a soft switch can they control and change the code? Things as simple as protecting voicemail boxes and outbound calls need to be managed as the system evolves so these cannot be hacked leading to ‘toll-fraud’.
– Who owns responsibility for the service levels? The right vendor-partner agreements are needed to fully protect customers.

Wedgwood concludes, “Given that security is a real issue, resellers have a duty to plan, implement and maintain the highest quality systems. Selling a fully managed system exposes the reseller to less risk and can increase their involvement in future customer revenue.”