Letting your VOIP be heard
It seems that Voice-Over-IP (VOIP) is a technology that will inevitably spread to every corner of the space-time continuum. Things like this don’t spread unless there is a real economic value to somebody. So, what does this mean for enterprises? Are employees installing VOIP phone software like SKYPE on your organization’s computers? Are they loaded with spyware? It’s probably not as bad as it might sound, but there are VOIP security issues that impact the enterprise, regardless of whether it is a sanctioned practice or not.
Once again, the Security Round Table podcasts are a great source of background to get us up to speed on the issues. I believe it’s in Episode #5 of the 2006 series of SRT podcasts where guest expert Dan York, of the BlueBox Podcast, helps unravel some of the panel’s probing questions.
The main things I think are important to note for Security Managers are:
- Port-hopping and bandwidth concerns for most VOIP solutions are not as big a problem as you might think. Most voice data is very compressed, so bandwidth is not a big problem as long as the service’s supernodes (which aggregate and switch the voice channels) are outside the enterprise network. And while port-hopping is annoying to IT Security Management, some vendors like Avaya and Mitel are starting to think about ways to enable enterprises to have more control over the behaviour of VOIP traffic within their boundaries.
- Malicious code concerns do exist, but again are not as likely to be a problem as in other technologies. Hardware-based VOIP phones have very little “general purpose” capability for viruses and worms to exploit. However, you should be aware that software or firmware loads sometimes come from unprotected TFTP sites, so signed and encrypted software loads are often required.
- Privacy and confidentiality concerns are being addressed by some vendors. While SKYPE has a proprietary protocol, a pseudo-independent analyst report available on the SKYPE Web site indicates that it uses AES 128 encryption, which is respectable provided it is implemented with appropriate surrounding safeguards.
- SPAM over Internet Technology (SPIT) is not yet a big concern due to some incidental characteristics of most networks that make it difficult to exploit, for now…
So, aside from the basic problem of having staff install software on machines connected to a network, VOIP technologies probably don’t pose as many security risks as one might imagine. The benefits of more cost-effective voice communications are clearly being realized. However, it’s a newish and evolving technology that must be monitored if you plan to allow it, or even deploy it, within an organization.

