Sidebar: How Secure Is VoIP?

VoIP-enabled telephone systems are becoming more widely accepted and utilized, with VoIP adoption expected to triple by 2010 among small organizations in North America, according to a study by Infonetics Research.

While VoIP technology is cheaper and more flexible because it uses the Internet for phone calls, these digital phone systems are susceptible to the same dangers as Web-linked computer networks.

Since VoIP is basically a telephone call over the Internet, the biggest threat to VoIP systems is denial-of-service (DoS) attacks, according to Gartner. These attacks can be especially problematic in the VoIP environment because the network congestion from DoS attacks can make conversations unintelligible. Capturing VoIP packets, or "eavesdropping," is another concern, although the threat isn't yet prevalent and is overhyped, according to Gartner. Signaling protocols, which establish communication sessions between two or more endpoints, also can expose VoIP phone systems to intruders.

The most important precaution to take with any VoIP-based phone system is protecting the Internet protocol PBX system with an internal firewall to stop DoS attacks, said Lawrence Orans, a research director at Gartner. VoIP traffic should run through a separate Internet connection using a virtual local area network that separates voice and data. This prevents an Internet-based data attack that could use the VoIP network to attack the primary network.

"If you look at high-level security, there's nothing mysterious about VoIP," Orans said. "The same components that can be attacked by converging information can be avoided with VoIP by many of the same best practices used with networks, such as firewalls and vulnerability management."

A 2005 report by the National Institute of Standards and Technology (NIST) urged caution when implementing VoIP technology because of security concerns. The report also recommends that organizations build separate voice and data networks.

Yet many security measures implemented in traditional data networks are currently inapplicable to VoIP since it has a low tolerance for disruption and packet loss, the report said. NIST recommended that firewalls, intrusion detection systems and other security components be customized for VoIP.

Organizations should also avoid buying inexpensive VoIP systems that can be installed on standard desktops, since these systems tend to be insecure. NIST recommends strong authentication and access control on the voice gateway system and using "stateful" packet filters that can track the state of connections, and "deny" packets that are not part of a properly originated call.