Early in 2005 the US National Institute of Standards and Technology (NIST) published a 99-page report entitled: "Security Considerations for Voice-over-IP Systems." It is not recommended reading for the feint-hearted.
In a nutshell, the NIST report points out that migrating voice services to an IP network immediately exposes them to the same catalogue of security exploits that threaten any other IP application. Unfortunately, says NIST, in most other respects, voice is not like any other IP application.
The key problem is that, unlike email or instant messaging, voice is a genuinely real-time communications medium. This is its great strength: voice offers an immediacy and degree of intimacy that text-based communications systems cannot match. However, removed from its traditional circuit-switched habitat, the real-time nature of voice becomes its Achilles heel because, unlike text-based alternatives, voice communications are easily derailed by bandwidth degradation, network jitter and packet loss.
If this were simply an engineering issue, it would not be a problem: modern IP networks allow different applications to employ different quality of service (QoS) levels, so that voice applications can be given priority access to the necessary bandwidth. But it is not just an engineering issue.
When security is taken into consideration, voice presents a set of special problems that most IP networks are ill-equipped to deal with. For instance, the established methods of protecting IP networks from viruses, worms or denial of service attacks, such as firewalls and protocol analysers, typically introduce latency into networks – making them almost as good at blocking voice traffic as intrusive security exploits.
Other security safeguards, such as encryption, present similar challenges to voice traffic, and then there is the inherently ‘open' nature of VoIP platforms servers: Unix and Windows-based servers are typically far more vulnerable to exploits than arcane and proprietary PBX systems. It is enough to make any network manager think twice before exposing such a mission-critical application to such a wide range of new risks.
However, analyst group Gartner insists that businesses should not allow security fears to scare them away from VoIP. In a recent research note Gartner argued: "Threats to IP telephony implementations are over-hyped. Enterprises that diligently use security best practices to protect their IP telephony servers should not let these threats derail their plans. The benefits of IP telephony far outweigh any security risks."