Advantages, Disadvantages and Security Risk Associated With VOIP Implementation
This paper will examine some of the protocols and details of the RFC governing VOIP. Voice over IP, often referred to as VOIP, involves the transmission of “voice over packet-switched IP networks” (Kuhn, Walsh, and Fries 9). A new and emerging technology according to the National Institute of Standards and Technology (2005), VOIP provides users with many benefits, including low cost, flexibility and efficiency. With the benefits associated with VOIP, however, come many risks, including those related to security. This paper will explore both the benefits and the potential risks associated with VOIP technology.
Benefits of VOIP
There are multiple benefits organizations can realize by taking advantage of data networks to carry voice traffic, or VOIP. VOIP is a technology that mingles voice traffic with IP telephony or “data traffic” to create VOIP (Flatland 26). Some of the benefits and advantages of this technology are as follows. First, businesses can take advantage of the data networks “already in use” to reduce the cost of telephone calls (Flatland 26). Second, VOIP systems can be integrated into an existing network using a simple infrastructure that includes CAT5 cables (Flatland, 2005; Kuhn, Walsh and Fries, 2005). Next, a VOIP system is easily extended into the existing network and is thus scalable (Flatland, 2005). Many companies are jumping on the bandwagon, eagerly awaiting installation of their VOIP systems because of these benefits. True to form, many individuals and organizations, small and large alike, find that despite the complications associated with training and utilization of VOIP, the long-term efficiency and cost benefits are well worth the initial investment. Much time, care, and patience, however, must be given to setting up a safe and secure infrastructure for VOIP to work on a wide-scale basis, because most companies will find they need to buy proprietary security plug-ins before they can use VOIP securely, without the risk of hijackers entering the data network through unsecured gateways or backdoors.
Most companies will reduce their operating costs when using VOIP because they can take advantage of a converged system that is easy to manage and inexpensive compared to other alternatives. Enhanced features of VOIP, including “click to talk” services, allow customer service agents to provide better, faster and more efficient service (Kuhn, Walsh and Fries, 2005). This service is easy to understand and easy to implement with a little training and dedication. VOIP systems can also be used remotely, so employees traveling or working from home can enjoy the same benefits they would if they were working in-house. Many companies are interested in implementing VOIP because of this benefit. As the world becomes increasingly global and diverse, and more and more companies operate on an international level, it is more important than ever before for remote workers to have access to secure packets of information. They must also have easy and cost-effective access to company computers without the hassle of setting up additional firewalls to receive and transmit data in real time.
If an organization operated from a corporate center and a branch location, a single system could centralize operations so there would be no need to have an answering clerk or receptionist at both locations (Windley, 2005). This is much more efficient than the switchboard operations that were once used to transport calls from one location to another. The concept, however, is similar in that a single operator can easily connect data and voice messages from one point to another through a central “switchboard” operated by one technologist or by a very clever technician.
Employees can use VOIP much like their personal PC with the addition of a handset and an IP address (Windley, 2005). Most VOIP applications can run XML applications, so organizations would not have to buy or utilize unneeded PCs, which will also save a company money in the long run (Windley, 2005). This does not mean, however, that a company will not have to put out a great deal of money on implementation. To implement the system, some expense is necessary, especially with regard to securing the system, as noted later in this review. VOIP distributes voice signals into streams of packets distributed over what technologists call a “packet network” and then transmits the signal back, so voice and fax data can travel over “a packet data network” along with other data packets simultaneously (Windley, 2005).
VOIP technology enables web-based call centers, collaborative “white boarding” and “unified messaging,” not to mention caller ID and voice mail, which are common features in any telephone system (VOIPReview, 2007). How does voice over internet protocol work? Typically, phone lines called PSTN or “public switched telephone networks” work via circuit switching, much like old switchboards of the past where a single operator would connect callers or incoming calls (from faxes or other data sources) to the correct receiver, by passing messages through electrical currents. VOIP utilizes a technology referred to as “packet switching,” where data packets are transported through the Internet rather than through electrical currents, so the information travels from one computer to another, or to a telephone network. Because so many people are attempting to integrate their services these days, VOIP is fast, efficient and up to 90% cheaper than traditional methods of communications for many large organizations. Why wouldn’t an organization want to implement this technology?
As with anything positive, there are some disadvantages associated with VOIP. These may include security risks, because the introduction of VOIP may increase a company’s data and voice exposure if added security measures are not taken. This is perhaps the most serious risk and will be reviewed more thoroughly in the next section. Other risks or potential sources of problems include the reliability of service. While for the most part VOIP is reliable, if a company’s LAN or telephone system fails, then the VOIP system will too. Also, the organization using VOIP will have to train all employees who use it on how to do so safely and efficiently.
Security Considerations for VOIP
One of the primary security risks posed by VOIP comes from human use of VOIP (Flatland 26). Many people are simply ignorant of the safety considerations they must take. For example, administrators often fail to secure their VOIP system because they assume they can insert the components into a network that is already secure and have no problems (Kuhn, Walsh and Fries, 2005). However, there are many steps administrators must take before they can simply “plug and play” if they want VOIP to work with their network.
VOIP comes in many forms, including mobile units and conferencing units. The components needed for VOIP to work include call managers and processors, gateways, protocols, firewalls and routers (Kuhn, Walsh & Fries, 2005). All of these components typically require “counterparts used in data networks”; however, traditional network software will not be enough to meet the needs of VOIP software, so companies will typically have to supplement their current networks with special components built to handle VOIP data transmission (Kuhn, Walsh & Fries, p. 3). Quality of Service in VOIP networks is important; however, when security measures are implemented the quality of service often declines, because firewalls and other protection units can block calls or delay them (Kuhn, Walsh, & Fries, p. 3). All security devices in a traditional network, including firewalls and hijacking software, have to be applicable to the VOIP components or they will not work together.
Most VOIP systems on the market today use H.323 and SIP or “session initiation protocol” to provide security, and since the two operate similarly there is no clear indication whether one is more secure than the other (Kuhn, Walsh & Fries, p. 3). Components and standards that would support these include “media gateway control protocol or MGCP” and “Megaco/H.248,” which is useful in “large deployments for gateway decomposition” (Kuhn, Walsh & Fries, p. 4). The packet networks used to transmit data in VOIP require administrators to configure multiple parameters, including the physical or MAC addresses of the voice-bound terminals and the IP addresses of any firewalls and routers used; VOIP-“specific” software like “call managers” or call “processing components” is used to route calls from one center to another (Kuhn, Walsh & Fries, p. 4). One of the reasons it is difficult to secure the VOIP network is that all of these extra components and configurations open many backdoors in a system that is already susceptible to hijackers (Flatland 26).
There are tools like NATs (network address translation) (Kuhn, Walsh & Fries, p. 4) that are expensive, but that will afford companies greater security. NATs, however, are not always compatible with IPsec and thus present their own problems (Flatland 26).
How to Protect Networks and Preserve QOS
There are steps the organization can take to protect networks from hijackers and preserve quality of service apart from the expensive options discussed (Flatland 26). For example, if it is possible, an organization can build a network architecture that allows “different subnets with separate RFC 1918 address blocks” for voice traffic transmissions and for data traffic (Kuhn, Walsh & Fries, p. 12). Each would, however, require separate DHCP servers so that firewall protection could be easily integrated within the system (Kuhn, Walsh & Fries, 2005; Flatland, 2005). H.323, SIP and other VOIP protocols can be disconnected at the voice gateway that interfaces with the PSTN to allow for stronger authentication and access control on the gateway system (Kuhn, Walsh & Fries, 2005). However, this can make key management problematic. Other ways to secure the data and voice network include implementing “packet filters” to track malicious connections (although this doesn’t always work and is not always sensible), or IPsec and Secure Shell to manage remote voice and data access so hijackers can’t utilize the remote system (Kuhn, Walsh & Fries, 2005).
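As an added illustration (not taken from the paper or from the NIST publication), the following Python code checks a voice/data address plan of the kind described above and flags flows that cross between the two segments. The subnets, the allowed call-manager entry and the flow records are constructed for the example.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def plan_problems(voice, data):
    """Return reasons why a voice/data subnet plan breaks the separation rule."""
    v, d = ipaddress.ip_network(voice), ipaddress.ip_network(data)
    problems = []
    for name, net in (("voice", v), ("data", d)):
        if not any(net.subnet_of(block) for block in RFC1918):
            problems.append(f"{name} subnet {net} is outside RFC 1918 space")
    if v.overlaps(d):
        problems.append(f"voice {v} and data {d} overlap")
    return problems

def segment(addr, voice, data):
    """Classify an address as 'voice', 'data' or 'other'."""
    ip = ipaddress.ip_address(addr)
    if ip in ipaddress.ip_network(voice):
        return "voice"
    if ip in ipaddress.ip_network(data):
        return "data"
    return "other"

def crossing_flows(flows, voice, data, allowed=()):
    """Return flows with one end in each segment that are not explicitly allowed."""
    flagged = []
    for src, dst, dport in flows:
        ends = {segment(src, voice, data), segment(dst, voice, data)}
        if ends == {"voice", "data"} and (src, dst, dport) not in allowed:
            flagged.append((src, dst, dport))
    return flagged

# Constructed sample data (assumptions, not from the paper).
VOICE, DATA = "10.20.0.0/24", "192.168.10.0/24"
ALLOWED = {("192.168.10.5", "10.20.0.10", 5060)}  # hypothetical softphone -> call manager
FLOWS = [
    ("10.20.0.21", "10.20.0.10", 5060),     # phone -> call manager, stays in voice
    ("192.168.10.5", "10.20.0.10", 5060),   # explicitly allowed crossing
    ("192.168.10.77", "10.20.0.21", 23),    # data host reaching a phone directly
    ("192.168.10.8", "192.168.10.9", 445),  # stays in data
]

if __name__ == "__main__":
    print(plan_problems(VOICE, DATA))
    print(crossing_flows(FLOWS, VOICE, DATA, ALLOWED))
```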
If performance declines because of security measures, the organization can take advantage of encryption at a gateway like the router rather than at “individual endpoints,” which would allow “IPsec tunneling.” However, this burden should be placed at a central point in the system so that all VOIP traffic is safe and encrypted, rather than only the traffic at specific gateways, like at the router (Flatland 26). A central location is universally protective, whereas endpoint protection is time-consuming and less efficient. Either way, each requires a bit of work and training to set up correctly (Flatland, 2005).
Organizations have to determine whether they are capable of managing the risk involved with using VOIP before they invest and take advantage of the benefits VOIP has to offer. It is important that “continuity of operations” is not interrupted while deploying VOIP systems (Kuhn, Walsh, and Fries, p. 11). Competent trainers will use voice samples and insert them into data packets to test their transmission on the Internet, using Real-time Transport Protocol or RTP packets, which are able to hold larger volumes of data that can assemble information from one point to another.
There are also many versions of VOIP that an organization must look at before deciding what is right for it. For example, a company might select a key management scheme capable of addressing SIP calls, RTSP sessions, multicast and more; an example of a key system capable of doing this is MIKEY (RFC 3830; Kuhn, Walsh and Fries 33), which can support multiple “crypto” sessions that are secure and trustworthy in nature. MIKEY allows for what researchers call “crypto session bundles,” which Kuhn, Walsh & Fries (2005) describe as “a collection of crypto sessions that may have a common traffic encryption key or TEK, generation key or TGK and session security parameters” (p. 34). Many different versions of SRTP exist, which all provide greater confidentiality and message authentication as well as “replay protection to the RTP/RTCP traffic,” allowing companies the flexibility to adapt application requirements with their own profiles (Kuhn, Walsh & Fries 33).
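The replay protection that SRTP adds to RTP traffic rests on a sliding window over packet numbers. The following Python code is an added illustration (not from the paper or from NIST SP 800-58): it parses the fixed RTP header and applies such a window to the 16-bit sequence number only. As simplifying assumptions, it leaves out the rollover counter that SRTP combines with the sequence number and the authentication check that SRTP performs before updating the window; all packets are constructed.

```python
import struct

WINDOW = 64  # packets tracked behind the newest one; RFC 3711 requires at least 64

def make_rtp(seq, payload=b"\x00" * 160):
    """Build a constructed RTP packet: version 2, payload type 0, fixed SSRC."""
    return struct.pack("!BBHII", 0x80, 0, seq, 0, 0x1234ABCD) + payload

def rtp_seq(packet):
    """Parse the fixed 12-byte RTP header and return the 16-bit sequence number."""
    if len(packet) < 12:
        raise ValueError("shorter than the fixed RTP header")
    first, _pt, seq, _ts, _ssrc = struct.unpack("!BBHII", packet[:12])
    if first >> 6 != 2:
        raise ValueError("not RTP version 2")
    return seq

class ReplayWindow:
    def __init__(self):
        self.top = None  # newest sequence number accepted so far
        self.mask = 0    # bit i set means (top - i) was already accepted

    def accept(self, seq):
        if self.top is None:
            self.top, self.mask = seq, 1
            return True
        ahead = (seq - self.top) & 0xFFFF       # modulo 2^16: handles wrap-around
        if 0 < ahead < 0x8000:                  # newer packet: slide the window
            self.mask = ((self.mask << ahead) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        behind = (self.top - seq) & 0xFFFF
        if behind >= WINDOW or (self.mask >> behind) & 1:
            return False                        # too old to judge, or a replay
        self.mask |= 1 << behind                # late but not seen before
        return True

def filter_stream(packets):
    """Return one accept/reject decision per packet, in arrival order."""
    window = ReplayWindow()
    return [window.accept(rtp_seq(p)) for p in packets]

# Constructed arrival order: wrap-around, two replays, one late packet, one stale packet.
SEQS = [65534, 65535, 0, 65535, 1, 65533, 0, 2000, 1900]

if __name__ == "__main__":
    print(filter_stream([make_rtp(s) for s in SEQS]))
```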
There are multiple benefits of VOIP, which include greater flexibility, lower long-term costs and integration of services. Just as there are benefits, there are also disadvantages, including the cost to start a system and the security costs associated with creating VOIP-specific security changes. Flatland (2005) sums it up best, noting that the key to successful integration of VOIP is “selecting a VOIP gateway, wireless access points and phones” that are compatible with a company’s existing system (p. 26). Large and small companies alike will find, if given enough time, training and patience, that VOIP is superior to other telephone data transmission services and utilities.
Flatland, Jeanne. Integrating Voice into the School Network: Benefits of Wireless VOIP, E Journal (Technological Horizons in Education) vol. 32.8: 2005. p. 26
Kuhn, Richard, Walsh, Thomas and Fries, Steffen. Security Considerations for Voice Over IP Systems. Special Publication 800-58, National Institute of Standards and Technology, U.S. Department of Commerce, January 2005
VOIPReview.org (2007) “Benefits of VOIP” Retrieved 16, December 2007:
Windley, Nicholas. “Benefits of VOIP” EzineArticles July 26, 2005. Retrieved 16, December 2005 http://ezinearticles.com/?id=54083