You can tell enterprises are serious about VoIP when discussions about securing IP telephony are drawing record...
"Less than a year ago, if you had mentioned security in a discussion about VoIP, you would have cleared out the room," said R. Pierce Reid, vice president of marketing at Qovia, a maker of VoIP monitoring appliances based in Frederick, Md. "It's good to see people talking about spam and spit (spam over Internet telephony)."
Reid made his comments while speaking on a VoIP security panel at the Fall VON 2004 Conference and Expo in Boston last week.
The Yankee Group predicts about 1 million VoIP users by the end of 2004, almost eight times the number of users last year.
Yet the technology remains immature.
"VoIP has become deployable," said David Fraley, an analyst with Stamford, Conn.-based research firm Gartner Inc. "It works. Two years ago, you couldn't make that claim."
VoIP vendors and users must now focus on the technology's vulnerabilities, said Fraley.
Security specialists, and VoIP vendors for that matter, are treating the prospect of unwanted voice messages as a security threat, much as they have done with e-mail spam.
VoIP promises to eliminate traditional telephone surcharges beyond the cost of Internet access. But VoIP voice data packets sent over the Internet may eventually carry viruses, several VoIP experts at the conference said.
Enterprises using VoIP may also make their networks more vulnerable to distributed denial-of-service (DDoS) attacks, the experts said.
In fact, VoIP is opening new channels for nations and terrorists to engage in cyberwarfare, Fraley wrote in a January 2004 research note for Gartner.
While Fraley emphasized the risk today of large-scale cyberwarfare is very low, he noted that VoIP's vulnerabilities, particularly to DDoS attacks, will increase as the technology becomes more popular.
"Anything that creates latencies, including DDoS, is a problem for VoIP," said Fraley.
And while the threats to VoIP networks -- including DDoS -- seem familiar, enterprises will need to adopt new tactics to combat them.
"Unlike e-mail messages, which you can slow down, stop and examine," said Qovia's Reid, "you can't add latency to a VoIP call."
Some VoIP vendors are instead looking at patterns voice spammers might use, "such as those likely coming from auto-dialers," said Reid. He also said that standards specifying the use of Transport Layer Security (TLS), education, antispit legislation, "do not call" lists and other approaches will mitigate VoIP's vulnerabilities.
The nation's largest telcos will take the lead in securing VoIP calls for enterprises, small businesses and consumers, said Andy Abramson, a Del Mar, Calif.-based VoIP industry watcher, who maintains the blog, VoIP Watch.
"It doesn't take a genius to say the VoIP providers who are well-schooled in hacking, cracking and phreaking are going to do the best job securing VoIP," said Abramson. "AT&T and others will have the deep pockets, the hardware, and the people the start-ups can't offer."
Despite their best efforts, the experiences of telcos and their customers with telemarketing and fax spamming suggests that pesky marketers, at least, will find VoIP impossible to resist.
"Where there is a channel," said Qovia's Reid, "there will always be a pitch man."