The soap box

Enterprise VoIP Primer: The Secure Investment // by Daniel Zubairi, CISSP

Published 26 April 2007

VoIP offers many advantages to the organizations deploying it, but the technology also brings with it vulnerabilities that must be addressed.

Many government departments and organizations are becoming familiar with the native scalability, cost savings, and management advantages of IP-based solutions for traditionally non-IP capabilities, but they must ensure they maintain the same level of security, reliability, confidentiality, and availability to which their users have been accustomed. The clearest case for this argument is that of VoIP. VoIP, also referred to as Internet Protocol Telephony (IPT) or VoE (Voice over Ethernet), is commonly known as Voice over Internet Protocol. It is a mechanism for moving from traditional Public Switched Telephone Networks (PSTNs) and Private Branch Exchange systems (PBXs) to a consolidated enterprise solution bearing internet, intranet, and voice traffic over one common medium. Moving critical and reliable communications networks to what some might consider less reliable networks, however, raises many potential security concerns. These concerns can be mitigated if the proper approach is taken.

Whether an enterprise chooses a centralized, distributed, or compartmentalized approach to VoIP, it is important to focus on using one standard approach to planning and implementation. Many federal agencies are currently facing the dilemma of not having specified standards and procurement policies early on and ending up with pockets of incompatible systems within the same department, making it nearly impossible for the systems to interoperate and potentially resulting in the complete loss of an investment. More importantly, when considering continuity of operations in the event of a disaster, a complete lack of interoperability could prove devastating to the continued mission of an organization. Other infrastructure issues to consider include the requirement of running power in tandem with Ethernet network connections, an implementation known as Power over Ethernet, or more aptly PoE. It is also important to consider providing generator power or extended power UPS devices to power telephones. Because VoIP network devices are vastly different from traditional PSTN and PBX devices, much care needs to be taken, since the convenience of the phone always being on may not be a reality. Beyond proper infrastructure planning, there exists another very real challenge to the VoIP Network if not addressed early on and throughout the life of the system