Growing Pains: VoIP in the Enterprise
What, Me Worry?
What should be your biggest VoIP security concerns?
One of the most common threats to VoIP, some vendors and users say, is a denial of service (DoS) attack that takes out a network's servers. DoS attacks aren't directed at the VoIP services themselves, of course, but VoIP services will get shut down if a DoS attack successfully overloads company servers with requests.
"In the VoIP arena, you're taking voice traffic that used to be separate and is now integrated into IP," says Brandt. "So you have to have certain things in place to protect yourself from those risks, but you want to be careful to not degrade your quality of service."
The most basic element for guarding against DoS attacks, says Siemens global marketing director Graham Howard, is installing a SIP-enabled firewall during your network setup to act as the first layer of defense. Lazar says session border controllers, which are firewalls designed specifically for VoIP systems, can control what packets go over an entire SIP trunk, thus giving businesses a strong tool for blocking packets sent as part of a DoS attack. Indeed, for small businesses, a good firewall can be entirely sufficient for VoIP security needs. Tolbert says that he sends all his intra-office voice traffic over a fiber backbone strung over six different sites, and that he relies only on firewall protection to keep his VoIP service up and running.
"If I was having my SIP traffic go through the Internet, I'd be a lot more concerned about it," he says. "But since my SIP traffic doesn't go outside my own little world, that doesn't worry me too much."
For companies that are sending their traffic over the Internet, however, Howard recommends investing in a VoIP encryption service that will thwart hackers attempting to tap into your company's communications. Siemens, for instance, offers a solution that lets users set encryption options on a call-by-call basis, and that gives them a notice on their desktop telling them that the encryption service is up and running.
How far should you go with your VoIP service? Should you get full on-premises control, or should you run your own PBX and let a vendor handle wire-to-the-building?
The answer really is, "It depends on your business needs." Brandt says that for his business, which runs contact centers for large companies, voice is an absolutely critical application that needs to be up and running with no latency at all times. Thus, it makes more sense for his IT department to have full on-premises control of the entire voice platform to ensure rapid problem-solving and to ensure that the network is tailored specifically to the company's needs. For companies where voice services are less critical -- that is, companies where employees rely more heavily on tools such as cell phones, e-mail and instant messaging -- Brandt says it makes much more sense to outsource managing your voice platform to a vendor or carrier.
"A lot of larger organizations prefer on-premises solutions, because you can't get hosted services for as large a scale as they need," says Lazar. "Where we see a lot more hosted services is in small businesses that have less than a thousand seats and that aren't geographically dispersed."
Howard shares Lazar's assessment that large businesses mostly want to run their own voice platforms themselves, although he thinks a lot of it has to do with the level of expertise the business has in its IT department. For instance, Howard says a credit card validation company recently contacted Siemens about VoIP solutions and wanted an outside company to manage all of its communications because the company simply did not want to deal with any of it internally.
As for smaller businesses, Tolbert says that they generally need the help of a hosted service provider, since most small businesses "don't want to be wasting their time tweaking and babying" their VoIP system constantly. However, he also notes that for small businesses that require 50 handsets or fewer, it's relatively simple to manage your own services by training one or two employees to do all the routing, phone-answering and adding of new users.
"Since we have a fairly small organization and I'm a volunteer IT coordinator, I want the technology to be as idiot-proof as possible and to make people self-sufficient in running the system," he says. "If you're an organization with 75 phones or less and you have to constantly call tech support, then you have the wrong telephone system and you're wasting money."