DUBUQUE, Iowa - Voice over Internet Protocol (VoIP) telephony dangles the promise of big savings, but some IT experts are sending out a wake-up call on potential security issues related to the technology.
Indeed, VoIP critics said that due to myriad inherent security flaws, hackers can listen in on conversations and flatten the popular Internet-based communications systems with denial-of-service (DoS) attacks.
“Absolutely, the marketplace hasn’t addressed VoIP security well enough,” said Steve Ervolino, VP-information services and technical support at Dupaco Community CU here, which has employed voice over Internet protocol (VoIP) telephony for five years.
“DoS can render the phone system inoperable,” added Alex Barker, SVP and CIO for Mountain America CU. “Eavesdropping could result in confidential information being misused.” The $2.4-billion CU installed VoIP eight years ago in all branches and four years ago at its headquarters in West Jordan, Utah.
VoIP systems are also vulnerable to worms, viruses, spam and fraud. Nearly 50 such risks in leading platforms, including Avaya, Cisco, and Nortel, are monitored by VoIPshield Systems, an Ottawa, Ontario-based provider of VoIP security. The VoIP vendors are attempting to address the majority of the flaws, whereas patches are available for others, said VoIPshield.
“Putting in a VoIP system on your network and computers introduces security vulnerabilities,” Ervolino said. “A VoIP system could be taken down faster by a hacker than the traditional PBX.”
Dupaco and Mountain America are lying low by safeguarding their VoIP systems–and by foregoing one of the benefits of VoIP: making external calls via the system.
“What we’ve done to mitigate is put our VoIP on 100% internal only,” Ervolino said. “So our external calls aren’t trunked across the open Internet but over regular phone lines. Any credit union that is pushing calls over the Internet is vulnerable if they’re not taking additional security steps.”
VoIP could be made safe–but it doesn’t seem likely in the near term, he continued. “If we could direct all of our calls to receivers with a virtual private network, or if someone would pay for end-to-end encryption, we’d be golden.”
As far as internal calls go, MACU would not specify how it protects its voice network. Instead, Barker advised CUs to separate voice and data traffic. A distinct virtual local area network for voice traffic equipped with an intrusion prevention system can keep voice protected from potential data vulnerabilities, he said.
Voice servers can be hardened, meaning the software can be altered to make it harder to attack, Barker added. Redundant hardware is also helpful in the event of a failure.
And credit unions can encrypt VoIP data, which is usually transmitted in clear text format and is easy to steal. Finally, authorized phones can be registered in the system, allowing for each VoIP call to be authenticated.
Ervolino doesn’t encrypt or separate VoIP data because the traffic is internal only, but each internal call is authenticated, he said. “It’d be easier for an employee to sit around the corner from another employee and listen to a private conversation than to listen in on a VoIP call.”
The $505-million Dupaco uses a standard firewall to block VoIP traffic from leaving or entering the internal network. Comprehensive VoIP-specific firewalls are also available and recommended by some experts.
Ervolino advised CUs that are diving into VoIP to pair up with a veteran provider: “Don’t try to do it yourself. And if you want to use VoIP to make calls across the Internet, then that’s something extra to think about.”
Dupaco handles 6000 calls per day on a VoIP system provided by Interactive Intelligence. MACU uses a Cisco system and routes about 10,000 calls per day.
Despite the risk, Ervolino is enjoying the cost savings and configurability of VoIP. “I wouldn’t go back. The benefits far outweigh the threats.”
MORE
Read more about VoIP at cujournal.com and search the following bolded terms in the archive:
Internet-Connected Phones: Gold Standard In Security, Reliability?
Experts Suggest VoIP Telephony Is Heading For The Main Stream
For more info on this story:
* www.dupaco.com
* www.macu.com
* www.interactive-intelligence.com
* www.voipshield.com(c) 2008 The Credit Union Journal and SourceMedia, Inc. All Rights Reserved.http://www.cujournal.com http://www.sourcemedia.com
