Cutting-edge VoIP technology provides SMBs with significant opportunities to realize new productivity gains and efficiencies. But this promise is balanced with the same security vulnerabilities found in the data networking world. Industry pundits have sounded the alarm about cyber threats, which have the potential to wreak havoc with business IP telephony systems. A strange new vocabulary of security jargon has arisen to label these dangers - "SPIT" (Spam over Internet Telephony) and "Vishing" (Voice and Phishing) are just a few - and telecom resellers and systems integrators should be prepared with answers and solutions to VoIP's security vulnerabilities as more businesses transition to IP telephony.
What are these threats? If you boil them down, they can be grouped in two basic categories - "D" threats and "P" threats.
D threats: VoIP attacks to disrupt, disable or destroy. What type of damage can be done? Imagine trying to accomplish work in your office and being barraged by "SPIT" - hundreds of automated inbound telephone calls flooding your phone, containing the same recorded message. Besides the obvious inconvenience, SPIT can severely degrade voice quality by sucking up all available bandwidth - especially if a business' VoIP and data systems are running on a converged LAN infrastructure.
A simple shell script - a few commands in several lines of code - can unleash a DoS (Denial of Service) attack that causes every phone at the business to ring off the hook and reboot continuously, paralyzing communications and operations.
P threats: Threats against privacy. In the TDM world, eavesdropping on private communications usually meant "wire-tapping." Today, a hacker using conventional network intrusion tactics can remotely penetrate a corporate LAN via his/her own personal computer and load an application that can eavesdrop and record VoIP calls, silently stealing information with little effort or risk.
Many Choices
Businesses considering IP telephony have a variety of choices, from a stand-alone IP PBX to a hosted VoIP solution to a "best of both worlds" managed, premises-based solution that leverages the strengths of both. From a security standpoint, a Managed Services solution is the best bet, as it provides LAN and WAN security controls that the other solutions cannot provide.
A managed service combines the same rich features as the larger and more expensive "big business" IP PBX platforms at a dramatically lower price point, while also providing the simplicity of a hosted VoIP service with vastly superior call quality and availability.
By selecting a managed broadband telephony service, a reseller enables SMBs to capitalize on the most advanced technology immediately affordable, while the reseller enjoys recurring monthly revenue from each seat sold over the life of the service contract. The operational hassles of maintaining equipment and ensuring security protections and overall system performance are handled invisibly by the Managed Services provider who monitors the service end-to-end on a 24-7 basis.
From a security standpoint, a managed service provides end-to-end protection, from the endpoint to the IP PBX to the cloud, through its unique architecture: a premises-based IP PBX, integrated telephony hardware, a dedicated voice-only broadband connection, and 24-7 monitoring, Quality of Service, and service-optimization LAN and WAN management.
A Few General Safeguards
A VoIP system or service that has a voice-only proxy firewall and session border controller provides robust protection against network intrusion threats that try to exploit an IP connection's vulnerability at the demarcation point between the LAN and the WAN. A dedicated voice-only proxy firewall built into a centrally managed IP PBX can neutralize evolving spam and network intrusion threats by terminating and regenerating all inbound voice traffic, preventing packet forwarding and public SIP call addressing.
With each phone call, a session is established from the handset to the IP PBX where the private IP address is translated, and a new session is established directly to the centralized network operation center of the Managed Services provider. This eliminates peer-to-peer dialing with non-secure IP end-points.
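An added example, not from the article or from any vendor's product, of the terminate-and-regenerate step described above: the PBX builds a new SIP INVITE for the provider leg instead of forwarding the handset's, and a check confirms that no RFC 1918 address survives. The handset message, the addresses (203.0.113.10, noc.provider.example) and the function names are constructed for illustration.

```python
import ipaddress
import re
import uuid

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: INVITE as sent by a handset on the private LAN.
HANDSET_INVITE = "\r\n".join([
    "INVITE sip:16035550123@192.168.1.1 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bKabc123",
    "From: <sip:201@192.168.1.1>;tag=1928",
    "To: <sip:16035550123@192.168.1.1>",
    "Call-ID: a84b4c76e66710@192.168.1.50",
    "CSeq: 314159 INVITE",
    "Contact: <sip:201@192.168.1.50:5060>",
    "Content-Type: application/sdp",
    "", "v=0", "o=- 1 1 IN IP4 192.168.1.50", "s=-",
    "c=IN IP4 192.168.1.50", "t=0 0", "m=audio 49170 RTP/AVP 0",
])

def private_addresses(message):
    """Return the RFC 1918 addresses that appear anywhere in a SIP message."""
    hits = {ipaddress.ip_address(a) for a in IPV4.findall(message)
            if all(int(o) < 256 for o in a.split("."))}
    return sorted(str(a) for a in hits if any(a in net for net in RFC1918))

def regenerate_invite(inbound, pbx_ip, provider):
    """Terminate the handset leg; build a fresh INVITE for the provider leg."""
    head, _, sdp = inbound.partition("\r\n\r\n")
    # Carry over only the dialed number, the caller's extension and the media lines.
    dialed = re.match(r"INVITE sip:([^@;]+)@", head).group(1)
    caller = re.search(r"^From:.*?sip:([^@]+)@", head, re.M).group(1)
    # Re-anchor SDP origin/connection on the PBX, which relays the media itself.
    body = "\r\n".join(re.sub(r"IP4 \S+", f"IP4 {pbx_ip}", l) if l[:2] in ("o=", "c=") else l
                       for l in sdp.split("\r\n"))
    out = [
        f"INVITE sip:{dialed}@{provider} SIP/2.0",
        f"Via: SIP/2.0/UDP {pbx_ip}:5060;branch=z9hG4bK{uuid.uuid4().hex[:12]}",
        "Max-Forwards: 70",
        f"From: <sip:{caller}@{pbx_ip}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{dialed}@{provider}>",
        f"Call-ID: {uuid.uuid4().hex}@{pbx_ip}",
        "CSeq: 1 INVITE",
        f"Contact: <sip:{caller}@{pbx_ip}:5060>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body)}",
    ]
    return "\r\n".join(out) + "\r\n\r\n" + body
```

Running `private_addresses()` over captured provider-side signaling is a quick audit that a deployed PBX or session border controller is regenerating sessions rather than forwarding them.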
The VoIP phone should have a tightly controlled configuration with restrictions on its ability to access and browse the public Internet to avoid the spread of viruses and third-party attacks.
Secure business-class VoIP is achievable. By having a thorough understanding of VoIP's threats and vulnerabilities, selecting and deploying a VoIP system or service that supports the security features discussed and following proper network management protocols, businesses implementing IP telephony can enjoy the benefits and avoid the pitfalls.
Mark Galvin is founder, president and CEO of Whaleback Systems, a Managed Services provider based in Portsmouth, N.H. Prior to co-founding Whaleback Systems, Galvin was founder, president and CEO of Cedar Point Communications.