VoIP Faces Major Hurdle: The "S" Word
[All, we've talked about this matter of security before here in this thread. See the article posted below this caption. Can Security become a killer inhibitor that will stall or postpone VoIP on the open Internet?
Security is one of the issues I decided would be a real bear to overcome and implement in our outlook for several proposed network deployments last year, and in fact, a primary inhibitor responsible for not going forward. Hey! Chalk it up to principles.
It was inconceivable to me at the time (but not any more, since everyone, including the top tier IXCs, is now doing it) how many networks have gone forward and been deployed using UDP-based voice and TCP/IP-based fax traffic on the open Internet without regard for guarding against interceptors, hackers and other threats which are lurking to compromise users' traffic streams. What do you think?
Regards, Frank C.]
==============
VoIP Faces Major Hurdle
August 25, 1998
PC Week via NewsEdge Corporation : With corporations
already contending with the cost issues associated with
implementing voice over an IP network, a more serious
issue--limited security-- may be enough to convince
corporate IT to rethink deployment plans altogether.
Voice traffic currently riding on circuit-switched
networks enjoys tight security, and corporate data on IP
networks can be encrypted. But voice riding on an IP
network doesn't enjoy the same level of security.
And although equipment providers are just now starting
to tackle the problem, the issue takes a complicated legal
twist when corporations look to implement IP voice
security overseas.
As a result, the technological and legal hurdles of
security, combined with the questions surrounding the
cost benefits of VoIP (voice over IP) (see PC Week, July
27, Page 1), may be enough to persuade many IT shops
to either hold off on such plans or outsource them to a
service provider willing to take on the integration
challenge.
"Security is obviously something that doesn't appear to
be part of VoIP implementations today," said Abner
Germanow, security and telephony analyst at
International Data Corp., in Framingham, Mass. "The
[public-key infrastructure] being built into the Internet
today does not address it."
"Even though we're running over a private network, I'm
absolutely concerned [about security], and it's
something we need to address," said Rob Morton,
network manager at Dallas-based Productivity Point
International Inc., which is just starting to test VoIP.
Products from vendors that solve some of the VoIP
security problems won't be ready until next year. Part of
that is due to the fact that encryption products are at
odds with voice compression, as well as the fact that
voice traffic is sensitive to latency.
Dealing with these issues has been more of a challenge
than anticipated, according to Jeffrey Berk, director of
voice and data at Cabletron Systems Inc.
"What we find is customers with private WANs end up
not compressing the voice traffic because security is
more important," Berk said. Without compression, for
example, a 64K-bps channel on a T-1 line will support
just one call instead of as many as eight.
Cabletron plans to address the issue with a retooled
version of its data switch hardware encryption module,
called Zip-lock. A model for voice encryption won't be
ready until mid-1999 and will come in the form of a
firmware upgrade, said Berk, in Rochester, N.H.
Likewise, Cisco Systems Inc. will release next year
hardware versions of its IPSecurity engine that encrypt
voice traffic.
But additional hardware is a Catch-22 for IT, as
hardware-based security is more expensive than
software solutions.
"Security is a huge performance issue," said Stuart
Phillips, Cisco's IOS product manager in San Jose, Calif.
"And we can't tell someone with 5,000 routers they
should buy a new one for VoIP, so we go with a software
upgrade. That's an advantage usually, but with security
they may think they need hardware."
Startup RPK Security Inc., meanwhile, plans to address
the issue with its new proprietary algorithm tailored for
encrypting real-time traffic. The San Francisco
company's president, Jack Oswald, said a hardware
version of the security algorithm targeted specifically at
VoIP vendors will debut later this year.
Beyond just dealing with technology problems,
multinational companies, which stand to benefit the most
from the inexpensive calls VoIP offers, could also run
smack into another security problem: U.S. export
restrictions. If companies want to use a robust 56-bit key
encryption technology for VoIP for international voice
traffic, they have to go through a special licensing
process with the U.S. Department of Commerce--with no
guarantee of approval.
Security problems, compounded with the difficulty of
proving the cost benefits of VoIP adoption, may cause
corporations to either put off deployment or consider
whether outsourcing is viable.
Indeed, service providers hungry for revenue streams
are making the expensive investments in equipment and
software to offer VoIP with the hope that those services
will bring a new customer base.
"The tools for security are out there, the equipment is
out there, and the protocols are out there. You just have
to have the competency to implement them," said David
Greenblatt, chief operating officer for Net2Phone IP
voice service of IDT Corp., in Hackensack, N.J.
In fact, many IT managers are starting to look at
service-level agreements as a way to avoid the
complexities and myriad issues facing VoIP. PPI's
Morton has started to lean that way, even in the test-bed
phase.
"Security is a hurdle we see out there--it's one of many,"
he said. "And there are probably some we haven't even
thought of yet."
Voice-over-IP security checklist
Points that IT managers should consider before
implementing voice over IP:
The cost of hardware upgrades to manage increased
processing needs
U.S. export restrictions that limit the use of unbreakable
encryption
Whether in-house IT has the skills needed to internally
manage security
If outsourcing the technology, whether security is part
of your service-level agreement with an ISP
With the added cost of security mechanisms, whether
voice over IP will actually save money
<<PC Week -- 08-24-98>>
[Copyright 1998, Ziff Wire]
|
