GRAND RAPIDS – Last month IP3 convened the Second Annual VoIP Security Forum hosted by Illinois Institute of Technology. We again had experts from academia, the vendor community and industry. The breadth and depth of coverage was outstanding; but it left most of us with a growing discomfort over the lack of progress on technologies to secure VoIP. Indeed, the most noteworthy findings echoed the growth of vulnerabilities, rather than a plethora of new defenses.

The summary message was clear: VoIP is coming, with or without security, so let's do what we can to harden it.

The key findings are insightful and should be useful for virtually all organizations, since industry estimates say 80 to 90 percent of all new office phone systems within two years will be VoIP-based.

1) VoIP will be coming into the enterprise from a variety of directions.

a. users with Skype and other low-cost, consumer-grade offerings and flexible services

b. web conference and meeting services such as voice-over-screen presentations, web customer service and sales servers offering tele-support overlaid on a web site (this is likely to be the "killer app" for VoIP integration)

c. key and PBX replacement markets

d. PDA/cell phone multi-mode mobile devices

2) Voice integrated with web services (this is SIP focused) has a very different culture and orientation than the PBX or key set conversions. The latter sees VoIP as a different way to build an independent phone system, but that's the Number 1 problem: there's no easy way to keep voice and traditional data networks segregated. If you can't keep them segregated, the phone systems become vulnerable to ALL of the classical IT threats, including DDoS, phishing, spam, SPIT, etc.

3) Most IT vendors argued that voice is just another application riding on the net; however, it does have the slight difference in that users expect a six sigma service level; they expect service 99.9999 percent of the time. That's not like any application traditional information systems have provided. I'm routinely in shock at how little the IT community understands about the difference in expectations. I have a house in Northport and have struggled for over three months with Charter Communications to get my internet services to perform to spec; it's consistently too slow on the uplink. The last service visit actually made things worse; but the technician did as he was told and asked if I wanted to cancel my phone service and convert it to Charter's new VoIP offering. I said if I did that, I wouldn't have a way to call them to tell them my internet service was out! Their network and customer support isn't ready for voice. I do hope somebody from Charter reads this and decides that I deserve some serious attention! Please.

4) Latency is a challenge: data flows can't have delays. Yet delays show up everywhere in today's internet, often as the product of DDoS attacks but even more commonly as the result of poor configuration and network management. Delays in web browsing, email or file transfers are not serious and usually not even noticed; but small delays can kill VoIP, which makes crypto and content filtering, both of which add processing delay to every packet, a real problem.

5) Stateful firewalls prevent outsiders from initiating data flows into your enterprise, but that approach is problematic for voice services. If we're going to let voice flow into the enterprise, we had better have strong inspection technologies to make sure it's really voice and not malicious code. Indeed, this is a two-way concern. We took time to showcase some of the graduate student work I've supported in the labs that demonstrates the ease of taking the corporate database out the front door disguised as an encrypted VoIP call.

So, we covered a lot; but we also learned there's a long way to go.

This is a great opportunity for technology start-ups, service providers and corporate IT departments to address.

This column was written by Ken Kousky, president of IP3 Inc. For more information, visit IP3Inc.Com.