VoIP security considerations


Sandra Kay Miller, Contributor
05.15.2008


When it comes to leading-edge technologies, financial institutions have always been at the forefront, and Voice over Internet Protocol (VoIP) is no exception. Leveraging existing network infrastructures to deploy a cost-effective alternative to traditional Public Switched Telephone Network systems has resulted in significant savings while delivering an innovative set of digital resources.

Stamford, Conn.-based research firm Gartner Inc. estimates that more than 80% of companies are currently engaged in IP telephony trials and that within three years, VoIP deployments will be ubiquitous.

But the reality of packetizing voice calls and routing them over the same network used for Internet traffic exposes organizations to the same cyber security challenges facing data transmissions.

There are a number of considerations financial services organizations should explore prior to integrating VoIP technology into their business.

Solid architecture
New protocols and resources are ripe targets for exploits. "From an architectural perspective, care must be taken to prevent access to network resources from the VoIP network," says Paul Henry, vice president of technology evangelism at Secure Computing in San Jose, Calif.

For example, organizations can isolate SIP servers and assign granular access controls that define which users can establish connections to specific resources. Additionally, Henry suggests the use of a SIP proxy. "As an integral part of the overall architecture, this can offer significant risk mitigation by validating the protocol and applying policy to SIP."
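To make "validating the protocol and applying policy to SIP" concrete, the following is an added sketch, not code from the article or from any vendor's product. The names `check_request`, `VOICE_NET` and `ALLOWED_METHODS`, the voice VLAN range and the sample request are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed policy values (constructed, not from the article).
VOICE_NET = ipaddress.ip_network("10.20.0.0/24")  # voice VLAN
ALLOWED_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}
# Headers RFC 3261 requires in every request (long forms only in this sketch).
REQUIRED = {"via", "from", "to", "call-id", "cseq", "max-forwards"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")

# Constructed sample request from a phone on the voice VLAN.
SAMPLE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.20.0.15:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@10.20.0.15\r\n"
    "CSeq: 314159 INVITE\r\n\r\n"
)

def check_request(raw, src_ip):
    """Return (allowed, reason) for one SIP request seen at the proxy."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method, headers = m.group(1), {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Leading whitespace means a folded line; this sketch rejects those.
        if not sep or not name.strip() or name[0].isspace():
            return False, "malformed header"
        headers.setdefault(name.strip().lower(), value.strip())
    missing = REQUIRED - set(headers)
    if missing:
        return False, "missing header: " + ", ".join(sorted(missing))
    # CSeq is "<number> <method>" and must name the request-line method.
    cseq = headers["cseq"].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != method:
        return False, "CSeq does not match request method"
    # Policy: only the voice segment may reach the SIP servers, and only
    # with the methods this deployment uses.
    if ipaddress.ip_address(src_ip) not in VOICE_NET:
        return False, "source outside voice segment"
    if method not in ALLOWED_METHODS:
        return False, "method not permitted by policy"
    return True, "ok"
```

Protocol validation runs before policy, so a malformed message is rejected regardless of where it came from.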

Degrees of separation
Although convergence is the buzzword often associated with VoIP, many organizations are considering isolated networks -- either physical or virtual -- for voice and data. Cisco advocates logical separation of VoIP traffic from the data network.

By putting voice and data on a single network, organizations risk losing both in a network outage.

However, separate networks require additional resources, regardless of whether they are virtual local area networks or completely separate physical networks.

"In reality, few will take it to that level," predicts Henry, who points out the key to VoIP security is access control and policy enforcement.

Similarly, due to the types of information traversing financial services networks and residing on servers, IT shops, especially those tasked with regulatory compliance in addition to security, are questioning how to best protect their VoIP infrastructure.

"Treat VoIP applications the same as any other application: Lock down servers and protect against unwanted access using intrusion detection and firewalls," suggests Irwin Lazar, senior analyst at Burton Group, based in Midvale, Utah.

"The current generation of firewalls can easily handle VoIP and all other gateway protocols," Henry added.

Security equals quality of service
In the data world, users have often equated increased security with decreased performance. In the world of VoIP for financial services companies, dropped calls, latency or a jittery connection -- all common issues associated with VoIP -- pose serious risks to business continuity in addition to IP-centric threats including viruses, hackers and exploits.

"No matter what you do with the fanciest phone in the world, if an end user hears jitter, gets latency or just has a bad overall VoIP experience, all the investment that you made and the utility you get from VoIP goes out the window because the user thinks it stinks. The end game is that you are able to deliver service the way people expect it to be," explained Neil Darling, of EtherSpeak, a Virginia-based company focusing on VoIP in vertical markets.

At the 2006 CeBit roundtable on VoIP security, industry leaders and experts estimated it could be two more years until the right balance of security and quality of service in enterprise deployments could be achieved. One of the primary concerns was the latency created by firewalls unable to handle VoIP traffic, but in the last year, firewall vendors have responded by adding features specific to VoIP to existing products.

Even with VoIP-capable firewalls, Henry pointed out that a firewall must be properly sized to handle the amount of traffic present on the network or quality of service will suffer.

About the author:
Sandra Kay Miller is a technical editor for Information Security magazine with 15 years of experience in developing and deploying leading-edge technologies throughout the petroleum, manufacturing, luxury resort and software industries, and has been an analyst covering enterprise-class products for 10 years.


All Rights Reserved, Copyright 2008 - 2009, TechTarget | Read our Privacy Policy