FOR - Tim Keanini, CTO, nCircle
With most VoIP systems, email and voicemail are housed in the same Exchange server. Prior to VoIP, an attacker would have to have knowledge of a specific vendor's firmware or software. This platform presents a familiar face to the attacker and for the less skilled, exploit tools are widely available.
Wire tapping, or unlawful intercept, has also become easier with VoIP. No physical access is needed, the target faces a globally connected threat. These bits flow as freely as web traffic.
Another problem with IP telephony is that most VoIP vendors seem to believe that security is for others to solve. The typical response is to recommend that VoIP be put behind a firewall, or on an isolated network. But this isn't feasible with converged networks. So security comes second to functionality and is seen as a feature and not a fundamental.
VoIP might not be considered safe, but what complex system is safe? The threat is opportunistic and won't focus on VoIP until it is the best means to attack. In order to manage this risk, you need network intelligence. Only then can you realise the benefit of IP telephony.
AGAINST - Ian Shepherd, solutions manager, Telindus
Any technology that offers major benefits is open to attack if it is adopted without considering the security implications. Much has been written about how an IP telephony infrastructure could be attacked. But its security has one important thing going for it, hindsight! Expertise and experience in securing data networks that has been painfully built up in the past 15 years can be applied to voice networks.
We have the technology to contain threats, and with the work of the US National Institute of Standards and Technology (NIST) and the VoIP Security Alliance (VoIPSA) we can stay ahead of the game.
VoIP can be done securely, but firms must proceed cautiously and not assume that the components are just peripherals on the Lan. Keep in mind also VoIP's unique requirements, acquiring the right hardware and software to secure VoIP is crucial. The recommendations made by NIST, VoIPSA and vendors are mostly extensions of existing security practices and should not surprise any company that already takes its data and voice security seriously.