Perimeter security. Depending on your existing investment in firewalls and network security devices, you may need to make significant adjustments to your network perimeter security. Your firewalls may work fine for the traffic that currently runs through them, but if you intend to move to VoIP, they may need to be replaced with firewalls designed to handle that kind of traffic. You will likely need to invest in firewalls, switches, and routers that can recognize and act on VoIP data to keep your latency down.
DOS. A denial of service (DOS) can adversely affect the quality of your calls, just as jitter and latency can. A DOS is anything that causes the sheer volume of activity on the firewall or network to become a limiting factor in the transmission of packets. Essentially, the network is too busy to deliver the quality of phone transmission that you expect. This can be handled in a number of ways depending on your network architecture. But in some cases you can't do anything but ride out the storm.
If you're looking for more information on the vulnerabilities and components of VoIP, check out the SANS Institute whitepaper “Voice over Internet Protocol (VoIP) and Security” at www.sans.org/rr/whitepapers/voip/1513.php.
Information security for a VoIP system should begin with an appropriate risk assessment and solid security on the company's network. The project should include a determination of the impacts of implementing the VoIP system in your environment, so that any bandwidth or control issues are planned for.
Don't make the mistake of assuming that you have enough horsepower, network pipe size, or controls up front. Engage the IT folks and have them find out what it will take for real. Determine your business requirements first and how you intend to use the technology. Do your homework, and then design your implementation.
Eduard L. Telders is the director of enterprise information security at T-Mobile. Since 1981 he has served in physical security, information security, corporate contingency planning, and safety programs in the banking, insurance, and financial industries. He is active in a number of security trade groups and associations such as ASIS, ISACA, InfraGard, the AGORA, CyberGuard Advisory Council, and others, for both physical and information security, and he is a contributing technical editor for ST&D.