
UNIFIED COMMUNICATIONS TECH TIP
Banning (free) VoIP from the enterprise
Ed Tittel 12.01.2005




In the computer trade press, sensation sells nearly as well as it does in the entertainment business. That probably explains why some recent alarmist headlines along the lines of "Banning VoIP from the enterprise" have garnered their share of placement and attention. Careful examination of such stories shows that, far from describing a general ban of any and all use of voice over IP technology in enterprises -- where its growth continues unabated, in fact -- they describe a selective and in fact typical application of normal enterprise security policies regarding employee use of unauthorized software.
In this case, the software in question includes numerous varieties of free VoIP software, such as Skype or Free World Dialup. That's because these software environments present multiple forms of exposure to potential security threats. As anybody who has used these tools already knows, in addition to enabling IP-based phone calls (inside their networks at no charge, outside their networks for a fee) they also enable instant messaging and file transfer, and report user status (online, offline, available, not available and so forth). As networked applications, usually with built-in scripting capabilities and programmable interfaces, they also present sometimes sizable "attack surfaces" that malefactors can try to exploit.
In fact, recent reports of vulnerabilities in Skype -- like the buffer overflows reported by well-known security watchdog firm Secunia during Thanksgiving week -- have brought increased visibility and attention to security exposures in well-known and widely used VoIP applications. Likewise, the Voice over IP Security Alliance is working on a VoIP Security and Privacy Threat Taxonomy (currently out in a draft "Public Release 1.0" form released on 10/24/2005) that does a great job of introducing and explaining standard terminology and protocols, as well as exploring potential sources of threats or vulnerabilities at multiple levels.
But the real and most basic source of the fuss boils down to unauthorized use of third-party software that IT departments and infosec experts haven't yet included in their explicit policies, practices and procedures. And since the safest method for dealing with items not explicitly covered in any security policy is to deny them access, or to expressly forbid their unsanctioned use, that's in fact what many enterprises are doing with these kinds of VoIP solutions. While it's a practical and predictable extension of existing security policy, it's by no means an outright rejection of VoIP telephony or software, because many of these same enterprises use other third-party VoIP solutions. But these are covered in the security policy and presumably monitored and maintained from a security perspective to make sure they don't present unwanted or unmitigated vulnerabilities or exposures themselves.
In other words, unless certain enterprises are willing to assume the burden of monitoring and tracking vulnerabilities and exposures for free VoIP environments such as Skype, it makes perfect sense for them to ban them. This is very much in keeping with end-user policies that might be generally and simply summarized as "install and run no unauthorized software on your machines" where Skype (or Free World Dialup, or whatever) simply becomes another VoIP-related case in point.
Thus, what may sound sensational or unusual in headlines that mention banning VoIP in the enterprise really represents no more than security business as usual. But the threats and vulnerabilities are real, and you can also expect affected vendors to do their best to fix them, given that their real user base, well outside the enterprise, is probably neither familiar with formal security policy nor protected by one.
Ed Tittel is a regular contributor to numerous TechTarget Websites and the author of over 100 books on a wide range of computing subjects from markup languages to information security. He's also a contributing editor for Certification Magazine and edits Que Publishing's Exam Cram 2 and Training Guide series of cert prep books. E-mail Ed at etittel@techtarget.com.