Banning (free) VoIP from the enterprise

Banning (free) VoIP from the enterprise

In the computer trade press, sensation sells nearly as well as it does in the entertainment business. That probably explains why some recent alarmist headlines along the lines of "Banning VoIP from the enterprise" have garnered their share of placement and attention of late. Careful examination of such stories shows that, far from representing a general ban of any and all use of voice over IP technology in enterprises -- where its growth continues unabated, in fact -- it represents a selective and in fact typical application of normal enterprise security policies regarding employee use of unauthorized software.

In this case, the software in question includes numerous varieties of free VoIP software, such as Skype or Free World Dialup. That's because these software environments present multiple forms of exposure to potential security threats. As anybody who has used these tools already knows, in addition to enabling IP-based phone calls (inside their networks at no charge, outside their networks for a fee) they also enable instant messaging and file transfer, and report user status (online, offline, available, not available and so forth). As networked applications, usually with built-in scripting capabilities and programmable interfaces, they also present sometimes sizable "attack surfaces" that malefactors can try to exploit.

In fact, recent reports of vulnerabilities in Skype -- like those reported by well-known security watchdog firm Secunia related to

    Requires Free Membership to View

    Login

    SearchUnifiedCommunications.com members gain immediate and unlimited access breaking industry news, expert advice on UC, technical guides, and more -- all at no cost. Join me on SearchUnifiedCommunications.com today!

    Kate Gerwig, Editorial Director

    By submitting your registration information to SearchUnifiedCommunications.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchUnifiedCommunications.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

buffer overflows Thanksgiving week -- have brought increased visibility and attention to security exposures in well-known and widely used VoIP applications. Likewise, the Voice over IP Security Alliance is working on a VoIP Security and Privacy Threat Taxonomy (currently out in a draft "Public Release 1.0" form released on 10/24/2005) that does a great job of introducing and explaining standard terminology and protocols, as well as exploring potential sources of threats or vulnerabilities at multiple levels.

But the real and most basic source of the fuss boils down to unauthorized use of third-party software that IT departments and infosec experts haven't yet included in their explicit policies, practices and procedures. And since the safest method for dealing with items not explicitly covered in any security policy is to deny them access, or to expressly forbid their unsanctioned use, that's in fact what many enterprises are doing with these kinds of VoIP solutions. While it's a practical and predictable extension of existing security policy, it's by no means an outright rejection of VoIP telephony or software, because many of these same enterprises use other third-party VoIP solutions. But these are covered in the security policy and presumably monitored and maintained from a security perspective to make sure they don't present unwanted or unmitigated vulnerabilities or exposures themselves.

More on this topic

Don't believe the VoIP security hype

Find more VoIP tips
In other words, unless certain enterprises are willing to assume the burden of monitoring and tracking vulnerabilities and exposures for free VoIP environments such as Skype, it makes perfect sense for them to ban them. This is very much in keeping with end-user policies that might be generally and simply summarized as "install and run no unauthorized software on your machines" where Skype (or Free World Dialup, or whatever) simply becomes another VoIP-related case in point.

Thus, what may sound sensational or unusual in headlines that mention banning VoIP in the enterprise really represent no more than security business as usual. But the threats and vulnerabilities are real, and you can also expect affected vendors to do their best to fix them, given that their real user base well outside the enterprise is probably neither familiar with formal security policy nor protected by one.

Ed Tittel is a regular contributor to numerous TechTarget Websites and the author of over 100 books on a wide range of computing subjects from markup languages to information security. He's also a contributing editor for Certification Magazine and edits Que Publishing's Exam Cram 2 and Training Guide series of cert prep books. E-mail Ed at etittel@techtarget.com.

This was first published in December 2005

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top