November 7th, 2005
To VoIP or not to VoIP

07 December 2005

Falk Bleyl, senior product manager at THUS, considers the issues around the downloading of consumer VoIP in the workplace and how businesses can protect against the negative impacts

The emergence of consumer Voice over Internet Protocol (VoIP) services in 2005 has seen more than 50 million people register for a service across the globe. However, for all the advantages of a VoIP service, there can be drawbacks when a consumer VoIP service is used in a business environment.

Recent debate about the security implications of retail VoIP services has led analyst firm Info-Tech Research Group to call for businesses to address the use of consumer VoIP at work. THUS agrees that consumer VoIP services are now causing IT departments considerable concern and highlights the following reasons:

  • Some consumer VoIP products use a peer-to-peer model, resulting in bandwidth being used to carry other individuals’ voice and data traffic without the user’s consent or knowledge
  • As aggressive applications, consumer VoIP services are designed to circumvent firewall restrictions by emulating a web browser. This can be troublesome on a corporate network as it makes the VoIP packets difficult to identify, audit and control
  • IT departments will find tracking and storing user communication difficult
  • VoIP applications may also include further services such as videoconferencing, Instant Messaging (IM) and peer-to-peer file transfer. While VoIP and IM may not use much bandwidth per user, videoconferencing and file transfer applications can take up significant bandwidth on the corporate network and slow other network traffic, having a serious impact on work productivity
  • VoIP may limit the performance of applications on a user’s desktop because it uses the desktop’s resources. Having unauthorised and unknown/untested applications on company desktops may decrease the stability of the devices
  • There may be licensing restrictions which allow free personal use, but not free business use

THUS advises that businesses can put certain controls in place to protect themselves from such vulnerabilities associated with VoIP, such as:

  • Heighten employees’ awareness of VoIP security issues, emphasising the risk they can pose to a business
  • Restrict a user’s ability to install applications by locking down desktops
  • Regularly audit devices and traffic flows for unknown or unexpected activity
  • Include VoIP applications in an explicit list of applications that may not be appropriate for employee use (acceptable use policy)

If a business does allow consumer VoIP packages to be downloaded, it should:

  • Ensure virus scanners are installed on all desktops and that they are kept up-to-date. If you permit the use of consumer VoIP clients then ensure that they are managed properly and that patches are applied when they are released by the vendors
  • Manage the VoIP application as if it is a supported business application
  • Thoroughly test a specific application and include it in the list of applications that are tested, recognised and installed for employee usage. In this case each employee needs to be very aware of the limitations of such a service