Voice over Internet Protocol, or VoIP, is no longer the wave
of the future: it is a service available today, and
it is gaining more and more ground. Various market studies
have shown that consumers are following Internet telephony
with interest and plan to switch over from traditional
to Internet-based telephony within a few years. The
main reason for this is cost savings, but an additional
reason to switch over is the convenience of purchasing
Internet and telephone service from one provider. These
studies also show that traditional telephone services
will be phased out in the near future.
The launch of VoIP consumer packages,
such as from the Netherlands' KPN, at the end of May,
is proof that the market is finally taking Internet
usage and Internet phone calls seriously. Other major
competitors in the telecommunications industry, like
cable companies, have also been active but were orienting
themselves more to the business market. As is often
the case, the business market is the trendsetter in
technology acceptance and expansion. Consumers also
find cost savings one of the primary reasons to switch
from landline phones to Internet phones. However, reducing
network costs and streamlining network management are
seen as valid arguments, too.

Aside from all these seemingly overriding
benefits, adding voice to the data network is not without
risks. In particular, security is an important point
to take into account. Each component of the VoIP architecture
(such as each PC, which acts as the phone and also has access
to the network) can be used as the "weak link"
to hack into the network. Both the setup of the phone
call on the Internet and the actual conversation (the
media stream) will need to be secured by a firewall at
the network and application levels. Without security,
VoIP calls are susceptible to denial of service attacks,
eavesdropping on calls by outsiders, and the hacking
of gateways, leading to unauthorized free calling.

VoIP: whose department?
Typically, the telecom or network department handles
a VoIP project within a company, and the security department
is not necessarily consulted in the process. Yet, it
is logical that the security department must be involved.
While telephone traffic used to have its "own"
network and used technology that was familiar to only
a few people, today is quite a different story.
Now, VoIP uses the same network that
is used by the regular network for transporting data.
That also means that it is exposed to everything to
which network data is subjected. In principle, all users
have access to the network, so eavesdropping becomes
much easier (there are enough tools available for "replaying"
received information). It is possible to access the
telephone service from many more locations (any PC on
the network), so calls can be dropped or terminated
more easily, or people could infect the telephone by
means of network access. Not to mention, telephone service
will now have to compete for bandwidth on the network.
Ultimately, if the telephone environment is connected
to the Internet, the scope of potential hacking will
be much greater than it already is.
As a technology, VoIP was developed
by "network people." Therefore, they looked
primarily at the connectivity issues and much less at
security factors. Before the market and the technology
have evolved enough to be able to say that VoIP is safe,
specific security products will need to be used.

What has been done about security
VoIP can certainly be made safe enough if it is first
understood that something must be done about security.
Why, you may ask, was nothing done about security earlier?
Well, first there was a battle over which technology
was to be the "standard," and then there was
a debate about how that standard should be interpreted.
On top of that, VoIP is what is known as an asymmetrical
protocol. This means that the setup of a call follows
a different route from the actual conversation. For
a security component like a firewall, this is an extremely
demanding task.
In recent years, security companies
have watched developments in the VoIP market extremely
closely. Check Point already has several years of experience
with this technology and has also identified it as a
strategically important component of the entire security
suite. This has resulted in the release of firewall
software that can service VoIP solutions sold by the
most popular vendors in the market and the protocols
they employ (MGCP, SIP, H.323, and SCCP, also known as Skinny).
In addition to detection of the protocols,
it is absolutely necessary to be able to handle network
address translation, which is not simple, once again
due to the complexity of the protocols. And, again,
like any other Internet-based device, VoIP gateways
can be subjected to denial of service attacks. Check
Point is the only one in the market that has already
addressed this in its security products.
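
The asymmetry and the address translation problem described above can be seen in a single SIP call setup: the signalling message names, inside its SDP body, a separate address and port for the media stream, and a VoIP-aware firewall has to read that body to know which flow to admit. The following is an added example, not code from the article or from any vendor; the INVITE is constructed, and the function name and the RTCP-on-next-port convention are assumptions of the sketch.

```python
import ipaddress

# Constructed SIP INVITE with an SDP body (illustrative, not captured traffic).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.com>;tag=1928301774",
    "To: <sip:bob@example.com>",
    "Call-ID: a84b4c76e66710@192.168.1.20",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20",
    "s=-",
    "c=IN IP4 192.168.1.20",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "",
])

def media_pinholes(sip_message, signalling_src_ip):
    """List the media flows a firewall must admit for the call set up by this message.

    signalling_src_ip is the source address the firewall saw on the SIP packet.
    """
    _, _, sdp = sip_message.partition("\r\n\r\n")  # SDP body follows the SIP headers
    session_ip, flows = None, []
    for line in sdp.splitlines():
        if line.startswith("c="):
            # c=<nettype> <addrtype> <address>[/ttl]
            ip = line[2:].split()[2].split("/")[0]
            if flows:
                flows[-1]["ip"] = ip       # media-level c= overrides the session-level one
            else:
                session_ip = ip
        elif line.startswith("m="):
            # m=<media> <port>[/count] <proto> <formats...>
            media, port, proto = line[2:].split()[:3]
            rtp = int(port.split("/")[0])
            # Assumption: RTCP uses the next port up (the usual RTP convention).
            flows.append({"media": media, "proto": proto, "ip": session_ip,
                          "rtp_port": rtp, "rtcp_port": rtp + 1})
    for flow in flows:
        if flow["ip"] is None:
            raise ValueError("SDP media line without a connection address")
        advertised = ipaddress.ip_address(flow["ip"])
        # A private address in the payload behind a different packet source means NAT
        # rewrote the IP header only; the media address in the body must be rewritten too.
        flow["needs_nat_rewrite"] = advertised.is_private and flow["ip"] != signalling_src_ip
    return flows
```

Signalling arrived on port 5060, while the media is expected on 49170 and 49171, which is why a static port rule cannot cover a call.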