Want more advice for locking down your network? Stay on top of the latest security issues and industry trends by automatically signing up for our free Internet Security Focus newsletter, delivered each Monday!

As broadband Internet connections become more
common, phone service based on voice over Internet Protocol (VOIP)
is rapidly increasing in popularity. In general, most organizations
consider VoIP to be a cost-saving way to bypass the telephone
companies, particularly for long-distance services.

However, VoIP is certainly no panacea. From the
standpoint of Internet security, it’s important to keep in mind
that VoIP is still an Internet service, so the technology is
subject to the same type of problems as any other Internet service.
Worms, viruses, and DoS attacks can affect the usability of VoIP
services, and the majority of these attacks will be outside the
control of the VoIP provider.

In addition, VoIP presents some legal issues,
not the least of which is whether we consider VoIP a “pure”
Internet service. While the U.S. government doesn’t typically
regulate Internet services, VoIP could change that.

I’m closely watching VoIP technology for a
number of reasons, particularly because I’m interested to see how
VoIP and Internet security will intersect. I will say that using
VoIP to replace clunky PBX systems has proven to be a great success
at many companies. But using VoIP to replace the public-switched
telephone network is a different matter entirely.

VoIP has become one of the latest buzzwords for
the Internet industry. Because governing agencies can’t possibly
regulate or control VoIP like traditional land-line phone systems,
it’s appealing to competitive local exchange carriers (CLECs) as a
lower-cost way to compete with the incumbent local exchange
carriers (ILECs).

But don’t forget that VoIP is an Internet
service–and that means no Internet service, no phone service. VoIP
differs drastically from land-line telephone systems, despite
claims from companies and governments insisting that they’re
identical services.

For example, in the United States, land-line
telephone systems are subject to a variety of governmental
regulations regarding wiretapping and emergency service use.
Specific laws, such as the Communications Assistance for Law
Enforcement Act (CALEA), can’t possibly apply to all VoIP services,
regardless of recent rulings insisting on placing wiretaps on VoIP
services. In my opinion, it’s just not possible to regulate VoIP
like this.

What government agencies are failing to
understand is that security is a personal choice. If people want to
communicate securely, they will do so regardless of whether it’s
legal.

And they will use freely available strong
encryption. With the source code for programs such as PGPfone
available on the Internet, all the VoIP regulations in the world
won’t make a difference.

But just how reliable and usable is VoIP
anyway? In a time when cell phones can be unusable at times, I
don’t place much faith in VoIP ever becoming as good or reliable as
a land-line telephone.

Remember that VoIP services use software, and
all software has flaws. VoIP technology works, but its long-term
security is still undetermined, and complex legal and technical
issues exist that will likely take a long time to resolve.