VoIP: Is it Worth the Hype?

VoIP is generating a lot of noise these days. We are seeing new standards,

products and vendors in the market enticing you in the name of faster and

cheaper voice communication. All superlatives apart, is VoIP really mature

enough in all respects to be used in an enterprise. Let's try and figure out.

How secure is it?



What if one fine day you find your landline phone not working because you've
forgotten to update its antivirus last night? Or while sitting in a meeting you

suddenly receive 50 spam calls on your phone, from some company selling nasty

drugs to enlarge your body parts? Or, what if a crucial tender your company was

working on, just got publicized because some 'Black Hat' hacked and

intercepted your CEO's call and recorded all of a confidential conversation?

If you think it sounds absurd, do it yourself and see. Telephony, when it took

the path of IP, got some really cool features in terms of manageability and cost

effectiveness. But it also inherited the vulnerability of IP based networks. You

can easily intercept the voice stream being transferred over your corporate

network using an easily available and free tool like Ethereal.

Intercepting VoIP calls



First of all you have to understand the protocols and data flow pattern of a
standard VoIP network. When someone picks up a VoIP phone and dials a number, a

Session Initiation Protocol (SIP) stream is sent to the IP PBX. From here the

phone recognizes, connects and authenticates the other phone it wants to talk

to. After this session, both the phones establish a direct IP link between each

other. Voice communication between the two takes place in the form of two

streams (backward and forward) of RTP (Real Time Protocol). Each stream contains

the voice generated from one end. So, if there is a conference call happening

with three people, there will be three RTP streams, each having voice from one

end. Now, the problem lies with the RTP protocol. This protocol is not encrypted

and anyone can initiate a 'Man in the Middle' attack and capture the stream

easily. Let's test it through a simple 'hands on.' Take any two VoIP

phones from a vendor and an IP PBX. Now connect all of these to a hub. We are

not using a switch, because to intercept data on a switched network you have to

run an ARP Spoofing tool, which is essentially a hacking tool and here we are

not instigating you to hack into a network.

In Ethereal, you can see all VoIP streams. To capture and publish these streams click on the Analyze button4

Now after you have connected all the VoIP devices, take a laptop and hook it

on to the same network, and run Ethereal. Whenever someone is speaking on the IP

phone, start capturing the data by going to the Capture menu and then selecting

the appropriate network adapter. Let Ethereal capture the data till the phones

are free. After that, stop the capture process and go to the Statistics menu and

select the RTP submenu. This will show you an option 'Show All Streams.'

Click on it and a new window will open. Here, you will see two different streams

of RTP. Select both the streams one by one and click on the 'Analyze'

button. This will open another window. Here, click on 'Save Payload' and a

third window will open. Give a name to the file, select the '.au' and 'forward'

radio buttons, and save the file. Now you can play this file on any media player

and listen to the confidential talks that might have taken place on the VoIP

phone.

How cost effective?



Vendors claim that because of your existing network, you don't need to spend
much on the wiring and infrastructure set up. But there are some hidden costs

which are generally not disclosed to the customer. The first thing that you

require is a bandwidth shaping solution for your network. Without a proper QoS

for your VoIP network, most of the vendors will not promise you good sound

quality and there will be packet losses because of collision while speaking. The

deployment cost of such a solution is not included in your VoIP deployment cost.

Also note that VoIP phones are pretty costly and a standard phone will cost you

around $100 to $200 which is around 5 times the price of a full featured normal

PSTN phone. For eg, the D-Link DPH-140s IP Phone reviewed in this issue costs Rs

11, 940. You can save costs using softphones, but these have their own

limitations. The same holds true for IP PBX as well. Besides the IP PBX, you

would also need a PSTN to VoIP gateway to make local calls.

Legal angle



In India the legality behind VoIP is so confusing that it's difficult to
understand what is legal and what is not. According to the Telegraphic Act 1883

and the Telegraphic Wireless Act 1935, all international calls should conform to

the norms set by TRAI. You can make IP-based calls outside the country but it is

not legal to make calls to a local PSTN or a cellular network. So, one can't

enjoy the real advantages of VoIP, ie, lower recurring costs in terms of making

and receiving calls amongst branch offices or customers and partners across the

world.

What to do?



After reading all this, you must be wondering whether to deploy VoIP or not. The
good news is that for enhancing security, companies like Cisco have come up with

technologies like SRTP and secure SIP to enable secure VoIP communication. But

these are very costly. Our advice is to evaluate your options thoroughly and do

a cost/benefit analysis on them. Because ours is a fast growing outsourcing

market and VoIP is something that can really help.

Then, there are telecom service providers who eye VoIP as a profitable

opportunity and are pushing the government to make laws more liberal. As things

fall into place slowly, we are bound to see an increased adoption of this

technology. And as adoption increases the cost of deployment will go down,

making VoIP really hot and exciting.

Note: PCQuest does not offer legal advice. The material presented above

should not be construed as legal advice. You are encouraged to consult your

legal counsel before taking any action on this subject.