VoIP is generating a lot of noise these days. We are seeing new standards,
products and vendors in the market enticing you in the name of faster and
cheaper voice communication. All superlatives apart, is VoIP really mature
enough in all respects to be used in an enterprise? Let's try to figure it out.
How secure is it?
What if one fine day you find your landline phone not working because you've
forgotten to update its antivirus last night? Or while sitting in a meeting you
suddenly receive 50 spam calls on your phone, from some company selling nasty
drugs to enlarge your body parts? Or, what if a crucial tender your company was
working on, just got publicized because some 'Black Hat' hacked and
intercepted your CEO's call and recorded all of a confidential conversation?
If you think it sounds absurd, do it yourself and see. Telephony, when it took
the path of IP, got some really cool features in terms of manageability and cost
effectiveness. But it also inherited the vulnerability of IP-based networks. You
can easily intercept the voice stream being transferred over your corporate
network using an easily available and free tool like Ethereal.
Intercepting VoIP calls
First of all you have to understand the protocols and data flow pattern of a
standard VoIP network. When someone picks up a VoIP phone and dials a number, a
Session Initiation Protocol (SIP) stream is sent to the IP PBX. From here the
phone recognizes, connects and authenticates the other phone it wants to talk
to. After this session, both the phones establish a direct IP link between each
other. Voice communication between the two takes place in the form of two
streams (backward and forward) of RTP (Real Time Protocol). Each stream contains
the voice generated from one end. So, if there is a conference call happening
with three people, there will be three RTP streams, each having voice from one
end. Now, the problem lies with the RTP protocol. This protocol is not encrypted
and anyone can initiate a 'Man in the Middle' attack and capture the stream
easily. Let's test it through a simple 'hands on.' Take any two VoIP
phones from a vendor and an IP PBX. Now connect all of these to a hub. We are
not using a switch, because to intercept data on a switched network you have to
run an ARP Spoofing tool, which is essentially a hacking tool and here we are
not instigating you to hack into a network.
[Screenshot: In Ethereal, you can see all VoIP streams. To capture and publish these streams, click on the Analyze button.]
Now after you have connected all the VoIP devices, take a laptop and hook it
on to the same network, and run Ethereal. Whenever someone is speaking on the IP
phone, start capturing the data by going to the Capture menu and then selecting
the appropriate network adapter. Let Ethereal capture the data till the phones
are free. After that, stop the capture process and go to the Statistics menu and
select the RTP submenu. This will show you an option 'Show All Streams.'
Click on it and a new window will open. Here, you will see two different streams
of RTP. Select both the streams one by one and click on the 'Analyze'
button. This will open another window. Here, click on 'Save Payload' and a
third window will open. Give a name to the file, select the '.au' and 'forward'
radio buttons, and save the file. Now you can play this file on any media player
and listen to the confidential talks that might have taken place on the VoIP
phone.
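As an added example (not part of the original article), the Python check below shows how to tell from captured call setup whether a deployment is exposed in the way described above: the SDP offer inside a SIP INVITE names the media profile, RTP/AVP for plain RTP and RTP/SAVP for SRTP, and the Via header names the signalling transport. The function names, extensions, host name and addresses are constructed for illustration.

```python
# Added example: audit SIP INVITEs for cleartext signalling and media.
# SDP "proto" values on an m= line that mean the media is SRTP, not plain RTP.
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_invite(message):
    """Return a list of findings for one SIP INVITE carrying an SDP offer."""
    head, _, sdp = message.replace("\r\n", "\n").partition("\n\n")
    headers = head.split("\n")
    findings = []
    # Via header: "Via: SIP/2.0/<transport> host:port;branch=..."
    via = next(h for h in headers if h.lower().startswith(("via:", "v:")))
    transport = via.split(":", 1)[1].split()[0].rsplit("/", 1)[1].upper()
    if transport != "TLS":
        findings.append(f"SIP signalling over {transport}, not TLS")
    session_keyed, media = False, []
    for line in sdp.split("\n"):
        if line.startswith("m="):
            kind, port, proto = line[2:].split()[:3]
            media.append({"kind": kind, "port": port, "proto": proto.upper(),
                          "keyed": session_keyed})
        elif line.startswith(("a=crypto:", "a=fingerprint:")):
            # SDES key (a=crypto) or DTLS-SRTP fingerprint; the latter may be
            # given once at session level, before the first m= line.
            if media:
                media[-1]["keyed"] = True
            else:
                session_keyed = True
    for m in media:
        if m["proto"] not in SRTP_PROFILES:
            findings.append(f"{m['kind']} port {m['port']}: {m['proto']} is unencrypted RTP")
        elif not m["keyed"]:
            findings.append(f"{m['kind']} port {m['port']}: {m['proto']} offered without keys")
    return findings

# Constructed sample messages (hypothetical extensions, RFC 5737 addresses).
def _invite(scheme, transport, proto, extra=""):
    return (f"INVITE {scheme}:1002@pbx.example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/{transport} 192.0.2.10;branch=z9hG4bKconstructed\r\n"
            "Content-Type: application/sdp\r\n\r\n"
            "v=0\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
            f"m=audio 49170 {proto} 0\r\na=rtpmap:0 PCMU/8000\r\n{extra}")

PLAIN = _invite("sip", "UDP", "RTP/AVP")
SECURE = _invite("sips", "TLS", "RTP/SAVP",
                 "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER\r\n")

if __name__ == "__main__":
    for name, msg in (("plain", PLAIN), ("secure", SECURE)):
        print(name, audit_invite(msg) or "no findings")
```

An empty result means the offer asks for TLS signalling and keyed SRTP; it does not prove the far end accepted it, so the answer (200 OK) should be audited the same way.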
How cost effective?
Vendors claim that because of your existing network, you don't need to spend
much on the wiring and infrastructure set up. But there are some hidden costs
which are generally not disclosed to the customer. The first thing that you
require is a bandwidth shaping solution for your network. Without a proper QoS
for your VoIP network, most of the vendors will not promise you good sound
quality and there will be packet losses because of collision while speaking. The
deployment cost of such a solution is not included in your VoIP deployment cost.
Also note that VoIP phones are pretty costly and a standard phone will cost you
around $100 to $200 which is around 5 times the price of a full featured normal
PSTN phone. For example, the D-Link DPH-140s IP Phone reviewed in this issue costs
Rs 11,940. You can save costs using softphones, but these have their own
limitations. The same holds true for IP PBX as well. Besides the IP PBX, you
would also need a PSTN to VoIP gateway to make local calls.
Legal angle
In India the legality behind VoIP is so confusing that it's difficult to
understand what is legal and what is not. According to the Telegraphic Act 1883
and the Telegraphic Wireless Act 1935, all international calls should conform to
the norms set by TRAI. You can make IP-based calls outside the country but it is
not legal to make calls to a local PSTN or a cellular network. So, one can't
enjoy the real advantages of VoIP, ie, lower recurring costs in terms of making
and receiving calls amongst branch offices or customers and partners across the
world.
What to do?
After reading all this, you must be wondering whether to deploy VoIP or not. The
good news is that for enhancing security, companies like Cisco have come up with
technologies like SRTP and secure SIP to enable secure VoIP communication. But
these are very costly. Our advice is to evaluate your options thoroughly and do
a cost/benefit analysis on them, because ours is a fast-growing outsourcing
market and VoIP is something that can really help.
Then, there are telecom service providers who eye VoIP as a profitable
opportunity and are pushing the government to make laws more liberal. As things
fall into place slowly, we are bound to see an increased adoption of this
technology. And as adoption increases, the cost of deployment will go down,
making VoIP really hot and exciting.
Note: PCQuest does not offer legal advice. The material presented above
should not be construed as legal advice. You are encouraged to consult your
legal counsel before taking any action on this subject.