Kurt Jarvis, a technical engineer at MCI, agreed. However, he pointed to safeguards built into his companys Advantage VOIP product as protection enough. MCI uses SIPs digest authentication mechanism for hiding the user credentials as well as an expiring nonce in the challenge, which makes a replay attack more difficult. A denial-of-service attack is "possible but unlikely," he claimed, and even if it happened, MCIs UUnet-based network would clamp down and terminate the attack within five minutes. Thats fine if youre traversing just MCIs network, but not so great if you cross a boundary.Sure, you can tell your CEO to use his cellphone, but what about customers? What will you do when hackers demolish your voice network? How will you bring your switchboard and call center back online? Despite the assurances from MCI and Foundry, I see VOIP and SIP vulnerability as a huge problem. Without a robust security infrastructure, Internet-based voice traffic is vulnerable to all kinds of monkey business. Im a huge fan of VOIP, and I think itll change the world. But until we can protect those phones and servers from criminals, Id recommend caution. That doesnt mean you cant save money with VOIP. Take a cue from Raindances Burch and make a clear distinction between public and private networks. IP-based voice should work just fine over your secure corporate network. Just beware. When your pristine voice packets touch the dirty net, all bets are off. Editors Note: This story was updated to include more detailed information about MCIs authentication scheme. Check out eWEEK.coms Server and Networking Center at http://servers.eweek.com for the latest news, views and analysis on servers, switches and networking protocols for the enterprise and small businesses.
Ian Grey, a product marketing manager at Foundry Networks, is also worried. "Its absolutely susceptible" to hacks, he said. But he doesnt think a downed IP-PBX is as critical a problem as it once was. "My CEO will just pick up his cellphone" if theres a problem, Grey said.