Network managers need to start thinking very carefully about implementing voice over IP (VoIP) security to maintain LAN performance, avoid denial of service (DoS) attacks on IP phones and software platforms, and stop hackers listening in to private conversations.

Speaking at a roundtable forum at Cebit this month, experts said it could take another two years before the right balance of security and quality of service (QoS) in enterprise VoIP systems can be found.

"We have to follow standards and listen to news groups. Security and QoS issues will keep us working for the next two years before they are resolved," said Arndt-Michael Meyer, product line manager for media processing at Eicon Networks.

Paul Slaby, chief executive of VoIPShield Systems, added, "Some com- panies are OK today [with VoIP security] but those with compliance requirements have issues that need to be addressed and we are just at the beginning."

VoIP conversations can tolerate a maximum latency of just 150 milliseconds. But IP handsets and soft phones based on non-real-time operating systems such as Linux and Windows are susceptible to delays and vulnerable to hacker attack. Adding encryption to prevent outsiders listening into conversations can also degrade performance.

"Providing QoS to use limited bandwidth but still encrypt data limits the ability to analyse what application is running, or decide what QoS should apply, " said Gilad Brand, director of product management at VoIP gateway specialist Jungo.

Martin Feuk, executive vice-president at Session Initiation Protocol (SIP)-based VoIP equipment maker Intertex, said, "All parts are being made more secure, and there are standards and protocols to make sure nobody listens in. VoIP security is out there but it is not implemented by everyone today."

SIP is an open standard that should help to address the security versus performance issue, but vendors' implementations of the technology differ, so interoperability and uniform feature sets are not assured in the short term, said Slaby.