VoIP Toolkit

Tackling VoIP security concerns

Tags:
Security,
VoIP

Deb Shinder Tech Republic

Published: 27 Sep 2006 15:10 BST

…without falling victim to hackers and attackers. The key is that some VoIP implementations are much more secure than others, and your goal is to take steps to increase the security of your VoIP network.

Securing VoIP servers
VoIP calls are transmitted as packets of data, like other data sent over an IP network. That means that hackers can intercept the contents of those calls in the same way as other data — for example, by using a "sniffer" (network monitor/protocol analyser) to capture the packets. Interception can take place within the local area network or at the ISP anywhere the data travels through the Internet. Someone who knows the IP address of your IP phone can tap into your call.

Physical security of the VoIP servers in your organisation is critical to protecting users from eavesdropping or call diversion. You should spend as much effort on securing these servers against both internal and external intruders as you spend on securing any of your mission critical servers.

Of course, you should protect your servers with firewalls. Be aware of the security issues created by firewall configurations required for VoIP traffic to go through. Firewalls designed to work specifically with a VoIP system are available; they dynamically open and close the appropriate ports as needed for calls.

Encrypting VoIP communications
Your second line of defence, in the case of VoIP packet interception, is to render them unusable to the hacker who captures them — that means a strong encryption method. Many VoIP vendors provide built-in encryption. There are also add-on encryption products.

Phil Zimmerman, creator of PGP (Pretty Good Privacy), recently released the beta of a secure, encrypted, open source VoIP software program called Zfone. Unfortunately, although it works with all standard SIP phones, it only encrypts the transmissions between users who are both using the ZRTP protocol. One advantage of ZRTP is that key negotiation and management are peer-to-peer operations, so you don't have to use a Public Key Infrastructure (PKI).

Encryption has another advantage: Some ISPs block the SIP protocol. Last summer, Solegy released a VoIP encryption method that allows VoIP users to establish SIP sessions despite the blocking mechanisms.

Redundancy for fault tolerance
What if a virus or Trojan crashes your VoIP network? Your best bet in providing fault tolerance for any type of data, including voice, is redundancy. That can mean multiple Internet connections/providers, multiple VoIP providers and multiple VoIP gateways within your organisation, and clustered VoIP servers so that one automatically takes over if the other goes down.

You need redundant links to the centralized call processing station where call routing decisions happen. It's also vital to test your backup connections regularly to ensure proper failover.

Don't forget redundancy for your power sources. VoIP equipment requires electricity to operate, and that means backup power sources, such as UPS and generators, need to protect all the components on which your VoIP service depends, including routers, switches, and servers.

Summary
As with any other Internet application, deploying VoIP on your network can raise new security concerns. However, by addressing these concerns with proper planning and the right tools, your organisation can take advantage of the benefits of IP telephony.