If you're considering a switch to VoIP, you may be wondering, "What about security issues?" You know that VoIP uses the Internet (in most cases) to transmit calls, and reports of Internet security breaches appear in the news every day. In a previous column, we discussed how common IP security issues apply to VoIP and some of the steps you can take to make VoIP more secure.
Perhaps the biggest challenge to building a secure VoIP infrastructure, however, is the trade-off you must often make between security and performance. This trade-off exists on data networks, too, but it presents more of an issue on voice networks because quality of service (QoS) is so dependent on performance.
Let's take a look at the problem, and some things you can do to work around it.
The packet switching problem
Circuit switching technology used by the public switched telephone network (PSTN) establishes a dedicated connection between two endpoints (the caller and receiver). During the call, all of the signals that make up the voice transmissions travel across that same link, in much the same way as trains travel from one city to another over a dedicated track.
In a packet switching network (the Internet and other TCP/IP networks), the transmissions break up into small chunks (the packets) and route over multiple routes from caller to receiver. In the same way that two different drivers can go from Los Angeles to Dallas with one traveling across Arizona and New Mexico on I-10 and another traversing those states via I-40, the packets take different routes but eventually arrive at the same destination. This is a more efficient means of transmission because it doesn't tie up an entire route for the duration of the call. The packets can go across the least congested and least expensive lines. Several VoIP calls can share the same amount of bandwidth used by one PSTN phone call.
The problem with packet switching is that latency, jitter, and dropped packets are fairly common. Latency refers to the amount of time it takes for a packet to reach its destination; delays result in high latency. Packets can stall at a router or other gateway that they pass through, or travel more slowly along a low-bandwidth link or one crowded with a large amount of traffic. Jitter refers to uneven transmissions, with a quick flow of data at times and delays at other times. Errors and packet loss can also cause delays. If a packet gets lost, resending is required, which causes a delay. The distance between the two points causes propagation delays. The type of link used can also affect delay. For instance, satellite transmissions are always subject to high latency because of the long travel distance from Earth to the orbiting satellite and back down again (satellites in geostationary orbit are a little
Because packet switching networks were originally designed to transmit data, some delay in most data transmissions is acceptable and usually not even noticeable. Voice transmissions, however, are not nearly as forgiving.
Transmission errors and delays can distort VoIP transmissions or lose them completely. Such errors may garble the voice sound on one or both ends, create an echo effect, or drop calls entirely. This is not acceptable for organizations that must depend on phone calls to conduct business.
VoIP hardware also affects performance and thus call quality. Network hardware that's unable to handle the volume of VoIP traffic can cause a degradation in performance. Endpoint performance is another issue. Soft phones, in which VoIP software is installed on a PC with the PC serving as the phone, can be subject to poor performance and loss of call quality (or even an entire system crash) if the PC doesn't have sufficient resources (such as processor or memory) to handle the VoIP application plus any other applications that the user is running at the same time.
VoIP QoS requirements
Expectations for the level of service and reliability of voice communications are generally different—and much higher—than the expectations for data communications. Acceptable voice transmission quality requires low latency, so you don't have a long delay between the time one party speaks and the time the other party hears the transmission. Long delays disrupt the easy flow of conversation. The variable delay of jitter is even worse because it can result in echo.
Regular fax machines used on VoIP lines are also very sensitive to jitter and latency.
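The latency, jitter and packet-loss figures the column refers to are measurable on a live call from the RTP stream itself: sequence numbers reveal loss, the RTP timestamp versus arrival time gives the RFC 3550 interarrival jitter estimate, and send versus receive time gives one-way latency to compare with the ITU-T G.114 guideline of 150 ms. The following is an added example, not code from the column; it assumes a G.711 stream (8 kHz clock, 20 ms packets) and a constructed list of packet records in which one packet is lost and another arrives late. The send and receive timestamps are assumed to come from synchronised clocks.

```python
"""Per-stream QoS metrics for an RTP voice call: packet loss, RFC 3550
interarrival jitter and one-way latency. Added example; the input is a
constructed list of packet records, not a real capture."""
from dataclasses import dataclass
from typing import Dict, List

CLOCK_RATE_HZ = 8000           # RTP media clock assumed for a G.711 stream
SAMPLES_PER_PACKET = 160       # 20 ms of audio per packet at 8 kHz
ONE_WAY_DELAY_BUDGET_MS = 150  # ITU-T G.114 guideline for one-way delay
RTP_SEQ_MOD = 1 << 16          # RTP sequence numbers are 16 bits wide


@dataclass(frozen=True)
class RtpPacket:
    seq: int        # 16-bit RTP sequence number
    timestamp: int  # RTP timestamp in media-clock units (samples)
    sent_ms: int    # sender wall-clock send time (assumes synchronised clocks)
    recv_ms: int    # receiver wall-clock arrival time


def unwrap_sequence(seqs: List[int]) -> List[int]:
    """Extend 16-bit sequence numbers so a 65535 -> 0 wrap keeps counting upward.

    Assumes packets are not reordered across the wrap point itself."""
    extended: List[int] = []
    cycles = 0
    prev = None
    for seq in seqs:
        if prev is not None and prev - seq > RTP_SEQ_MOD // 2:
            cycles += 1  # a large backward jump means the 16-bit counter wrapped
        extended.append(seq + cycles * RTP_SEQ_MOD)
        prev = seq
    return extended


def interarrival_jitter_ms(packets: List[RtpPacket]) -> float:
    """RFC 3550 section 6.4.1 jitter estimator, run over packets in arrival order."""
    jitter = 0.0  # J, kept in RTP clock units until the final conversion
    for prev, cur in zip(packets, packets[1:]):
        # Express the arrival gap in RTP clock units so both terms share a unit.
        arrival_delta = (cur.recv_ms - prev.recv_ms) * CLOCK_RATE_HZ // 1000
        media_delta = cur.timestamp - prev.timestamp
        d = arrival_delta - media_delta  # transit-time difference D(i-1, i)
        jitter += (abs(d) - jitter) / 16  # J(i) = J(i-1) + (|D| - J(i-1)) / 16
    return jitter * 1000 / CLOCK_RATE_HZ


def stream_metrics(packets: List[RtpPacket]) -> Dict[str, object]:
    """Summarise loss, jitter and latency for the packets a receiver actually saw."""
    if not packets:
        raise ValueError("no packets received")
    ext = unwrap_sequence([p.seq for p in packets])
    expected = max(ext) - min(ext) + 1  # every sequence number the sender used
    received = len(packets)
    delays = [p.recv_ms - p.sent_ms for p in packets]
    return {
        "expected": expected,
        "received": received,
        "lost": expected - received,
        "loss_fraction": (expected - received) / expected,
        "jitter_ms": interarrival_jitter_ms(packets),
        "mean_latency_ms": sum(delays) / len(delays),
        "max_latency_ms": max(delays),
        "within_delay_budget": max(delays) <= ONE_WAY_DELAY_BUDGET_MS,
    }


def constructed_stream() -> List[RtpPacket]:
    """Constructed sample: ten 20 ms packets with a 40 ms base path delay;
    seq 1003 never arrives and seq 1004 is held up for an extra 10 ms."""
    arrivals_ms = {0: 40, 1: 60, 2: 80, 4: 130, 5: 140, 6: 160, 7: 180, 8: 200, 9: 220}
    return [
        RtpPacket(seq=1000 + i, timestamp=i * SAMPLES_PER_PACKET,
                  sent_ms=i * 20, recv_ms=recv)
        for i, recv in sorted(arrivals_ms.items())
    ]


if __name__ == "__main__":
    for name, value in stream_metrics(constructed_stream()).items():
        print(f"{name:>20}: {value}")
```

The jitter estimator is the one RTP receivers report in RTCP receiver reports, so the same arithmetic applies to real RTCP data; the send-time field exists only because the constructed sample supplies it, and in practice one-way latency needs a synchronised clock or a round-trip measurement instead.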
The security dilemma
Security mechanisms on an IP network almost always involve some overhead that affects performance. Again, when data is being transmitted this may not even be noticeable—but the delay added by the time required to encrypt and decrypt packets for security can adversely affect the quality of the call.
There's already a lot going on in a VoIP call. With a PSTN line, you dial a phone number, the telco's equipment processes that information, and the switching system establishes a circuit to ring the called number. When you call a phone number on a VoIP line, the analog signal must be converted to digital, the data is compressed, the called number must be associated with the called computer's (or other VoIP endpoint's) IP address, and a number of complex protocols are involved.
Throwing security into the mix slows the process down. Firewall packet filters and application filters take time to examine packets as they enter or leave the network. Encryption protocols take time to encrypt and decrypt the data. Authentication and access control mechanisms take time to perform their tasks. Although each of these delays is small, when you have a good multi-layered security strategy, the effect is cumulative and can be enough to affect call quality.
This doesn't mean you should skimp on security for your VoIP network. Just as VoIP lines are more vulnerable than PSTN to the effects of delay, they are also more vulnerable to security breaches. In the weeks to come, we'll look at individual VoIP security mechanisms, such as firewalls, encryption, physical security, and how you can implement each while minimizing the effects on performance.
Debra Littlejohn Shinder, MCSE, MVP, is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, the CompTIA Security+ exam, and TruSecure's ICSA certification.