When considering whether to cut the telco cord and go exclusively with IP-based telephony, transmission quality and reliability top the list of concerns among business owners. But sending your voice calls over today's attack-prone, virus- and worm-infested Internet raises a third issue: security.
Of course, the traditional telephone network (the public switched telephone network, or PSTN) is not invulnerable to security breaches. In fact, some of the earliest hackers were "phone phreakers," who specialized in cracking Ma Bell's network, usually for the purpose of making long distance calls on someone else's dime. Famous former phreakers include Steve Wozniak, co-founder of Apple Computer, and John Draper, also known as Cap'n Crunch because he used a toy whistle from a box of eponymous cereal to produce the tones used to access long distance lines.
Today, the threat posed by hackers to IP networks goes far beyond the cost of unauthorized long distance calls. An attack could take down the network (and thus the company’s phone service) for hours or days, and the content of calls could be intercepted, divulging trade secrets, confidential client information, and more. That makes security a very important issue, so let’s take a look at the status of VoIP security today.
What are the threats?
Some of the security issues that affect VoIP are the same ones that affect any IP network, and some are unique to voice communications. Major threats include:
A different but related problem with VoIP is the possibility of receiving SPIT (Spam over IP Telephony). Another is the phenomenon known as Vishing, or VoIP Phishing. We’ll discuss both of these more in a future column.
VoIP security threats are no longer just theoretical. In June, two men in New Jersey were charged with hacking into several companies’ networks and stealing their VoIP bandwidth to resell it. At the Black Hat USA 2006 security conference in Las Vegas this summer, security researchers David Endler and Mark Collier demonstrated a tool for overwhelming Session Initiation Protocol (SIP)-based VoIP networks with millions of requests, preventing users from making calls. Another hack can modify the information a VoIP phone provides when it registers with the network, allowing the hacker to redirect calls to a different phone.
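As a defensive illustration of the two SIP problems just described (request floods and altered registrations), the following added example, which is not from the original article, scans SIP traffic for a source that exceeds a request rate and for a registration whose Contact moves to a host that is neither the previous binding nor the sender. The sample messages, the example.test names, the thresholds and the rebinding heuristic are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Constructed sample traffic: (seconds, source IP, raw SIP request). Not real captures.
def make_register(aor, contact_host):
    user = aor.split("@")[0]
    return (f"REGISTER sip:pbx.example.test SIP/2.0\r\n"
            f"To: <sip:{aor}>\r\n"
            f"Contact: <sip:{user}@{contact_host}:5060>\r\n"
            f"Expires: 3600\r\n\r\n")

SAMPLE = [
    (0.0, "10.0.0.21", make_register("alice@example.test", "10.0.0.21")),
    (1.0, "10.0.0.22", make_register("bob@example.test", "10.0.0.22")),
    (30.0, "203.0.113.9", make_register("alice@example.test", "198.51.100.7")),
] + [(40.0 + i * 0.01, "203.0.113.50",
      make_register("carol@example.test", "203.0.113.50")) for i in range(200)]

TO_RE = re.compile(r"^To:\s*<sip:([^>;]+)>", re.I | re.M)
CONTACT_RE = re.compile(r"^Contact:\s*<sip:[^@>]+@([^:;>]+)", re.I | re.M)

def analyze(events, max_per_window=50, window=1.0):
    """Return (rebinding_alerts, flood_sources) for a time-ordered SIP stream."""
    bindings = {}                # address-of-record -> last Contact host seen
    recent = defaultdict(deque)  # source IP -> request timestamps in the window
    rebinds, floods = [], set()
    for ts, src, raw in events:
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_per_window:      # too many requests from one source
            floods.add(src)
        if not raw.startswith("REGISTER "):
            continue
        to, contact = TO_RE.search(raw), CONTACT_RE.search(raw)
        if not (to and contact):
            continue
        aor, host = to.group(1), contact.group(1)
        prev = bindings.get(aor)
        # Heuristic (assumption): a phone normally registers its own address, so
        # a binding that differs from both the old one and the sender is flagged.
        if prev is not None and host != prev and host != src:
            rebinds.append((ts, aor, prev, host, src))
        bindings[aor] = host
    return rebinds, floods
```

Phones behind NAT can legitimately register a Contact that differs from the packet source, so in practice the rebinding alert is a lead for review, not proof of hijacking.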
What can you do about it?
Do all these potential threats mean that your company shouldn’t move to VoIP? Not at all—many organizations are benefiting from the cost savings and convenience of IP telephony without falling victim to hackers and attackers. The key is that some VoIP implementations are much more secure than others, and your goal is to take steps to increase the security of your VoIP network.
Securing VoIP servers
VoIP calls are transmitted as packets of data, like other data sent over an IP network. That means that hackers can intercept the contents of those calls in the same way as other data—for example, by using a "sniffer" (network monitor/protocol analyzer) to capture the packets. Interception can take place within the local area network, at the ISP, or anywhere else the data travels through the Internet. Someone who knows the IP address of your IP phone can tap into your call.
Physical security of the VoIP servers in your organization is critical to protecting users from eavesdropping or call diversion. You should spend as much effort on securing these servers against both internal and external intruders as you spend on securing any of your mission critical servers.
Of course, you should protect your servers with firewalls. Be aware of the security issues created by firewall configurations required for VoIP traffic to go through. Firewalls designed to work specifically with a VoIP system are available; they dynamically open and close the appropriate ports as needed for calls.
Encrypting VoIP communications
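The dynamic port handling of a VoIP-aware firewall, mentioned in the firewall paragraph above, can be sketched as follows. This is an added example, not code from the article or from any firewall product: it reads the media address and port from the SDP body of each SIP message, opens RTP and RTCP pinholes for that call, and closes them when the call ends. The messages, addresses and class name are constructed for the example, and only session-level `c=` lines and IPv4 audio streams are handled.

```python
import re

# Constructed SIP messages for one call (addresses are documentation ranges).
def sip(start_line, call_id, body=""):
    return (f"{start_line}\r\nCall-ID: {call_id}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

def sdp(ip, port):
    return f"v=0\r\nc=IN IP4 {ip}\r\nm=audio {port} RTP/AVP 0\r\n"

SAMPLE_CALL = [
    sip("INVITE sip:bob@example.test SIP/2.0", "c1@10.0.0.21", sdp("10.0.0.21", 16384)),
    sip("SIP/2.0 200 OK", "c1@10.0.0.21", sdp("198.51.100.7", 20000)),
    sip("BYE sip:bob@example.test SIP/2.0", "c1@10.0.0.21"),
]

class PinholeTable:
    """Tracks the media ports a firewall would allow, keyed by Call-ID."""
    def __init__(self):
        self.open = {}   # Call-ID -> set of (ip, port) allowed for media

    def inspect(self, raw):
        head, _, body = raw.partition("\r\n\r\n")
        m = re.search(r"^Call-ID:\s*(\S+)", head, re.I | re.M)
        if not m:
            return
        call_id = m.group(1)
        # BYE or CANCEL ends the call: close every pinhole opened for it.
        if head.startswith(("BYE ", "CANCEL ")):
            self.open.pop(call_id, None)
            return
        conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        for media in re.finditer(r"^m=audio (\d+) RTP/", body, re.M):
            port = int(media.group(1))
            if conn and 1024 <= port <= 65534:
                # RTP on the advertised port, RTCP on the next one up.
                self.open.setdefault(call_id, set()).update(
                    {(conn.group(1), port), (conn.group(1), port + 1)})

    def allowed(self, ip, port):
        return any((ip, port) in holes for holes in self.open.values())

def replay(messages):
    """Feed messages through the table; return the open pinholes after each."""
    table, history = PinholeTable(), []
    for raw in messages:
        table.inspect(raw)
        history.append(sorted(h for holes in table.open.values() for h in holes))
    return history
```

Because pinholes exist only between call setup and teardown, the wide static UDP port ranges that a generic firewall would otherwise need for media can stay closed.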
Your second line of defense, in the case of VoIP packet interception, is to render them unusable to the hacker who captures them—that means a strong encryption method. Many VoIP vendors provide built-in encryption. There are also add-on encryption products.
Phil Zimmermann, creator of PGP (Pretty Good Privacy), recently released the beta of a secure, encrypted, open source VoIP software program called Zfone. Unfortunately, although it works with all standard SIP phones, it only encrypts the transmissions between users who are both using the ZRTP protocol. One advantage of ZRTP is that key negotiation and management are peer-to-peer operations, so you don't have to use a Public Key Infrastructure (PKI).
Encryption has another advantage: Some ISPs block the SIP protocol. Last summer, Solegy released a VoIP encryption method that allows VoIP users to establish SIP sessions despite the blocking mechanisms.
Redundancy for fault tolerance
What if a virus or Trojan crashes your VoIP network? Your best bet in providing fault tolerance for any type of data, including voice, is redundancy. That can mean multiple Internet connections/providers, multiple VoIP providers, multiple VoIP gateways within your organization, and clustered VoIP servers so that one automatically takes over if the other goes down.
You need redundant links to the centralized call processing station where call routing decisions happen. It's also vital to test your backup connections regularly to ensure proper failover.
Don't forget redundancy for your power sources. VoIP equipment requires electricity to operate, and that means backup power sources, such as UPS and generators, need to protect all the components on which your VoIP service depends, including routers, switches, and servers.
As with any other Internet application, deploying VoIP on your network can raise new security concerns. However, by addressing these concerns with proper planning and the right tools, your organization can take advantage of the benefits of IP telephony.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.