SolutionBase: Creating a secure and reliable VoIP solution

VoIP is the new kid on the telecommunications block. As such, there are things you need to be aware of in order to create a secure and reliable solution. Deb Shinder points the way.

If you're considering a switch to VoIP, you may be wondering about security and reliability issues. You know VoIP uses the Internet (in most cases) to transmit calls, and Internet security breaches are featured in the news almost daily. Perhaps the biggest challenge to building a secure VoIP infrastructure, however, is the trade-off you must often make between security and performance. This trade-off exists on data networks, too, but it presents more of an issue on voice networks because quality of service is so dependent on performance.

Let's take a look at the problem and some things you can do to work around it.

How to make VoIP more reliable

The phone company has a reputation for reliability: customers are used to getting a dial tone every time they pick up the phone; they're used to calls going through to the correct party; and they're used to clear communications on that call until one of the parties terminates it. They aren't willing to settle for less.

The trouble with VoIP

Many businesses tried VoIP when it first became available; they didn't cancel their PSTN service and embrace IP telephony because they didn't find VoIP to be entirely trustworthy. The service worked great -- sometimes. Other times, users would pick up the phone to find there was no dial tone, and would have to reboot the VoIP box before making or receiving a call. Sometimes calls went through with no problem, but calls to certain phone numbers, especially those on corporate PBX systems, resulted in so much echo that users had to switch to the landline when talking to those people. Other weird problems would occasionally pop up, such as caller ID reporting a totally different number than the one from which the call was made. The overall consensus: VoIP had great potential, but, like beta software with cool features, it was just a little too flaky for everyday use.

In fact, the complaints about VoIP quality -- poor sound, dropped calls, intermittent loss of service -- are the same ones that plagued cell phone technology in its early days and, indeed, the same ones that occurred with PSTN when the whole phone system was in its infancy. That should give us hope that, as VoIP matures, these problems will become rarer.

Indeed, many VoIP users who have stayed with the technology have noticed fewer problems this year than just a couple of years ago. Sometimes quality improves dramatically when you switch out the provided ATA (VoIP box) for a newer model; or, in some cases, you can simply upgrade its software. If you've been living with less-than-perfect VoIP service, ask your provider about upgrading the equipment.

The nature of VoIP

Although ongoing improvements are likely to make VoIP better, the nature of VoIP does introduce some factors that make it less reliable than PSTN. You'll recall that PSTN lines use circuit switching technology; this means that for the duration of any particular call, a dedicated circuit stays open between the caller and receiver. That circuit can't be used by anyone else during that time.

VoIP calls travel over a packet-switched network (the Internet). There is no constant connection maintained. Instead, the voice signal is digitized and broken into small portions (packets) that are sent through a series of routers until they reach the recipient. Different packets may take different routes; they're reassembled at the destination and turned back into voice. Multiple transmissions (of voice or data) can share the same lines. Because packets can be routed along whatever line is least congested at the time, it's more efficient and cost-effective. But there is also the potential for packets to get lost or misrouted. Problems with Internet routers along the way can affect the quality of your call, or even whether it goes through at all.

VoIP dependencies

Another reason PSTN is more reliable is its relative independence from an on-site power source. In a business or even in a home that uses cordless phones, your equipment (PBX, phone base station, etc.) may require electricity. However, the phone lines themselves don't need to be powered at your site to work. They draw their power from the central office, so if you have an electrical outage at your office or home, you can still make phone calls.

Your VoIP line is dependent on an appliance that requires power to work. If you lose power, the line goes down. It's also dependent on your Internet connection; if that goes down, the packets that contain your call data have no way to reach their destinations. Even the normal momentary "glitches" to which broadband Internet services are prone can cause transmission errors that may interrupt your phone calls. Of course, viruses, worms, and hack attacks that bring down the network can also bring down your phone system when it's IP-based.

VoIP services that run client software on PCs ("soft phones" such as Skype) are also dependent on the resources of the computer. Call quality may be much better when you run the software on a higher powered system (faster processor, more RAM) or when lots of other applications aren't competing for the system resources.

Increasing VoIP reliability

Despite these problems, there are steps you can take to make your VoIP deployment more reliable:

  • Power backup (UPS and/or generator): This will continue supplying electrical power to your VoIP equipment and Internet router if there's a power failure.
  • Redundant Internet connections: Two broadband or T-carrier connections from different providers can be aggregated with some routers to provide more bandwidth and also to automatically failover when one connection goes down.
  • Dedicated Internet connection for VoIP: Keeping your VoIP line on its own Internet connection, separate from your data network, allows you to isolate it from any viruses or attacks that threaten your data network and to protect it with its own firewall, which can be configured to block everything but the specific protocols needed for the VoIP communications.
  • Redundant VoIP lines: If you need multiple voice phone lines, you don't have to get them all from the same VoIP provider. Although that may be more convenient and you may get a better price, having different lines from different providers can keep you talking if there are problems at one provider's end that cause your voice services to be unavailable.

The packet switching problem

Circuit switching technology used by the PSTN establishes a dedicated connection between two endpoints (the caller and callee). During the call, all of the signals that make up the voice transmissions travel across that same link, in much the same way as trains travel from one city to another over a dedicated track.

In a packet switching network (the Internet and other TCP/IP networks), the transmissions are broken up into small chunks (packets) and are routed over multiple routes from caller to callee. In the same way that two different drivers can go from Los Angeles to Dallas with one traveling across Arizona and New Mexico on I-10 to the South and another traversing those states via I-40, further north, the packets eventually arrive at the same destination, but take different routes to get there. This is a more efficient means of transmission because it doesn't tie up an entire route for the duration of the call. The packets can go across the least congested and least expensive lines. The same amount of bandwidth used by one PSTN phone call can be shared by several VoIP calls.

The problem with packet switching is that latency, jitter, and dropped packets are fairly common. Latency refers to the amount of time it takes for a packet to reach its destination. Delays result in high latency. Packets can be delayed at a router or other gateway that they pass through, or travel more slowly along a low-bandwidth link or one that is crowded with a large amount of traffic. Jitter refers to uneven transmissions, with data flowing in quickly at times and being delayed at other times.

Delays are also caused by errors and packet loss. If a packet is lost, it must be resent, which causes a delay. Propagation delays are caused by the distance between the two points. The type of link used can affect delay. For instance, satellite transmissions are always subject to high latency because of the long travel distance from earth to the satellite in orbit and back down again (satellites in geostationary orbit are a little over 22,000 miles above the earth).

Packet switching networks were originally designed to transmit data, and some delay in most data transmissions is acceptable and usually not even noticeable. Voice transmissions, however, are not nearly as forgiving.

Transmission errors and delays can cause VoIP transmissions to be distorted or lost entirely. Voice may sound garbled on one or both ends, there may be an echo effect, or calls may be dropped entirely. This is annoying and is not acceptable for organizations that depend on phone calls to conduct their business.

Hardware issues

VoIP hardware also affects performance, and thus call quality. Network hardware that's unable to handle the volume of VoIP traffic can cause degradation in performance. Endpoint performance is another issue. "Soft phones," in which VoIP software is installed on a PC with the PC serving as the "phone," can be subject to poor performance and loss of call quality (or even an entire system crash) if the PC doesn't have sufficient resources (processor, memory) to handle the VoIP application plus any other applications that the user is running at the same time.

Bandwidth and latency issues

VoIP call quality is also affected by network bandwidth. A low bandwidth connection such as dialup generally won't provide excellent voice quality; broadband speeds are needed.

Latency or "lag time" can be even more important than speed. According to the International Telecommunication Union (ITU), the maximum acceptable delay for voice transmissions is about 150 milliseconds. DSL, cable and Wi-Fi all work well in this regard. Even dialup is adequate in regard to lag time; however, cellular, with delays of up to 600 milliseconds, doesn't work so well until you get up to the 3G level.

VoIP QoS requirements

Expectations for the level of service and reliability of voice communications are generally different -- and much higher -- than the expectations for data communications. Acceptable voice transmission quality requires low latency, so you don't have a long delay between the time one party speaks and the time the other party hears that speech. Long delays disrupt the easy flow of conversation. Variable delay (jitter) is even worse because it can result in echo.

Regular fax machines used on VoIP lines are also very sensitive to jitter and latency.

The security dilemma

Security mechanisms on an IP network almost always involve some overhead that affects performance. Again, when data is being transmitted this may not even be noticeable; but the delays added for, as an example, the time required to encrypt and decrypt packets to secure the confidentiality of your VoIP conversations can adversely affect the quality of the call.

There's already a lot going on in a VoIP call. With a PSTN line, you dial a phone number and the telco's equipment processes that information and the switching system establishes a circuit to ring the called number. When you call a phone number on a VoIP line, the analog signal must be converted to digital, data is compressed, the called number must be associated with the called computer's (or other VoIP endpoint's) IP address, and a number of complex protocols are involved.

Throwing security into the mix slows the process down. Firewall packet filters and application filters take time to examine packets as they enter or leave the network. Encryption protocols take time to encrypt and decrypt the data. Authentication and access control mechanisms take time to perform their tasks. Although each of these delays is small, when you have a good multi-layered security strategy, the effect is cumulative and can be enough to affect call quality.

This doesn't mean you should skimp on security for your VoIP network. Just as VoIP lines are more vulnerable than PSTN to the effects of delay, they are also more vulnerable to security breaches.

VoIP security: A multi-layered approach

A multi-layered approach to security of any kind works best. For example, in protecting your home and possessions against burglars, you probably take a multi-layered approach: you might erect a fence around the perimeter with a locked gate, place a large dog in the yard in case someone gets through the fence, put deadbolts on the doors and windows in case they get past the dog, install a security alarm system in case they manage to pick the locks, and place valuables in a safe in case someone circumvents all your other security measures.

Likewise, the best way to protect your VoIP network is with multiple layers of security mechanisms that can place as many obstacles as possible in the path of potential intruders or attackers. Let's take a look at some ways to create a multi-layered VoIP security strategy.

Defining the perimeter: voice/data network separation

Before you can practice perimeter security, you need to have a defined perimeter. A popular mantra in data networking circles in recent months is that "there are no perimeters." In truth, there are more perimeters than ever -- and this seems to have caused some IT security experts to give up completely on the concept of protecting it. But it doesn't have to be that way. You can create protectable perimeters for your network just as you can put up fences to create protectable perimeters for your land.

The first step in creating the most secure VoIP network is to separate it from your data network. Total integration may seem ideal in terms of ease of management and interoperability, but it's less than ideal when it comes to security. Your best bet is to logically segregate the voice and data networks using VLAN-capable switches, so that an attack on the data network won't bring your VoIP system down with it. This means:

  • Put VoIP phones on a separate virtual LAN with non-routable (private) addresses.
  • Don't allow interaction between Internet-connected PCs and VoIP components.
  • Use access control lists (ACLs) to prevent communications between the VLANs.

Protecting the perimeter: VoIP-aware firewalls

Perimeter protection in an IP network usually means a firewall, but just any old firewall won't do for a VoIP network. You need a firewall that's specifically designed to handle VoIP traffic. This means it is able to recognize and parse VoIP protocols and perform deep inspection of the VoIP packets and analyze the VoIP payload to discover patterns that indicate attacks.

For example, if your VoIP implementation uses SIP, the firewall should be able to:

  • Monitor inbound and outbound SIP messages for application level attacks
  • Support TLS
  • Perform SIP-aware NAT and media port management
  • Detect unusual calling patterns
  • Log details of SIP messages, especially for unauthenticated calls

Companies such as BorderWare are now making SIP-aware firewalls.
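The checks in the list above can be illustrated with a small log-analysis script. This is an added example, not code from the original article or from any firewall product: the sample requests, addresses, thresholds and finding names are all constructed, and it covers only INVITE requests.

```python
import re
from collections import defaultdict

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")

def make_invite(user, transport="TLS", auth=False):
    """Build a constructed, abbreviated INVITE for the sample data below."""
    lines = [
        f"INVITE sip:{user}@example.test SIP/2.0",
        f"Via: SIP/2.0/{transport} client.example.test;branch=z9hG4bK{user}",
        f"Call-ID: {user}@client.example.test",
        "CSeq: 1 INVITE",
    ]
    if auth:
        lines.append('Proxy-Authorization: Digest username="caller", realm="example.test"')
    return "\r\n".join(lines) + "\r\n\r\n"

def parse_sip(raw):
    """Return (method, headers) for a SIP request, or None if the start line is invalid."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return match.group(1), headers

def inspect(events, window=60, max_invites=3):
    """Return (time, source, finding) tuples for a stream of SIP requests."""
    findings = []
    recent = defaultdict(list)  # source IP -> INVITE times still inside the window
    for ts, src, raw in events:
        parsed = parse_sip(raw)
        if parsed is None:
            findings.append((ts, src, "malformed-request"))
            continue
        method, headers = parsed
        if method != "INVITE":
            continue
        # Logged, not blocked: a first INVITE is normally challenged by the server.
        if not headers.keys() & {"authorization", "proxy-authorization"}:
            findings.append((ts, src, "unauthenticated-invite"))
        transport = headers.get("via", "").split(" ")[0].rsplit("/", 1)[-1].upper()
        if transport != "TLS":
            findings.append((ts, src, "non-tls-signaling"))
        recent[src] = [t for t in recent[src] if ts - t < window] + [ts]
        if len(recent[src]) > max_invites:
            findings.append((ts, src, "invite-burst"))
    return findings

# Constructed events: (arrival time in seconds, source address, raw request).
SAMPLE_EVENTS = [
    (0, "10.20.0.11", make_invite("alice", auth=True)),
    (5, "10.20.0.12", make_invite("bob", transport="UDP")),
    *[(10 + i, "203.0.113.7", make_invite(str(1001 + i))) for i in range(4)],
    (20, "10.20.0.13", "GARBAGE\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in inspect(SAMPLE_EVENTS):
        print(finding)
```

The burst threshold and window are tuning parameters; a call center and a small office will need different values.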

Protecting VoIP gateways

The gateway is a point where data enters or leaves the VoIP network; gateways also connect unlike networks, such as the IP network and the PSTN. You should use strong authentication mechanisms and access controls at the gateways, to control who can make and receive calls through the VoIP system, who can perform administrative tasks, etc.

Protecting VoIP at the physical layer

The physical layer of the network includes the media over which IP packets travel. This can be Ethernet or fiber optic cabling or, in the case of wireless VoIP, the airwaves. Limiting access to the media (as well as the VoIP servers and endpoints) is just as important for a voice network as for a data network.

Intruders who have access to the media, either by plugging into a switch or hub, tapping the cable itself, or intercepting wireless transmissions, can use "sniffer" software to capture the packets containing the voice data and signaling information. With readily available tools such as VOMIT, they can reassemble those packets and eavesdrop on conversations, or even make changes to the communications and use them in replay attacks.

You should:

  • Control access to call servers by keeping them in a locked room
  • Restrict access to endpoints (hard phones or soft phone programs installed on computer workstations)
  • Secure cabling by running it through conduits and walls
  • Limit wireless interception by strategic location of access points, limitations on signal strength, use of blocking materials to contain wireless signals within the building, etc.

Protecting VoIP at the network layer

You can use Internet Protocol Security (IPSec) encryption to protect your VoIP data as it travels over the network, so that if attackers get past your physical security precautions and intercept VoIP packets, they won't be able to decipher the contents.

IPSec uses Authentication Header (AH) and Encapsulating Security Payload (ESP) to provide authentication, integrity and confidentiality of IP transmissions. IPSec for VoIP (VoIPSec) uses IPSec in tunnel mode to secure the identities of both endpoints. IPSec can make your VoIP communications even more secure than a traditional landline.

Protecting VoIP at the session layer

You can use Transport Layer Security (TLS) to protect VoIP session initiation, so that calls are set up securely, and to secure VoIP call traffic. TLS provides an encrypted channel between two endpoints, and operates between the Network layer (where IPsec works) and the Application layer.

TLS uses digital certificates and public key cryptography. This means each endpoint must have a certificate issued by a trusted certification authority (an internal CA such as a Windows server running certificate services for calls within the organization, or a public CA -- such as Verisign -- for calls outside the organization).

RFC 3261 defines a method for sending SIP over TLS channels called Secure SIP or SIPS.

Protecting VoIP at the application layer

You can use Secure RTP (SRTP) to encrypt the media at the application layer. SRTP is defined by RFC 3711 and provides the following security mechanisms:

  • Message authentication
  • Confidentiality
  • Replay protection
  • Protection against DoS attacks to the RTP stream

SRTP can be used for protection of VoIP communications on both wired and wireless networks. It uses the AES cipher, with one master key from which all session keys are derived. ZRTP is a key management protocol -- developed by Phil Zimmermann of PGP fame -- that can be used with SRTP. SRTCP provides the same security mechanisms for RTCP that SRTP provides for RTP.
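Two of the mechanisms listed above, message authentication and replay protection, can be shown with a receiver-side sketch modeled on RFC 3711. This is an added example, not code from the original article or from any SRTP library: the key and packets are constructed, AES encryption and key derivation are left out, and the rollover counter (ROC) is passed in explicitly, whereas a real receiver estimates it from the sequence numbers it has seen.

```python
import hashlib
import hmac
import struct

TAG_LEN = 10   # bytes: the 80-bit HMAC-SHA1 tag that RFC 3711 uses by default
WINDOW = 64    # replay window size in packets (RFC 3711 requires at least 64)

def rtp_packet(seq, payload=b"voice"):
    """Constructed RTP packet: 12-byte header (V=2) followed by the payload."""
    return struct.pack("!BBHII", 0x80, 0, seq, seq * 160, 0x1234ABCD) + payload

def auth_tag(auth_key, packet, roc):
    """HMAC-SHA1 over the packet plus the 32-bit rollover counter, truncated."""
    mac = hmac.new(auth_key, packet + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:TAG_LEN]

class Receiver:
    def __init__(self, auth_key):
        self.auth_key = auth_key
        self.highest = -1  # highest authenticated index, where index = ROC * 2^16 + SEQ
        self.seen = 0      # bit i set means index (highest - i) was already accepted

    def accept(self, packet, tag, roc):
        """Return 'accepted', 'replayed', 'too-old' or 'bad-tag' for one packet."""
        seq = struct.unpack("!H", packet[2:4])[0]
        index = (roc << 16) | seq
        offset = self.highest - index
        # Replay check comes first so duplicates are dropped before any HMAC work.
        if offset >= WINDOW:
            return "too-old"
        if offset >= 0 and (self.seen >> offset) & 1:
            return "replayed"
        if not hmac.compare_digest(tag, auth_tag(self.auth_key, packet, roc)):
            return "bad-tag"
        # Only an authenticated packet may move or mark the window.
        if offset < 0:
            shift = min(-offset, WINDOW)
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = index
        else:
            self.seen |= 1 << offset
        return "accepted"

def demo():
    key = b"constructed-auth-key"  # constructed; real keys are derived from the master key
    rx = Receiver(key)
    send = lambda seq, roc=0: rx.accept(rtp_packet(seq), auth_tag(key, rtp_packet(seq), roc), roc)
    results = [send(1), send(2), send(3)]
    results.append(send(2))                       # captured packet sent again
    forged = rtp_packet(4, b"other")              # payload changed, old tag reused
    results.append(rx.accept(forged, auth_tag(key, rtp_packet(4), 0), 0))
    results += [send(100), send(50), send(3)]     # jump ahead, late arrival, stale
    return results

if __name__ == "__main__":
    print(demo())
```

Because the window only moves after the tag verifies, a forged packet with a high sequence number cannot push legitimate packets out of the window.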


Reliability and security are still major concerns for organizations considering a VoIP implementation; despite the growing popularity of VoIP, security remains an obstacle to more widespread adoption. VoIP is inherently more vulnerable to attack than the PSTN network because of the public nature of the IP network and its protocols, but by taking a carefully planned, multi-layered approach to securing their VoIP networks, companies can make VoIP as secure as -- or even more secure than -- traditional phone systems.