VoIP Security

By | August 15, 2006

Many organisations operate logically separate networks, keeping voice and data traffic apart, and this separation can be maintained when sites are connected using, say, an operator’s virtual private network (VPN) service. BT’s MPLS network, for example, can be used to connect the IP telephony systems at different locations, enabling calls between employees to be kept ‘on network’. BT can also supply secure PSTN-IP telephony gateways as a part of a VPN.

The isolation of the corporate IP telephony network from the public internet removes the need to enable calls to pass through externally-facing firewalls and consequently reduces the risk of many forms of attack. However, even where logical network separation is used, some connections between the organisation’s IP telephony infrastructure and its data network will remain. Such connections may be able to be exploited by attackers who successfully breach the organisation’s outer defences, and should therefore be minimised. Softphones create bridges between voice and data networks, which is why the US National Institute of Standards and Technology is among those to recommend that such devices are prohibited whenever high standards of security and availability are required.

Over the coming years, operators such as BT will be using IP networks to replace their current public switched phone networks and older types of data networks. As a result, IP telephony will eventually become the dominant – potentially even the only – way of providing public phone services.

These new 21st century networks will, however, be more like current converged corporate voice and data networks than the public internet. The available capacity will be split to create a number of logically-separate networks that will carry different types of traffic. Phone calls will therefore be kept separate from other types of traffic, notably internet traffic.

The way in which the 21st century networks operated by different companies will be interconnected to allow phone calls to flow around the world has yet to be fully defined but, with regard to security, these new public phone networks will effectively be private (i.e., owned and operated by one company), which will allow a high degree of security to be provided.

VoIP is no longer a new technology, with Gartner positioning it firmly on its way to the ‘plateau of productivity’ on its widely-respected technology hype cycle. However, neither is it a mature technology. While it is used extensively in the corporate environment, for example, the adoption of public VoIP-based phone services is still limited.

Thus far, this has helped VoIP and IP telephony achieve a comparatively good security record. The technology does have weaknesses and vulnerabilities, but hasn’t been a sufficiently tempting target for attackers. This situation will change as levels of adoption increase, making it increasingly imperative for any user of the technology to have an effective security policy and appropriate precautions in place.

Leave a Reply