Daily Payload

Secure Your Network and You Secure VoIP

September 21, 2006

There is a lot of talk these days about VoIP security. Everybody is in agreement that VoIP security is lacking in a number of key areas. While some solutions for VoIP security exist, those solutions have not been adopted universally, leading some to go so far as to suggest that using VoIP can be dangerous.

Such blanket statements are not only misguided, but they are damaging to the industry. Since when did you stop using e-mail, instant messaging, or other applications? The same kind of security threats exist there.

VoIP is really as secure as the network. More precisely, if your network is secure, VoIP is secure. How many people expressed concern over the security of their traditional PBX? Most did not, though listening to phone calls was as easy as splicing two wires together. Is that old system secure?

The biggest threat to enterprises that use VoIP is having vulnerable VoIP equipment sitting outside the network or having phone equipment directly accessible from outside. As a general rule, one should never allow any packet from the outside world to reach an internal device directly. This is precisely why devices like Session Border Controllers exist. Those devices can serve as a barrier to the outside world. In addition to using such devices, a security-conscious person would also take steps to prevent packets from arriving at that device, unless they are coming from a trusted source (i.e., the service provider). Yes, that is right: you should only allow calls to arrive from your trusted service provider, just as phone calls arrive today through your trusted service provider.
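The two rules in the paragraph above can be checked against observed traffic. The following is an added example, not part of the original article: it audits flow records for outside packets that reach an internal device directly or reach the Session Border Controller from anyone but the provider. All addresses, names and sample records are constructed assumptions using documentation ranges.

```python
import ipaddress

# Constructed addressing for illustration (documentation ranges, not from the article).
ENTERPRISE = [ipaddress.ip_network("10.0.0.0/8"),      # internal LAN (phones, PCs)
              ipaddress.ip_network("192.0.2.0/24")]    # DMZ holding the SBC
SBC = ipaddress.ip_address("192.0.2.10")               # Session Border Controller
TRUSTED = [ipaddress.ip_network("198.51.100.0/28")]    # service provider's range

def in_any(addr, nets):
    return any(addr in n for n in nets)

def classify(src, dst):
    """Apply the paragraph's two rules to one observed flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_any(s, ENTERPRISE) or not in_any(d, ENTERPRISE):
        return "not-inbound"                 # only outside -> inside flows are audited
    if d != SBC:
        return "direct-to-internal"          # packet bypassed the border controller
    if not in_any(s, TRUSTED):
        return "untrusted-source-at-sbc"     # SBC reached by someone other than the provider
    return "ok"

def audit(lines):
    """Return (record_no, verdict, record) for each flow that breaks a rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 2:
            continue                         # skip blank or malformed records
        try:
            verdict = classify(parts[0], parts[1])
        except ValueError:
            verdict = "unparseable-address"  # surface bad data instead of hiding it
        if verdict not in ("ok", "not-inbound"):
            findings.append((n, verdict, line))
    return findings

# Constructed sample flow records in "src dst" form.
SAMPLE = [
    "198.51.100.5 192.0.2.10",   # provider -> SBC
    "203.0.113.77 192.0.2.10",   # unknown host -> SBC
    "203.0.113.77 10.1.4.20",    # unknown host -> IP phone
    "198.51.100.5 10.1.4.20",    # provider -> IP phone, skipping the SBC
    "10.1.4.20 192.0.2.10",      # phone -> SBC (internal traffic)
]

if __name__ == "__main__":
    for n, verdict, line in audit(SAMPLE):
        print(f"record {n}: {verdict}: {line}")
```

Any finding means the perimeter filter is letting through traffic that the rule says should have been dropped before it reached the device.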

Securing the internal network is also important. There are a number of things that can and should be done to provide security. To be most secure, a separate cable would be used to connect the IP phones together, physically separating less secure devices like the PC. However, physical separation means higher cost. As an alternative, your VoIP equipment should utilize VLAN technology, which has a means of providing secure admission to the network. This logical separation will thwart most attacks on a VoIP network.

When it comes to VoIP security, the same rules apply as to any other kind of service on the network. It is not that VoIP is any less secure, but simply that voice systems are generally considered more business-critical and an attack may have a more direct business impact. As such, extra care should be taken to ensure that systems are not exposed. Reasonable security is possible today, while technology improvements for wider, general deployment (i.e., connecting your enterprise voice network to the public Internet) are still under development.