VoIP Providers List Worldwide VoIP Providers Directory

There's no such thing as a bulletproof VoIP system, but there are things you can do to make your setup more secure.

At its heart, a VoIP system is a data network. This means VoIP deployments are vulnerable to the same internal and external threats that plague any enterprise data local area network (LAN) or wide area network (WAN).

Enterprises pondering voice over Internet protocol (VoIP) primarily focus on the technology's cost benefits. Yet, in their zeal to converge voice and data networks and shave telephony costs, many organizations are failing to adequately consider VoIP's single drawback: security.

Like Seinfeld's George Costanza and the cashmere sweater with the little red dot, most VoIP supporters would prefer to ignore the ugly defect that mars their otherwise stainless technology. Unfortunately, VoIP's little red dot has the potential to cripple enterprise VoIP systems. Worse yet, VoIP's security gaps threaten to wreck havoc in several different, often insidious ways.

In-Stat, a US technology research firm, predicts that the number of business IP phones sold will grow from 9.9 million in 2006 to 45.8 million in 2010. Yet, the company ominously notes that over 40 percent of the enterprises it surveyed don't have any specific plans for securing their VoIP deployments. Additionally, when asked to rate their VoIP security knowledge, most enterprise managers In-Stat contacted characterized themselves as being "somewhat knowledgeable," the lowest rating the survey offered.

Locking Down Your System

There's no such thing as a bulletproof VoIP implementation, but there are a handful of fundamental steps you can take today to ensure that your system, or the systems that you're planning, will be highly secure.

According to network vendor Cisco, preventing unauthorized access to the network is a smart first step in a voice security program. For an additional layer of protection, in case somebody does gain unauthorized access, organizations can also encrypt voice traffic. Voice and video-enabled VPN (V3PN) technology, available in many routers and security appliances, encrypts voice as well as data traffic using IP Security (IPsec) or Advanced Encryption Standard (AES). Encryption is performed in hardware so that firewall performance is not affected.

Many security experts also recommend limiting VoIP data to a single virtual local area network (VLAN). A VLAN will keep voice network traffic hidden from data network users, providing an additional layer of security. The technique can also limit the scope of damage to the VLAN in the event of an attack. An additional side benefit is that a VLAN help prioritize VoIP data over other types of network traffic.

When creating the VLAN, be sure to place its equipment behind separate firewalls. This practice will restrict traffic crossing VLAN boundaries to applicable protocols and prevent viruses and other kinds of malware from spreading from clients to servers. When looking for firewall technology, be sure to examine products that support both leading standards: Session Initiation Protocol (SIP) and the International Telecommunication Union's H.323 protocol.

Data and Physical Security

By now, just about everybody is aware of the need for packet data encryption to safeguard VoIP transmissions. Yet call signaling encryption is important as well to prevent hackers from misdirecting or otherwise interfering with call traffic.

To install multiple encryption layers, turn to Transport Level Security (TLS), which encrypts the entire call process. The Secure Real Time Protocol (SRTP) is useful as well for encrypting communication between endpoints.

A secure gateway, properly configured, is a VoIP system's cornerstone. The gateway will limit system access to authenticated and approved users while keeping hackers safely on the outside. Gateways themselves, as well as the networks that lie behind them, can be protected through the use of a stateful package inspection (SPI) firewall and network address translation (NAT) tools.

Eternal Vigilence

VoIP security requires constant vigilance. This means monitoring the network for suspicious activities, as well as maintaining the operating system and VoIP applications. Be sure to install updates, particularly security patches, as soon as they become available. Consider using an operating system that has been "hardened" to deflect hacker attacks. It's also important to disable non-essential operating and application services, since hacker can exploit these pathways to enter your system.

Ethernet ports are also prime hacker entry points. You can help keep the bad guys out of your network by using management tools that limit access to authenticated and pre-approved users and devices. You may also want to bar softphones from your system, since these products are vulnerable to malware and can also be imitate IP and MAC addresses when linked into the network via an RJ44 port.

Building redundancy into a VoIP system can help it better withstand hacker attacks as well as equipment failure. Multiple gateways, nodes, routers, servers and power supplies make a system more resilient and reliable.

Final Point

The good news is that VoIP threats are still a largely theoretical issue. So far, few enterprise VoIP networks have experienced anything close to a serious hacker attack. But complacency shouldn't lull enterprise VoIP adopters into a false sense of security. Enterprises should strive to follow security best practices and demand that VoIP technology vendors build adequate safeguards into their products. Doing anything less is to court disaster.

By John Edwards