VoIP leap
 
So you've taken the VoIP leap. But one thing nags at you: How confidential are your business phone conversations? If an Ethernet network analyzer, free for the download, can sift out SIP and UDP packets, couldn't it sift out a whole RTP stream and play back your voice traffic?

Anyone alarmed by this question must take a deep breath and examine the status quo pre-VoIP. The fact is, the traditional PSTN environment hasn't been all that "secure."

Consider a moderately sophisticated intruder whose repairman's uniform and toolbox get him into the telephone closet: If he gains entry, he can install a wiretap on an enterprise PBX with a punch block tool and two alligator clips from Radio Shack. Our saboteur doesn't even need to get inside: Traditional CO lines are very easy to tap, as the point of demarcation is usually outside the building or easily accessed on a telephone pole.

A good look at TDM security tells us that if most companies don't suffer from illegal wiretapping, it's simply because they don't have the requisite enemies, or because their business conversations ("with or without mushrooms?") aren't the stuff of industrial espionage.

Some organizations that do have cause to worry have restricted wireless extensions to their PBXs, or have ruled out wireless LAN technology out of concern for security breaches. Very few corporations, however, use any kind of encryption technology on their wired, TDM voice conversations. Consider, too, that unencrypted email flows between corporations, vendors and customers with no particular security in place. While it is not quite as easy as attaching alligator clips, hackers can "spoof" DNS and mail servers to hijack incoming email for nearly undetectable eavesdropping.

All conversations coming through the company PBX leave a record, if not a recording. Anyone who reviews a departmental phone bill will be able to note communications with certain companies. These vulnerabilities are the reason why CEOs still get on airplanes and meet face-to-face for the most sensitive high-level corporate meetings.

Piggybacking Network Security

The current thinking in the VoIP marketplace is that the voice application simply leverages the current data network security, which relies on a combination of firewalls, virtual private network (VPN) technology, and in some cases intrusion-detection systems (IDS). For most organizations, this provides reasonable security for all their communications applications, making access to their systems and communications difficult enough to ward off all but the most determined saboteur.

Recognize, too, that voice security is not about achieving absolute impregnability; it's a continuum of cost and complexity versus risk.

A vulnerability that's perfectly acceptable to a local florist shop, say, might be disastrous to a law firm or a hospital. So the first step of any VoIP security assessment is deciding, within industry norms, how much security is necessary.

One of the unrecognized advantages of VoIP communications is that an installation's security can be scaled to match the user's needs. This might include, for example, log-on authorization on individual IP phones, a level of security previously required only in call centers.

Similarly, Secure Sockets Layer (SSL) encryption and VPN tunneling restrict access to the IP PBX to authorized remote workers. VoIP, in fact, is seen as a great prize for VPN client/server technology to add alongside email access, as it securely extends calling features and dialtone to remote (and often mobile) IP extensions. A range of vendors make VPN gateways, which sit in the corporate DMZ and allow access from client VPN software on a laptop.

The client VPN software, on its end, encrypts data, voice and signaling packets for "tunneled" passage through the open Internet to the private corporate network. Once there, the VPN gateway decrypts the packets.

Thus the VPN can secure all applications, from email and database software to voice. VoIP-optimized firewalls are now available with SIP and H.323 intelligence, letting RTP streams and call-control signaling through with acceptable performance for voice applications.
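As an added illustration (not part of the original article), here is one way to check that voice really is staying inside the tunnel described above: on the untrusted side of the VPN gateway every payload should be opaque, so a cleartext SIP start line or a run of in-sequence RTP headers means a call is bypassing the VPN. The function names, flow labels and sample packets are constructed for this example, and the check recognizes RTP framing only; it does not judge whether the audio payload itself is encrypted.

```python
import struct
from collections import defaultdict

SIP_STARTS = (b"INVITE ", b"REGISTER ", b"ACK ", b"BYE ", b"CANCEL ",
              b"OPTIONS ", b"SIP/2.0 ")

def parse_rtp(payload):
    """Return (ssrc, seq) if the bytes form a plausible RTP version 2 header."""
    if len(payload) < 12:
        return None
    b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2 or 72 <= (b1 & 0x7F) <= 76:  # wrong version / RTCP range
        return None
    return ssrc, seq

def audit(datagrams, min_run=3):
    """Flag flows carrying cleartext SIP or a run of in-sequence RTP packets."""
    findings = {}
    runs = defaultdict(lambda: [None, 0])  # (flow, ssrc) -> [last_seq, run]
    for flow, payload in datagrams:
        if payload.startswith(SIP_STARTS):
            findings[flow] = "cleartext SIP"
            continue
        hdr = parse_rtp(payload)
        if hdr is None:
            continue
        ssrc, seq = hdr
        state = runs[(flow, ssrc)]
        # A lone look-alike header proves nothing; require an in-sequence run.
        in_order = state[0] is not None and seq == (state[0] + 1) & 0xFFFF
        state[1] = state[1] + 1 if in_order else 1
        state[0] = seq
        if state[1] >= min_run:
            findings.setdefault(flow, "cleartext RTP")
    return findings

def make_rtp(seq, ssrc=0x1234ABCD):
    # Constructed packet: RTP v2, payload type 0, 160 bytes of filler audio.
    return struct.pack("!BBHII", 0x80, 0, seq, seq * 160, ssrc) + b"\xff" * 160

# Constructed sample capture: (flow label, UDP payload). Labels are made up.
SAMPLE = (
    [("phone->pbx rtp", make_rtp(s)) for s in (100, 101, 102, 103)]
    + [("phone->pbx sip", b"INVITE sip:bob@example.com SIP/2.0\r\n")]
    # Opaque tunnel payloads whose first byte merely resembles RTP v2.
    + [("laptop->vpn-gw", bytes([0x9C, 0x41, i, 0x77]) * 10) for i in range(4)]
)

print(audit(SAMPLE))
```

The tunneled flow is deliberately built so that each packet passes the single-header test; it stays unflagged because its sequence numbers and SSRC values never line up across packets.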

The Future for VoIP Security

Two major types of stakeholders - governments and cable telephony operators - are currently spearheading development in additional VoIP security.

Governments' special concern is fairly obvious and focused on military and other governmental applications, which will require end-to-end voice encryption over wired and wireless IP phones. The other major players, cable ITSPs, are motivated by a special vulnerability to eavesdropping, since their cable infrastructure is inherently multi-drop.

Part of their effort is now focussed on VPN gateway technology. While VPN gateways securely admit remote users to corporate networks and are used to gain access to a corporate IP PBX, their encryption function does add more latency to voice conversations. What the market has seen, therefore, is a push by CableLabs, the R&D consortium of cable operators, and by governments, to further enhance VPN technology to better serve VoIP traffic.

One solution, now under development, involves embedding the VPN technology onto the gateways and IP telephone instruments themselves. In this configuration, voice data can be both encrypted and packetized in one simultaneous process. This will reduce the complexity of remote office installations and improve security for all enterprise deployments.

Encryption technology will, of course, drive up the cost of gateways and phones, due to added software complexity and computing resources required of the algorithms. Despite this, cable operators and government agencies will continue to demand this technology on gateways and on wired and wireless handset devices as well, securing speech from endpoint to endpoint.

As these features develop and move, "swords to plowshares," from government/military use into enterprise VoIP components, we see encryption appearing on gateways and even IP phones by 2005-2006.

Recommendations

As a decision-maker in deploying VoIP in your enterprise, how should you start to address the security aspect?



First, identify the needs of your organization for voice security. Be realistic. Examine your cost/risk reduction ratio.


Second, examine your existing data network infrastructure and look for optimizations for VoIP. Software and hardware options may be available to optimize performance and provide an appropriate level of security for your organization. One common example: Upgrading routers from Layer 2 to Layer 3 to isolate voice traffic on a virtual LAN.


Lastly, if your organization needs additional security capabilities, keep an eye on the equipment vendors for enhanced security features as the standards bodies begin to agree on encryption and authentication protocols and related algorithms.

Don't let nay-sayers scare you. VoIP has won its way into the enterprise by opening up many innovative ways to improve communications, increase productivity and reduce costs. It has proven itself within the limits of established good network security practices that most enterprises follow today. If you enhance your network to further VoIP security, you will have added a level of protection to all your enterprise's applications in the bargain.

Alan Percy is Director of Software Partner Business Development for Audiocodes in San Jose, CA.




 


Copyright ©2002-2010 NetPicker Commerce. All Rights Reserved