InStat/MDR estimates the roll out of IP phones topping seven million by 2007. Whilst such numbers are encouraging and developments continue to unfurl the possibilities of VoIP, it is still important to realize that alongside the challenges of achieving PBX quality voice and meeting interoperability issues, there are growing concerns over securing IP calls.
Though the modern business world is becoming ever more data-centric, voice still reigns as king. If you want to create a client relationship, secure a business deal or safely discuss sensitive information your voice is your greatest tool.
Voice over IP can, however, run foul of traditional security challenges that beset modern data communications, including address spoofing used to hijack a phone number, or Denial of Service (DoS) attacks (which is possible due to a shortcoming of TCP/IP during the establishing of a connection). Deploying a firewall will counter such traditional assaults, but does little to counter the more targeted attacks from sniffers and eavesdroppers.
Eavesdroppers can easily access software designed to convert misconfigured IP phone conversations into wave files for playback on ordinary sound players. To counteract such sniffer activities and secure voice calls, businesses need to seriously consider encrypting voice. One possibility is to do this via a virtual private network (VPN) tunnel, either using AES or DES (Data Encryption Standard) for the encryption the signaling and streaming components of a VoIP call. A second option is to use secure real time protocol (SRTP) for encrypting the streaming part of the VoIP call.
However, securing voice traffic raises new challenges for the technology as voice packets need to be submitted to encryption and traverse the firewall without suffering undue latency. Slowing of transmission, short breaks or interuptions in data communication is generally not going to be too noticable, but when it comes to voice the quality of service (QoS) is absolutely critical. As conversationalists we are highly conscious of correct audio, so latency issues causing breaks in speech therefore become rapidly tiresome.
For this reason, any business seeking to address the security of its voice calls over the Internet needs to ensure that any system deployed, as well as providing the aforementioned levels of encryption, also needs to address the demands of traffic management to ensure quality of service. This is especially important because voice packets are sent using the user datagram protocol (UDP) which offers no guarantee of delivery.
One essential element in managing traffic while ensuring security is the traversal of the network address translation device (NAT) and of the firewall. NAT helps to ensure security since each outgoing or incoming request for an Internet Protocol address must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request.
For that reason, businesses seeking to deploy a Voice over IP infrastructure must ensure proper traversal of both NAT and firewall, which can be accomplished by either integrating an application level gateway (ALG) or by using STUN, enabling the Simple Traversal of UDP through the NAT.
Though securing VoIP calls brings with it a set of new and often unique challenges, businesses should give as much serious consideration to securing their voice traffic as they do to their data today.
Voice traffic will always account for a considerable portion of a business' communication, and as systems transfer from the traditional PBX to the Internet voice will increasingly become an attractive commodity for interception by third parties.
Whether malicious in the form of eavesdroppers and spoofers or simply distracting in the shape of unwanted content such as voice spam, the damage to a business whether financially or to its reputation could be devastating, so now is the time to be aware and seek a proactive solution – don't let them steal your voice.
John Porter is director of marketing, Eicon Networks Ltd.
Eicon will be exhibiting atthe Infosecurity Europe 2005 show in London, April 26-28.