Converged voice and data communications can be more secure than traditional telephone calls. Here's how to ensure yours are.

By Gail Meredith Otteson

Millions of telephone conversations around the world take place every day over the traditional public switched telephone network (PSTN). "People tend to trust the PSTN," says Irwin Lazar, senior analyst at Burton Group. "But they have a false sense of security from a privacy standpoint." The PSTN has been the target of security breaches since its earliest days, when people spoke in code to deter eavesdroppers on party lines shared by several subscribers. Despite advances in service, tapping into phone calls remains simple; thousands of Websites offer advice and tools to those interested in doing so.

If the PSTN is so insecure, why is there greater concern about calls that use voice over IP (VoIP) technology? "People fall victim to scare tactics about IP voice security," says Patrick Tredway, senior voice architect at ABS Technology Architects, a Cisco SMB Select Partner with specializations in IP communications, wireless LANs, and VPN security. However, "Voice is the most important and sensitive application on the network, so you do need to take precautions," he says.

Proactive Protection

SMBs that employ integrated network-security best practices can cost-effectively use their IP network in securing IP voice services. Lazar says, "A good IP phone system has built-in security features. All you have to do is turn them on." To save money and protect your company's network assets, the best practice is to secure your voice system during deployment. Expect to see less than a 10% increase in your security budget to extend security technology and monitoring tasks to the IP communications system, according to Lazar.

The time required to deploy a secure voice communications system on your existing IP network could be a few weeks or several months, depending on:

Security Policy

Effective security begins with developing and then implementing and enforcing a written security policy. This best practice forces you to assess your IT infrastructure and decide what actions to take to mitigate risks and eliminate vulnerabilities. The security policy should address four areas to secure IP voice traffic and applications:

Network Infrastructure Security

You may already own many of the required security technologies because they're embedded into your routers and switches. "There isn't a separate infrastructure for protecting VoIP installations," Lazar says. "Treat VoIP applications the same as any other application: Lock down servers and protect against unwanted access using intrusion detection and firewalls."

Basic voice security starts with an architecture that logically separates voice and data traffic using virtual LAN (VLAN) technology on your own network. This simple step makes voice streams invisible to hackers who may penetrate the private data network. Securing voice traffic across a public network (such as the Internet) requires VPN technology to encrypt voice traffic and hide voice packets inside a software tunnel.

Call Management Security

Like a private branch exchange (PBX) or key system, a call-management server initiates call signals to establish active connections and stores data about every phone number, such as who owns it and its features and privileges. Protection of the call-management server begins with host-based antivirus and anomaly detection software. A call-management server with embedded encryption capabilities can encode call-signaling protocols to prevent hackers from detecting call setup information and impersonating the identification of users or devices.

Applications Security

Voice applications, such as voice-mail services, call center managers, and audio/videoconferencing, are susceptible to the same attacks as data application servers and databases. Protecting them is also similar:

Endpoint Security

IP phones are more secure than standard cellular phones. IP phones and other IP communications endpoints, such as videophones and PC-based softphones, can encrypt traffic with other endpoints during calls. Even some consumer VoIP services, such as Skype, offer a version of call encryption. Businesses that handle highly sensitive or confidential information can also invest in digital certificates and user authentication systems to guarantee caller identity and prevent fraud. Centralized management systems can detect rogue phones or unauthorized detection and collection devices, and shut down network access to unauthorized endpoints.

IP Voice Security Checklist

Consider these best practices for success.

Write a security policy.
Make sure your policy covers the entire IT infrastructure, including all IP-based communications, such as:
Work with your reseller to confirm that your network is VoIP-ready.
Secure the network infrastructure.
Secure call management.
Secure the applications.
Secure the endpoints.
Stop denial-of-service attacks.
Work with your service provider to identify these and stop them from hampering your network.
Stay vigilant.

The Cisco Voice Security Primer presents an overview of voice security risks and solutions.

About the Author

Gail Meredith Otteson is a freelance writer based in Northern California.

iQ Magazine, Third Quarter 2006
