Voice over IP (VoIP) is rapidly becoming a pervasive technology as businesses embrace cost savings on calls whilst enjoying advanced communications applications sitting within the network. IDC believes 10% of all traffic is already transmitted with VoIP technology, and that the proliferation will continue, with InStat/MDR estimating the roll out of IP phones topping seven million by 2007. Whilst such numbers are encouraging and developments continue to unfurl the possibilities of VoIP, it is still important to realise that alongside the challenges of achieving PBX quality voice and meeting interoperability issues, there are growing concerns over securing IP calls.

Though the modern business world is becoming ever more data-centric, voice still reigns as king. If you want to create a client relationship, secure a business deal or safely discuss sensitive information your voice is your greatest tool. Voice over IP can, however, run foul of traditional security challenges that beset modern data communications, including address spoofing used to hijack a phone number, or Denial of Service (DoS) attacks (which is possible due to a shortcoming of TCP/IP during the establishing of a connection). Deploying a firewall will counter such traditional assaults, but does little to counter the more targeted attacks from sniffers and eavesdroppers.

Eavesdroppers can easily access software designed to convert misconfigured IP phone conversations into wave files for playback on ordinary sound players. To counteract such sniffer activities and secure voice calls, businesses need to seriously consider encrypting voice. One possibility is to do this via a virtual private network (VPN) tunnel, either using AES or DES (Data Encryption Standard) for the encryption the signaling and streaming components of a VoIP call. A second option is to use secure real time protocol (SRTP) for encrypting the streaming part of the VoIP call.


However, securing voice traffic raises new challenges for the technology as voice packets need to be submitted to encryption and traverse the firewall without suffering undue latency. Slowing of transmission, short breaks or interuptions in data communication is generally not going to be too noticable, but when it comes to voice the quality of service (QoS) is absolutely critical. As conversationalists we are highly conscious of correct audio, so latency issues causing breaks in speech therefore become rapidly tiresome.

For this reason, any business seeking to address the security of its voice calls over the Internet needs to ensure that any system deployed, as well as providing the aforementioned levels of encryption, also needs to address the demands of traffic management to ensure quality of service. This is especially important because voice packets are sent using the user datagram protocol (UDP) which offers no guarantee of delivery.