Stolen Voices - The Challenge of Securing VoIP
by John Porter - Marketing Director, Eicon Networks Ltd. - Monday, 4 April 2005.
Voice over IP (VoIP) is rapidly becoming a pervasive technology as businesses embrace cost savings on calls whilst enjoying advanced communications applications sitting within the network. IDC believes 10% of all traffic is already transmitted with VoIP technology, and that the proliferation will continue, with InStat/MDR estimating the roll out of IP phones topping seven million by 2007. Whilst such numbers are encouraging and developments continue to unfurl the possibilities of VoIP, it is still important to realise that alongside the challenges of achieving PBX quality voice and meeting interoperability issues, there are growing concerns over securing IP calls.

Though the modern business world is becoming ever more data-centric, voice still reigns as king. If you want to create a client relationship, secure a business deal or safely discuss sensitive information your voice is your greatest tool. Voice over IP can, however, run foul of traditional security challenges that beset modern data communications, including address spoofing used to hijack a phone number, or Denial of Service (DoS) attacks (which is possible due to a shortcoming of TCP/IP during the establishing of a connection). Deploying a firewall will counter such traditional assaults, but does little to counter the more targeted attacks from sniffers and eavesdroppers.

Eavesdroppers can easily access software designed to convert misconfigured IP phone conversations into wave files for playback on ordinary sound players. To counteract such sniffer activities and secure voice calls, businesses need to seriously consider encrypting voice. One possibility is to do this via a virtual private network (VPN) tunnel, either using AES or DES (Data Encryption Standard) for the encryption the signaling and streaming components of a VoIP call. A second option is to use secure real time protocol (SRTP) for encrypting the streaming part of the VoIP call.

However, securing voice traffic raises new challenges for the technology as voice packets need to be submitted to encryption and traverse the firewall without suffering undue latency. Slowing of transmission, short breaks or interuptions in data communication is generally not going to be too noticable, but when it comes to voice the quality of service (QoS) is absolutely critical. As conversationalists we are highly conscious of correct audio, so latency issues causing breaks in speech therefore become rapidly tiresome.

For this reason, any business seeking to address the security of its voice calls over the Internet needs to ensure that any system deployed, as well as providing the aforementioned levels of encryption, also needs to address the demands of traffic management to ensure quality of service. This is especially important because voice packets are sent using the user datagram protocol (UDP) which offers no guarantee of delivery.

One essential element in managing traffic while ensuring security is the traversal of the network address translation device (NAT) and of the firewall. NAT helps to ensure security since each outgoing or incoming request for an Internet Protocol address must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request.

For that reason, businesses seeking to deploy a Voice over IP infrastructure must therefore ensure proper traversal of both NAT and Firewall, which can be accomplished by either integrating an application level gateway (ALG) or by using STUN, enabling the Simple Traversal of UDP through the NAT.


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th