A Guide to Understanding the VoIP Security Threat
Note: VN has a good article about VoIP Security threats and what to make of them.
"At its heart, a VoIP system is a data network. This means VoIP deployments are vulnerable to the same internal and external threats that plague any enterprise data local area network (LAN) or wide area network (WAN).
Enterprises pondering voice over Internet protocol (VoIP) primarily focus on the technology's cost benefits. Yet, in their zeal to converge voice and data networks and shave telephony costs, many organizations are failing to adequately consider VoIP's single drawback: security.
In-Stat, a US technology research firm, predicts that the number of business IP phones sold will grow from 9.9 million in 2006 to 45.8 million in 2010. Yet, the company ominously notes that over 40 percent of the enterprises it surveyed don't have any specific plans for securing their VoIP deployments. Additionally, when asked to rate their VoIP security knowledge, most enterprise managers In-Stat contacted characterized themselves as being "somewhat knowledgeable," the lowest rating the survey offered.
Locking Down Your System
There's no such thing as a bulletproof VoIP implementation, but there are a handful of fundamental steps you can take today to ensure that your system, or the systems that you're planning, will be highly secure.
According to network vendor Cisco, preventing unauthorized access to the network is a smart first step in a voice security program. For an additional layer of protection, in case somebody does gain unauthorized access, organizations can also encrypt voice traffic. Voice and video-enabled VPN (V3PN) technology, available in many routers and security appliances, encrypts voice as well as data traffic using IP Security (IPsec) or Advanced Encryption Standard (AES). Encryption is performed in hardware so that firewall performance is not affected.
Many security experts also recommend limiting VoIP data to a single virtual local area network (VLAN). A VLAN will keep voice network traffic hidden from data network users, providing an additional layer of security. The technique can also limit the scope of damage to the VLAN in the event of an attack. An additional side benefit is that a VLAN helps prioritize VoIP data over other types of network traffic.
When creating the VLAN, be sure to place its equipment behind separate firewalls. This practice will restrict traffic crossing VLAN boundaries to applicable protocols and prevent viruses and other kinds of malware from spreading from clients to servers. When looking for firewall technology, be sure to examine products that support both leading standards: Session Initiation Protocol (SIP) and the International Telecommunication Union's H.323 protocol.
Data and Physical Security
To install multiple encryption layers, turn to Transport Level Security (TLS), which encrypts the entire call process. The Secure Real Time Protocol (SRTP) is useful as well for encrypting communication between endpoints.
A secure gateway, properly configured, is a VoIP system's cornerstone. The gateway will limit system access to authenticated and approved users while keeping hackers safely on the outside. Gateways themselves, as well as the networks that lie behind them, can be protected through the use of a stateful packet inspection (SPI) firewall and network address translation (NAT) tools.
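The layered encryption described under "Data and Physical Security" can be checked per call. The following is an added example, not part of the quoted article: it audits a SIP INVITE for TLS signaling and SRTP media, and flags an SRTP key (SDP a=crypto) sent over signaling that is not TLS. The function names, messages, addresses and key placeholder are constructed for illustration, and only SDES-keyed SRTP profiles are judged.

```python
import re

PLAIN = {"RTP/AVP", "RTP/AVPF"}    # unencrypted RTP profiles
SDES = {"RTP/SAVP", "RTP/SAVPF"}   # SRTP profiles keyed through a=crypto in the SDP

def audit_invite(message):
    """Return a list of findings for one SIP INVITE with an SDP body."""
    head, _, sdp = message.partition("\r\n\r\n")
    findings = []
    # Signaling layer: the topmost Via header names the transport in use.
    via = re.search(r"(?im)^(?:via|v)\s*:\s*SIP/2\.0/(\w+)", head)
    transport = via.group(1).upper() if via else "UNKNOWN"
    tls = transport == "TLS"
    if not tls:
        findings.append(f"signaling: {transport} transport, not TLS")
    # Media layer: one SDP section per m= line; other profiles are not judged.
    for sec in re.split(r"(?m)^(?=m=)", sdp)[1:]:
        kind, _port, proto = sec.split("\r\n")[0][2:].split()[:3]
        has_key = re.search(r"(?m)^a=crypto:", sec) is not None
        if proto in PLAIN:
            findings.append(f"media: {kind} uses {proto}, unencrypted RTP")
        elif proto in SDES and not has_key:
            findings.append(f"media: {kind} offers {proto} without a=crypto")
        elif proto in SDES and not tls:
            # The SRTP master key travels in the SDP, so cleartext signaling leaks it.
            findings.append(f"media: {kind} SRTP key exposed, a=crypto sent without TLS")
    return findings

def sample_invite(transport, proto, crypto=False):
    """Build a constructed INVITE (documentation addresses, not captured traffic)."""
    sdp = ["v=0", "o=alice 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
           "t=0 0", f"m=audio 49170 {proto} 0"]
    if crypto:  # placeholder string, not real key material
        sdp.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_AND_SALT")
    head = ["INVITE sip:bob@example.com SIP/2.0",
            f"Via: SIP/2.0/{transport} 192.0.2.10;branch=z9hG4bKexample",
            "Content-Type: application/sdp"]
    return "\r\n".join(head) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"

if __name__ == "__main__":
    cases = [("UDP", "RTP/AVP"), ("UDP", "RTP/SAVP", True), ("TLS", "RTP/SAVP", True)]
    for args in cases:
        print(args, audit_invite(sample_invite(*args)) or "ok")
```

The second case is the one to watch for in practice: the media is encrypted, but anyone who can read the signaling can read the key.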