How VPNs could help secure VoIP

VPNs could be a way around some problems that arise with VoIP.

During a session at last week’s Spring 2006 VON conference, one speaker advocated using VPNs to encrypt VoIP packets as they pass from site to site in a business network.

He encouraged using encryption, just not the encryption supplied by VoIP equipment vendors. The reason he gave was that encryption performed by the VoIP gear itself denies other network devices such as traffic shapers and bandwidth managers from seeing exactly what’s in the packet.

In the event that a Trojan managed to take advantage of the VoIP gear and started sending data, for example, via the VoIP gear, intrusion detection systems would have no way to determine the traffic should be shut down. Disguised as encrypted VoIP packets, the unauthorized packets would be indistinguishable from actual VoIP packets and impossible to stop.

But if the traffic is unencrypted until it gets to a VPN concentrator, then it can be filtered by traffic shapers and intrusion detection gear before it is encrypted into a VPN tunnel.

A questioner pointed out that some businesses want to encrypt VoIP right on the LAN to prevent malicious behavior by company employees. How would the VPN solution deal with that?

The answer they both agreed on is that you currently can’t do both, so in practice, each business will have to determine which is more important, blocking internal hacking on VoIP or making sure VoIP is subject to filters before it starts its way onto the WAN.