
Common sense about VoIP conversation security

Sep 22, 2004 · 2 mins

* What to worry about - and what not to - when it comes to VoIP security

As we’ve already discussed, the most impressive finding in the soon-to-be-released 2004 Webtorials VoIP Report is that security concerns have leapfrogged other factors – even budgetary issues – to become the primary impediment to deployment. As it turns out, concerns about security of the infrastructure outweigh concerns about conversation content. Nevertheless, there is considerable concern about conversations being intercepted as well.

We find this to be most curious. Exactly how much security is needed for ordering a pizza – even if you have to give a credit card number? During a recent briefing, a network security vendor told us, “Everybody knows that it’s easier to intercept a call with VoIP than with traditional telephony.” This is simply not true.

Intercepting a call in the public switched telephone network (PSTN) is a piece of cake. You can even buy an analog “butt set” at your friendly local hardware store. Digital signals are in decades-old TDM formats. And encrypting conversations end-to-end takes special equipment.

Let’s contrast this with VoIP conversations. You have to somehow tap the information in a data format. Then you have to pick it out of a packet stream rather than a TDM format. Then you have to determine which coding algorithm is used. And many programs – even free programs and services like Skype – encrypt conversations.

While we can never tell you not to be concerned about security – that’s a decision you must make for yourself – we do urge you to consider the following:

1) The least secure portion of a VoIP (or traditional) conversation is the truly “wireless” portion. No, we’re not talking about cell phones or WLAN. We’re talking about the part of the conversation going through the air from your mouth to the mouthpiece. People get excited about encryption – then they sit on a crowded plane and discuss business deals.

2) It’s true that protecting the VoIP infrastructure is a major issue. So make sure you put your efforts where the biggest risk is. Protect the equipment and the integrated applications. Protect the signaling path.

3) Is there possibly too much security available? Does the ease of encrypting VoIP conversation content actually cause more problems than it solves by making it even more difficult for legitimate law enforcement organizations to monitor illegal activities?

We would love to hear your experiences and attitudes on this.