The security pitfalls of VoIP

Economics has gone to people's heads - again.

"Arrests Indicate Vulnerability of Web Phone Service to Fraud" blared a recent Wall Street Journal headline, though I doubt any readers thought broadband VoIP was invulnerable to hacking.

A few pages later, "Who's Watching Internet-Phone Services?" decried that US state and federal agencies regulating traditional telephony are largely hands-off with Internet telephony. So, while VoIP technology has proven ready for prime time, our attention needs to turn to security and management.

Such is the momentum behind VoIP - largely fuelled by almost irresistible economics - that security concerns, once paramount, are often left by the wayside. I spoke during a seminar tour a few years back on the topic of implementing VoIP in the enterprise, and security was always a focus of the question-and-answer sessions.

One network manager was so concerned about VoIP conversations being easily captured at any point on the network between the participants that he predicted his company would not use VoIP unless every conversation was encrypted.

While traffic between corporate sites is transmitted through secure VPN tunnels, intrasite traffic is handled differently. Because of the complexity and overhead of running VPN tunnels, they are rarely implemented in-building. Not only do tunnels have to be defined between each communicating pair, but the crypto functions also demand CPU resources, which could degrade your PC's performance.

In 2000, 3Com released a 10/100Mbps secure network interface card (NIC) that had a coprocessor to handle the encryption and decryption needed for IPSec VPN tunnel processing. Even though its market research probably showed that users wanted it, they really didn't. It never made the leap to gigabit, and the notion of many-to-many VPN tunnels went off into oblivion. (You can still buy that 3Com NIC for $100 if you want to try it.)

So, your on-campus voice isn't secure and can be compromised relatively easily by anyone with access to your switching infrastructure.

I can imagine the conversation between the exec and the tech: Q: "Is our VoIP secure?" A: "Yes, it is on a separate virtual LAN." The exec gives an appropriate harrumph - not having a clue what a VLAN is - and walks away satisfied. There is, of course, nothing inherently secure about a VLAN. It is simply a separate broadcast domain. No encryption equals no security.

Apart from the security of your own VoIP traffic, you need to be concerned whether your networking resources are being used without your knowledge or permission to route other people's VoIP traffic. The fraud alluded to in that Wall Street Journal headline involved such a situation.

In this case, a small Miami-based telecom company hacked into the networks of "as many as 15 other Internet phone providers to fraudulently route customers' calls . . ." through those networks. If the VoIP vendors themselves can be hacked by what is described as about a two-man operation, what does that mean for overall VoIP security? How do you know the next hacker won't try to use your corporate IP network the same way?

If your VoIP has not been compromised, consider yourself lucky - not safe. A prudent network manager will note that with the explosion in VoIP usage across the corporate and consumer landscape, every network and every conversation is at risk.




Techworld UK - Technology - Business
