How to assure VoIP security

7:00pm EDT December 31, 2006

Are Voice-over-Internet phones ‘safer’ than land lines?

As the quality of Voice over Internet Protocol (VoIP) telephone systems improves to more closely match the sound of the land-line-based telephone system, more attention is being given to security questions.

VoIP systems are vulnerable to many of the same impersonation-based attacks that “phreakers” or hackers attempt against traditional telephone and cellular services. Their goals may range from harmless curiosity to identity theft, information theft and toll fraud. Those exploiting the system for illegal and unethical gain are picking up new ways to gain access to the emerging technology.

“In some ways, VoIP is more secure than traditional phone service,” says John Curry, owner of Curry IP Solutions. “It is relatively easy for the thief to gain access to the hard-wires of the traditional phone service by tapping into the junction box outside the building or the network of wires in the basement. The important thing is to be aware of the vulnerabilities and develop ways to prevent intrusions into the system.”

Smart Business asked Curry for his thoughts on ways to secure your VoIP system.

What are the first steps in protecting your VoIP system?

You first need to look at VoIP traffic as you look at data traffic. You put data behind a firewall and you should do the same with VoIP. The next step is using encryption. Many companies already send their e-mails and file attachments encrypted. They can use the same technology to send voice traffic.

Secure logins and passwords to send or retrieve messages are the next step. Make sure your service provider has and uses the ability to provide for unique logins and passwords that secure the carrier’s network with the equipment.

Is a separate firewall required?

No; the same firewall can be used as long as it is properly designed to handle VoIP traffic. VoIP uses the IETF Session Initiation Protocol (SIP) and the Real-time Transport Protocol (RTP) for call signaling and voice-message delivery. Firewalls that are SIP-aware, that can detect and counterattack against SIP signaling messages, and that can process RTP media streams without adding significant latency, should be used.

What encryption advice do you have?

Since most companies are already using encryption for e-mails and attachments, they already have policies that can be applied to their phone system.

Companies planning to develop their VoIP network need to make a long-term decision on the hardware they plan to use. Since there is no industry standard for encryption equipment, manufacturers develop proprietary encryption that works on their hardware only. So if you are planning your network for multi-site locations and want to ensure security within your network, you should be consistent with your selections.

Each phone should also have a unique alphanumeric signature or login and password. This will make it more difficult for the phone to be used fraudulently by an unauthorized user. A password of eight to 12 characters requiring a combination of alpha and numeric characters is the toughest to break.

How often should a person change his or her login and password?

If you notice anything suspicious, you should change both your login and password immediately.

With VoIP, the login and password provide secured registration with the VoIP service provider and the IP phone. If your organization has an administrator, you should contact him. If your service is directly connected to a VoIP service provider, you will need to contact the service provider. The login and password are typically controlled by the service provider. In most cases, the service provider makes these changes without contacting the customer.

Anything else that you’d like said about security?

There is another type of security to be considered. That is in the case of a natural or other disaster. In today’s environment, there is access to cell, land and VoIP. If any disaster should occur in an area, one of those three should be available if any suffer gridlock.

More and more cities, including Pittsburgh, are establishing wireless broadband networks that can play a key role if emergency communications were needed. Cities could take control of their own WiFi network and have their staff use WiFi in case of such occurrence. In that case, VoIP could be the most usable and effective communication, since the city could block casual users. I know myself last year when the Pittsburgh Steelers won the Super Bowl, there was gridlock on the Public Switched Telephone Network and cell phones, with fast busies and recordings. VoIP, however, was available.

JOHN CURRY is owner of Curry IP Solutions (www.curryip.com), which caters to business clients. Reach him at (412) 307-3600, ext. 9007 or john@curryip.com.