VoIP is rapidly becoming the norm for business communications. However, as with any technology that relies on using the internet, it raises issues surrounding security.
Running voice over your data network is not inherently less secure than any other internet application. However, there are still challenges in ensuring that it is implemented safely and securely.
Business VoIP providers technology
Voice over IP isn’t new, the technology has been around for many years, but it’s only the advent of faster, fibre-based networks in recent years that has really seen it take off as the preferred method of offering voice services.
It’s understandably attractive to enterprises because VoiP can offer dramatically lower call costs compared with traditional PSTN services. There are other advantages, not least of which is flexibility. It’s easier to scale the service as the business expands or to cope with seasonal variations in demand. As businesses look to replace their PABXs, switching to VoIP also offers the opportunity to cut hardware costs and reclaim some space by hosting call handling in the cloud.
The fact that major telephone providers are looking to switch off their PSTN services and go over completely to VoIP means that it will be coming to most organisations sooner rather than later, so it’s a good idea to plan for it now.
Voice and Ethernet
Internally, your VoIP traffic will be carried on your Ethernet backbone. You may worry that this leaves it open to eavesdropping by anyone on the network, but this is not the case. It might have been true in the past when Ethernet traffic was daisy-chained on a co-ax cable, but today almost all Ethernets are switched.
This means that although, in theory, you can reach any endpoint on the network, the traffic between two points on the network is only available to those two points. This means that the VoIP packets making up a conversation are only available to the endpoints taking part and the switches in between. Interception of the call is therefore not impossible, but it does require specialist equipment and actually represents a lower risk than that associated with traditional telephony.
While it is, of course, possible to ‘sniff’ network packets, this is difficult compared to tapping a conventional voice call. Sniffing a VoIP packet means that you need access to the switches or the network. Given that this network is probably also carrying confidential data from other sources, it should be secured anyway.
The transmission method makes a difference to security too. Fibre optic cables are much harder to tap than copper wire because they don’t emit radio frequencies that can be intercepted. Even if signals are intercepted, getting at the contents of a VoIP call is still difficult because the actual call is tucked away inside the protocol stack. A hacker would, therefore, need to know in what format the information is transmitted and to be able to decode the packets. It’s hard to do in real time, so archived call data is more likely to be at risk.
Voice and internet
As we have seen, running voice over your internal network is pretty secure. But what happens when the traffic goes out onto the internet? Making a connection to the outside world opens your servers up to access from all sorts of people.
Unlike PSTN telephone systems where phone numbers are centrally issued, there is relatively little control over the use of IP addresses. This means an environment where spoofing of IDs is relatively easy and where DDoS attacks could be used to take down or disrupt your voice calling capability.
Of course, these problems affect all internet traffic, not just voice. When you conduct any transactions over the internet, your traffic is passing through multiple different servers, some of which may not be as secure. There is, therefore, more risk in sending your VoIP traffic over the web. But consider that you are likely to be sending emails and other sensitive information over the same network without too many reservations, that puts the risk in context.
When venturing into VoIP it’s important to know a bit about the protocols used to manage traffic. Most common is Session Initiation Protocol (SIP). This is able to secure calls using encryption, with SSL, PGP or S/MIME all available. Where SIP is weakest is in authentication mechanisms which could allow caller identity to be compromised.
The newer H.323 protocol addresses some of SIP’s shortcomings. For example, it can reroute calls in the event of gateway failure. However, this comes at the expense of slower routing of data which could affect call quality. It also supports encryption by H.235 or SSL.
No network system is ever completely secure. If someone is determined to access it they will find a way. But VoIP is generally no less secure than PSTN.