BOSTON -- Experts at the Next Generation Networks conference said even though VoIP security threats are large in
number and scope, it is possible to maintain a secure enterprise VoIP architecture.
During a Tuesday conference session that focused on the security issues surrounding VoIP, Ramesh Lakshmi-Ratan, president of the VocalTec Americas division of VocalTec Communications Ltd., said the move to a VoIP-based phone system is essential from the infrastructure providers' perspective because the public switched telephone network (PSTN) is expensive, outdated and ultimately unsustainable.
"Today's PSTN is not a nice place," Lakshmi-Ratan said. "There's no longer one owner, and it's not located in any one place. It's a very promiscuous way to connect phone networks to each other."
While many enterprises were once afraid of the security ramifications of placing voice calls over the Internet, he said that's no longer the case.
"These new [VoIP] networks are not scary anymore because they're starting to work well and companies are making money from them," Lakshmi-Ratan said.
However, Lakshmi-Ratan said VoIP requires a new thinking on security because there are so many different aspects that need to be secured, such as the phone device, the transport mechanism and the network. Complicating matters further are future federal rules that many expect will eventually mandate that such systems provide a way to "lawfully intercept" VoIP calls.
Ashley Johnston, director of business development for Texas Instruments' VoIP division, said IP telephony technology has evolved immensely since its early days, but it's still relatively easy for voice packets to fall prey to eavesdropping, tampering and tricks that can cause repudiation.
Johnston said different mechanisms are needed to secure voice on the Net versus those used to secure data. That's because a different set of key exchange, authentication and encryption methods are needed to help users quickly establish high-quality connections.
"VoIP basically has to adhere to what people are used to," said Johnston, namely picking up the phone and being able to quickly make a call, since methods that may work well for securing data packets would decrease call quality too dramatically.
Another challenge is ensuring that VoIP is as user-friendly as a system using a traditional PBX. For instance, a system requiring a user to log in with a passcode may in some cases be too easy for a rogue user to overcome, while one that requires a complex procedure with multiple authentication steps may be too tedious.
Bruce Robertson, senior manager of network design with Nortel Networks, said it's essential for an enterprise to establish data encryption and user security policies prior to a VoIP implementation. Large companies must then make careful configuration changes to firewalls, packet filters and encryption processes.
Robertson said some companies should consider what he termed a VoIP safe zone, which means establishing a constant, minimum level of internal security mechanisms such as internal stateful firewalls and encryption that is initiated with the onset of any call.
Johnston said regardless of the exact security method used, end-to-end security is essential. "Security needs to start with the device you use to make the call, and end with the other person's device," he said.