If there really was a threat, if we were seeing individuals intercepting phone calls and using them against a company, then we should be more concerned. But that just doesn't happen that often. Are employees careful about their conversations now?
I just don't think people think about it. The whole cell phone thing has made people close to oblivious about what they are saying. I am astounded by what I hear people say on their cell phones in public areas. Even at the supermarket, I hear incredible, often personal things. All this is driven by the fact that we've been eroding privacy for a long time. First everyone got put in cubicles. Then they started using the speakerphone. There are no more phone booths. It is ridiculous to spend millions of dollars to secure a communications medium if the people on each end don't care if the conversation is secure. Is there a difference between a hard phone and soft phone when it comes to security?
All of the voice traffic should be on a virtual LAN, separate from the computers on the network. If you run a soft client, then it is impossible to separate out the voice. So, yes, it is a bit of a security risk. What are the security concerns with circuit-switched voice?
Really, there is no security in that environment. I find it fascinating that everyone is so concerned with IP telephony security when no one has done anything to secure the existing phone system. It is
It does not open up any holes. If a call comes in from the outside, it is coming in over the public switched telephone network (PSTN). So there is no more risk there than there is with the phones today. Over time, there are likely to be some issues with soft clients on a PC. For example, someone could call you and, while talking to you, could download code to your PC. That should be blocked by a virus checker and the firewall. The most important thing is to block executable code.
The other issue is moving to an IP network. A lot of hackers may not go through the trouble of playing with a circuit-switched network, but they know a lot about IP networks. There is the threat of a denial of service attack, where the phone is flooded with calls so you cannot make any outbound calls. If that happens on a circuit-switched network, you can call the phone company and they can trace the call and stop it. With IP, who do you call? But in general, voice is not any more vulnerable than any other application on your network.
How does the situation change, if at all, when you move to IP?
With IP telephony, I could sit at a computer in an organization and plug into the local area network and, if I know what I'm doing, I can intercept phone conversations and record them. I don't have to know where the wiring closet is to do that. Does wireless IP telephony add to security problems?
In some ways it helps. As we move to the new security protocol, called Wi-Fi Protected Access (WPA), security will improve dramatically. Phones with WPA security will be on the way soon. With WPA, the air link will likely be the most secure part of the conversation. It will be encrypted with a rotating key. What kind of security measures should companies consider?
All calls should be sent over a virtual LAN (vLAN) and run only on switched Ethernet. Some vendors have encrypted phones. You could also use a virtual private network (VPN), but I don't recommend it. Using a vLAN doesn't make it impossible for someone to hack in, but it makes it tougher for the casual person to access your calls. Training staff is very important as well, so that people think about what they are saying and where they are saying it. After all, why go through the trouble to intercept a call when you can just go over and listen to the guy next you?
FOR MORE INFORMATION:
Browse our Topics on voice/data convergence
Get help from VoIP expert Carrie Higby