Are you looking for a good reason to justify purchasing a VPN or looking for yet another use for your existing VPN? Well, if Voice over IP (VoIP) is on your radar, a VPN is a perfect solution to the often-overlooked security vulnerabilities associated with this form of communication. Running VoIP traffic over VPNs is nothing new, but it's certainly becoming more popular given the proliferation of VoIP in today's enterprises.
While everyone knows that credit card numbers sent in clear text can be vulnerable, at the same time everyone seems to think that the same data spoken over a VoIP call is secure. Unfortunately, it's just as susceptible to the various network-based attacks that we're familiar with on our data networks. Whether you're using VoIP for interoffice communications or telecommuter connectivity, a VPN can encrypt voice traffic and eliminate the vulnerability of someone using a network analyzer to capture the data and replay it. You can also use a VPN to authenticate remote sites to make sure that communications via the VoIP network are coming from trusted sources.
So, is there any special type of VPN that must be set up to do this? Not really – you can just use a standard IPSec or similar VPN. These are pretty simple to set up for site-to-site configurations for securing VoIP connections that traverse the Internet. In addition, once you get around the typical client compatibility problems, client-to-site connectivity is possible as well, which can help secure remote softphones. Keep in mind, though, that if the VPN only protects communications from gateway to gateway and not handset to handset, there's always a chance that the VoIP traffic can be intercepted, modified, etc. once it's on the LAN.
A major consideration when setting up a VPN for VoIP is latency. Encrypting VoIP communications takes extra processing power, and any delay over 150 ms (the ITU-recommended one-way maximum delay) can create problems. The stronger the encryption method used, the more time it will take. Of course, there's always the option of using a VPN accelerator for offloading the encryption processing to another CPU. If you go with a hardware-based VPN solution, there's a great chance you'll minimize any added latency. However, don't overlook the functionality and cost savings associated with software-based VPNs (a VPN where you install/configure software on a traditional server). The great thing about software-based VPNs is that you can often download and try them before you buy with relative ease, whereas a hardware-based solution usually means no trial or a hassle-prone one.
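To make the 150 ms budget concrete, here is an added example (not from the original article) that totals one-way delay for a call carried in an IPSec ESP tunnel and compares it with the ITU figure. The codec rate, packet interval, link speed, network delay, jitter buffer and per-gateway encryption times are assumed values for illustration, and the ESP framing assumes AES-CBC with a 96-bit truncated HMAC in tunnel mode over IPv4.

```python
# Added example: one-way delay budget for VoIP inside an IPSec ESP tunnel.
# Every input figure is an assumption for illustration, not a measurement.
import math

ITU_ONE_WAY_MS = 150  # one-way maximum cited in the article


def voice_packet_bytes(codec_kbps, ptime_ms):
    """IPv4 + UDP + RTP packet carrying ptime_ms of audio at codec_kbps."""
    payload = codec_kbps * ptime_ms // 8      # kbit/s * ms = bits
    return 20 + 8 + 12 + payload


def esp_tunnel_packet_bytes(inner_len, block=16, iv=16, icv=12):
    """On-the-wire size after ESP tunnel mode (defaults: AES-CBC, HMAC-96)."""
    padded = math.ceil((inner_len + 2) / block) * block  # +2: pad-length, next-header
    return 20 + 8 + iv + padded + icv         # outer IPv4, ESP header, IV, ciphertext, ICV


def one_way_delay_ms(codec_kbps, ptime_ms, link_kbps, network_ms,
                     jitter_buffer_ms, crypto_ms_per_gateway):
    """Return (total_ms, within_budget) for a gateway-to-gateway tunnel."""
    wire = esp_tunnel_packet_bytes(voice_packet_bytes(codec_kbps, ptime_ms))
    serialization = wire * 8 / link_kbps      # bits / (kbit/s) = ms
    total = (ptime_ms                         # packetization at the sender
             + 2 * crypto_ms_per_gateway      # encrypt at one end, decrypt at the other
             + serialization + network_ms + jitter_buffer_ms)
    return total, total <= ITU_ONE_WAY_MS


if __name__ == "__main__":
    common = dict(codec_kbps=64, ptime_ms=20, link_kbps=512,
                  network_ms=60, jitter_buffer_ms=40)
    # Assumed per-gateway crypto delay: offloaded hardware vs. a loaded software VPN.
    for label, crypto in (("hardware offload", 0.5), ("busy software VPN", 15)):
        total, ok = one_way_delay_ms(crypto_ms_per_gateway=crypto, **common)
        print(f"{label}: {total:.3f} ms one-way, within budget: {ok}")
```

With these assumed inputs the 200-byte voice packet grows to 264 bytes on the wire, and the per-gateway encryption time is what moves the call from inside the budget to outside it.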
By sending VoIP data over a dedicated VPN channel, you can (somewhat) control QoS since the voice traffic is separate from other data transfers. The type of traffic control capabilities you'll have often depends on your VPN hardware/software solution. You could even use a managed VPN service for your VoIP traffic so you don't have to worry about ongoing management and monitoring at all. In addition, if your managed VPN provider supports VoIP, you can lean on them for QoS issues if they can guarantee it – something that can be worth its weight in gold.
Once you secure your VoIP communications channels, you will have taken a big step in the right direction towards secure phone calls. However, a VPN is not the security silver bullet for VoIP. Check out my SearchNetworking.com webcast on VoIP security basics for more tips on securing it.
Kevin Beaver, CISSP, is an information security advisor with Principle Logic, LLC specializing in security assessments and incident response. He is the author of several information security books including the new book titled Hacking For Dummies by John Wiley and Sons.