This article can also be found in the Premium Editorial Download "Information Security magazine: Unwrapping Windows Server 2003: An exclusive first look at Microsoft's new OS."
In many ways, Doug Haluza, director of engineering and new technology at Lexent, is just like any other IT professional who's recently deployed VoIP throughout his company. Since he was implementing a new WAN and changing service providers, he did his research and made sure Lexent's network could support VoIP.
But rather than rely on perimeter security alone, as many VoIP adopters apparently do, Lexent, which as a solution provider to both enterprises and telecommunications companies knows a thing or two about IP telephony, has taken additional steps to prevent voice transmissions over its LAN and WAN from being intercepted.
VoIP is an option that more organizations are considering, particularly those that make a lot of international calls.
Haluza limits the company's exposure to the Internet, sending outbound voice through a single carrier's IP backbone. And all IP telephone devices have private addresses, so they're not globally routable. "You can't make a call [from the outside] using our gateway, because you can't get to it," Haluza explains. In addition, packetized voice is encrypted with a Cisco IPSec-compliant VPN as it moves from one location to another. "IPSec obviously is not for the faint of heart," he warns. "It's complicated, and you have to be able to stick with it until you get it right."
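The two design properties Haluza describes, phones and gateways on private addresses that are not globally routable, and voice between sites carried inside an IPsec tunnel, are the kind of thing worth checking mechanically after every network change. The following Python script is an added example, not the article's or Lexent's code; the inventory, site names, addresses and tunnel list are constructed for illustration, and the script treats "private" as the RFC 1918 ranges.

```python
"""
Audit a VoIP site inventory for two design properties:
1. every IP telephony endpoint uses an RFC 1918 (non-globally-routable) address;
2. every pair of sites that exchanges voice has an IPsec tunnel between them.
"""
import ipaddress
from itertools import combinations

# RFC 1918 private ranges: addresses here are not globally routable, so an
# outside caller cannot reach the phones or the gateway directly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory (assumed, not any real company's addressing): site -> [(device, address)]
ENDPOINTS = {
    "site-a": [("phone-a-01", "10.1.10.21"), ("voice-gw-a", "10.1.0.1")],
    "site-b": [("phone-b-01", "10.2.10.21"), ("voice-gw-b", "203.0.113.7")],  # deliberately wrong: public
    "site-c": [("phone-c-01", "172.16.5.9")],
}

# Constructed list of site pairs whose WAN link carries voice inside an IPsec tunnel.
# Note that site-b <-> site-c is missing.
IPSEC_TUNNELS = {frozenset(("site-a", "site-b")), frozenset(("site-a", "site-c"))}


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 ranges (IPv6 addresses never do)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_routable_endpoints(endpoints=ENDPOINTS):
    """Endpoints whose address is globally routable, i.e. reachable if the perimeter slips."""
    return [
        (site, dev, addr)
        for site, devs in endpoints.items()
        for dev, addr in devs
        if not is_rfc1918(addr)
    ]


def find_unencrypted_paths(endpoints=ENDPOINTS, tunnels=IPSEC_TUNNELS):
    """Site pairs that would exchange voice in the clear because no IPsec tunnel joins them."""
    return sorted(
        tuple(sorted(pair))
        for pair in combinations(endpoints, 2)
        if frozenset(pair) not in tunnels
    )


def audit(endpoints=ENDPOINTS, tunnels=IPSEC_TUNNELS):
    """Collect human-readable findings for both checks."""
    findings = []
    for site, dev, addr in find_routable_endpoints(endpoints):
        findings.append(f"{site}/{dev}: {addr} is not RFC 1918, so it is globally routable")
    for a, b in find_unencrypted_paths(endpoints, tunnels):
        findings.append(f"{a} <-> {b}: voice path has no IPsec tunnel")
    return findings


if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```

Run against the constructed inventory, the script reports the public gateway address at site-b and the missing site-b to site-c tunnel; against a real inventory, an empty result is the state to keep verifying after each change of carrier, router or address plan.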
And older VPN software wasn't designed to handle the traffic that VoIP generates. Pushing voice through a VPN can, in some cases, degrade quality of service to the point of being unacceptable, experts say.
Lexent avoided this problem by using new Cisco routers with hardware encryption. "Once you have IPSec running, it's actually harder not to encrypt the voice," Haluza said. "As long as the encryption is done in hardware, there's no performance penalty for encrypting voice."
Those that have dabbled in both voice and data should have fewer problems moving their telephony away from traditional environments, Haluza says. "If you're used to working with both technologies, then voice really does become just another application. At the end of the day, that's all it is: a real-time application."
Since August, Joel Pogar, national practice manager for information security at Siemens, has evaluated networks for numerous clients wanting to deploy VoIP. "None of them passed our initial assessment," he says.
That's not surprising. "Networks have to be designed to support VoIP. We're looking at a lot of networks designed three to five years ago, when VoIP was not a mainstream technology."
The trick with VoIP is to reconfigure a network to accommodate the technology without compromising security, Pogar says. For Siemens customers, Pogar goes through several pages of potential holes or problems to be addressed. The older the network, the more time and money the deployment is likely to cost.
At Lexent, running VoIP over IPSec-compliant VPNs has already paid off in savings: monthly costs fell from $48,000 with a fully managed service provider to less than $20,000 doing the work in-house. Future consolidation is expected to bring the monthly tab closer to $10,000.
While address spoofing and packet sniffing are frequently cited as chief security concerns, Pogar believes the biggest vulnerabilities lie within call-handling software, which usually resides on Linux or Windows servers, and other VoIP necessities, such as call-routing switches, which are increasingly subject to denial-of-service attacks.
"If you're deploying a VoIP system, continually test and monitor it," Pogar says. "As standards evolve and new security weaknesses are discovered, you'll want to be sure to stay one step ahead of the potential bad guys who are out there."
This was first published in April 2003