VoIP security has been called in question recently, though there is little evidence to indicate that VoIP security is any less than conventional telephony systems.

VoIP voice data is transmitted via a packet-switched data network using IP. VoIP systems can carry a significant higher number of calls, and very much faster, than traditional PSTN networks due to compression of the voice packets, modern broadband technology and a number of other gateway developments which have reduced the previous packet delivery problems to an extent that the protocol is now a viable mainstream telephony solution to most business needs.

VoIP security should therefore be shown to be at least as effective as that of traditional telephone systems.

There is actually very little difference between VoIP security and that required for any other type of data transmission system. Look on it the same as you do your email system. The same as your office LAN if you have one. You probably have a system in operation whereby only authorized personnel can use certain aspects of the network. VoIP security can, and do, use the same techniques.

However, having said that, let’s have a look at potential weak points in VoIP security that budding hackers may see as good points of attack.

IP PBX CALL MANAGEMENT BOXES

PBX stands for Private Branch Exchange, and is piece of software running on a server. It’s function is to deal with all the switches and connections involved in the telephone system. These can be attacked by hackers or viruses which could compromise sensitive data. VoIP security systems are designed with this risk in mind.

PBX equipment should be placed behind firewalls, locked down and regularly monitored for unwarranted intrusions using intrusion-detection software. It is also possible to put the server in a different domain from the rest of the system, making it much more difficult for intruders to reach. PBX security is a basic aspect of VoIP security systems

GATEWAYS AND DATA PACKETS

The gateway’s job is to convert voice to data packets, transmit them then receive and convert the packets back into voice. These are a potential VoIP security risk in that thy can be hacked into unless there is an access-control system in place to prevent unauthorized people from accessing the system. VoIP calls should only be permitted to specific people, and most good VoIP security systems allow only authorized user to operate VoIP systems under password control.

The data packets themselves can be hacked into using data-sniffing techniques. This can be a serious VoIP security risk and packet sniffers, as they are often called, capture binary data passing through your network and can reroute it to a computer on another network for decoding into a readable form. In order to do this, the ‘sniffers’ has to be on the same network wire as the packet is using to reach its destination. The problem in installing an effective VoIP security system is that there is usually a lot of information passing at any one time, and the hacker has a higher probability of getting useful information than from a conventional telephone system.

Encrypting VoIP traffic and routing it through a virtual private network would reduce the VoIP security risk, and most corporate systems have multiple encryption layers for external messages. Internal security could be improved by running internal VoIP messages through this corporate network. Small businesses should seek the advice of their supplier, or of a security expert if they feel that they may be subject to such attacks.

However, VoIP security advisors can point small to medium companies in the right direction. Corporate VoIP security is generally not so much problem in that it is normally contracted out to expert advisers.

In the final analysis, however, there are no real differences between VoIP security and the normal security concerns associated with any data network service, such as normal office internet and email LANs. The security firewalls and restricted access to use, common on these systems, should suffice to deal with VoIP security