printer friendly version

Securing VoIP

Voice over IP (VoIP) is seen as a reliable, cost effective medium for voice communications the world over. However, since it’s based on IP (the Internet protocol), it is also vulnerable to the dangers facing other uses of IP, such as data transactions over the Internet. Hi-Tech Security Solutions spoke to Chris Sutherland, brand manager for Miro to find out more about VoIP as well as the security implications of using this technology.

Hi-Tech Security Solutions: VoIP is being marketed as a good communications medium, but it still depends on network performance and prioritising voice over other data. What kind of bandwidth does a company need to ensure good voice communications over VoIP?

Chris Sutherland: The network speed actually isn’t too much of a concern as VoIP takes up a very minimal amount of bandwidth. On a straightforward 100 Mbps network, you would be able to have thousands of VoIP calls with no issues. The problem is network architecture and how reliable your network is. Many companies have built networks and upgraded networks by simply bolting on extra switches and devices with no concern for network architecture or reliability. This means that the more networking hardware you have in a company, the more latency, lost packets and variability in latency you will have, especially when using low cost network equipment such as cheap switches. These latency issues and lost packets are absolute killers for VoIP traffic and will have a large effect on your voice quality.

The next thing you have to worry about is what type of traffic is the VoIP data going to have to share the infrastructure with. If the company is simply going to be browsing the Internet and sending e-mails through their network, then VoIP will happily run alongside this traffic as there will be plenty of spare network speed/throughput available. If the company is going to be maxing out their network lines by transferring large files such as AutoCAD drawings and the like, this can affect the performance of VoIP considerably and a separate, dedicated cable network should rather be considered for the VoIP infrastructure. If a separate cabled infrastructure is not an option, then you should segment your network and separate the VoIP traffic from the other standard network traffic by means of QoS. This allows you to give priority to the VoIP traffic, and ensure top quality voice calls. This type of setup can be achieved with network routers such as MikroTik, and by making use of managed network switches such as Edgecore, which will understand and operate with advanced network protocols such as VLAN.

Hi-Tech Security Solutions: What about when you break out into the Internet? We’ve all had Skype calls that are patchy even on supposedly good lines, how do you ensure quality when using infrastructure that does not belong to you and is not controlled by you?

Chris Sutherland: With Internet connectivity, there is unfortunately no guarantee of line quality. If you are going to be using standard Internet lines, QoS (Quality of Service) is key here. Being the owner of your network, you should know the types of traffic that are coming in and leaving your network, and you should put top priority to your VoIP traffic over any other type of Internet traffic. This doesn’t have to be an expensive exercise either.

The best option for VoIP connectivity is a closed system. Most top end VoIP providers are able to provide you with a breakout connection such as a wireless link, Diginet line, Fibre line etc., which communicates on a closed network, meaning the breakout link is only capable of carrying VoIP traffic, and no Internet connectivity is available. The VoIP providers are in direct control of these lines and can assure a much better voice quality and service. This closed system will of course also add a great deal of security to your system, as no outside Internet attacks are possible. I would not recommend ADSL lines for VoIP, regardless of whether or not they are dedicated to the VoIP provider, as ADSL is a heavily oversubscribed service and cannot offer the quality that VoIP requires.

Hi-Tech Security Solutions: We’ve also all heard about hackers and vulnerabilities involved when transmitting data over the Internet or even a corporate WAN, how does one secure VoIP traffic to prevent people listening?

Chris Sutherland: The only way to truly secure your VoIP traffic, is to secure your network. Firewalls, appropriate wireless security methods (WPA2) and managed Internet lines are top priority here and not just for VoIP traffic, but all traffic. VoIP trunks themselves can have an encryption method turned on, but the VoIP provider will need to support this feature. Of course, one of the best things to do is make use of a closed breakout connection which your VoIP provider will supply. This is an outbound line, but with no Internet traffic. It is purely dedicated to carrying voice traffic to and from your VoIP provider, and nowhere else, meaning there is no chance of outside tampering.

Hi-Tech Security Solutions: How can one secure against people, for example, hacking into the company WiFi network and then using the VoIP infrastructure to make calls or inject malware into the organisation? Is this something that can happen?

Chris Sutherland: This is a very large possibility, and again, it all comes down to security. Many people do port forwarding to their VoIP server so that they can access it remotely and perform remote configurations and remote VoIP calls. This is a great feature of VoIP, but is a massive security risk as this opens the door for others to remotely see your server and start their hacking attempts. This often results in VoIP servers being compromised, and thousands of Rands in phone calls being placed within a few hours, resulting in a large, unexpected phone bill.

The best way to avoid this scenario, but keep the remote functionality, is to make use of VPNs. VPNs are secure, robust and provide you with all of the remote access you need. You can now remotely configure the PBX from anywhere in the world, make phone calls from anywhere in the world, but not before you dial up to your network with an encrypted username and password.

Share this article:

Further reading: