Trilight Zone Forum Index Trilight Zone
Privacy & Anonymity is our speciality !
 

Securing VoIP on the Wire

 
tricore
Guest





Posted: Thu Feb 01, 2007 2:33 am    Post subject: Securing VoIP on the Wire

With the world, and not just enterprises, rushing to implement Voice over IP (VoIP) in order to realize the cost and scalability benefits it provides, it's only responsible to secure communications as we build our infrastructure.

VoIP traffic is not inherently encrypted, and the protocols are well understood. It's perfectly possible for third parties to monitor communications if they were positioned to do so, had the right software, and had no qualms.

But fortunately, the defining characteristic of VoIP is that it's just data. You can encrypt it like any other data on the network, at the cost of some processing on both ends and some other minor costs. Rather than develop special encryption protocols for VoIP, it's more straightforward and secure to set up a virtual private network (VPN).

For strategic, persistent connections used by large, distributed enterprises and VoIP service providers, there are products and services to provide optimal and secure connections, such as VeriSign's PBX IP Connect service.

The VeriSign service uses a certificate-based VPN to secure all communications external to the enterprise or service. By tunneling all of the VoIP data through the VPN, including the SIP-based signaling, the voice network becomes hardened against signal-based attacks such as denial of service attacks.


But managing a few high-value, high-speed connections is also easier in a way because you can pay a lot of attention to them and put some money into securing them. The bigger, harder problem to manage is how to secure all those endpoints.

Consider people who work at home, a rapidly growing trend in business for a variety of reasons. They have a telephone at home and they have a cell phone, but they're still not as accessible as if they were in their office where everyone knows how to reach them, and where the company voice mail and address book and other expensive, useful facilities are most available.

If users have broadband at home (and who doesn't these days?) and they could connect their phones to the VoIP system at work, their productivity could be greatly increased. Bad weather, minor sick days, and other problems that keep employees out of the office needn't keep them unproductive.

But of course you don't want your business voice traffic traveling unprotected on the network of the employee's broadband provider and the Internet at large. One possibility is to give them a VPN router, which is relatively inexpensive, and connect their network to the corporate network. The voice traffic, and indeed all of the home network traffic, would be protected.

This would work, but it has a number of disadvantages. As was just said, all of the home network traffic would route over the corporate LAN, including the kids playing World of Warcraft. It's also a difficult configuration for most users to accomplish, as VPNs can be complex, and it's not always possible for an IT department to pre-configure it, send it back with the user, and expect it to work.

The answer is an IP phone with VPN capabilities built in. A number of companies make such phones; one interesting model is the Avaya 4600 with VPNremote software installed.

VPNremote is essentially a different version of firmware for the Avaya 4600 phone with a VPN client built into the firmware. Before the user takes the phone home, administrators back at the office configure it with proper connection parameters and authentication credentials. When the phone boots back at the user's home, before establishing a VoIP connection of any kind, it establishes a tunnel back to the enterprise according to the configuration entered into it.

Cisco also makes VPN software for its IP phones, called the Cisco Unified PhoneProxy. One prominent difference is that the Cisco solution is tied to the company's own VPN connections, while the Avaya solution works with many different VPN solutions and is highly configurable.

Such phones work fine behind typical home routers, and can communicate through NAT. Theoretically, there could be performance issues, especially if the kids log on to iTunes and start blowing their allowance.

Typically, in the face of network contention, VoIP conversations become choppy and experience delay. But there are ways around this with most routers. They usually have a prioritization function for certain ports or hard-coded IP addresses, and (ironically) these are usually designated for the "gaming" PC, under the theory that it's the gamer in the home that needs the most reliable bandwidth. It's up to the user to decide who runs the router in that family.

For as cutting edge a technology as VoIP is, these security technologies are very well-developed and mature. You should be afraid to put certain things on the Internet, but if you have the right products to run it, you shouldn't fear for your phone system.
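
Added example, not part of the original post: a check a defender can run on payloads captured on the untrusted side of a link to confirm that SIP signaling is not leaving outside the VPN tunnel, listing what is readable when it is. The function name, the sample message, and its addresses are constructed for illustration.

```python
import re

# Constructed, abbreviated sample: a SIP INVITE with an SDP body as it would
# appear in a payload captured outside any tunnel. Names/addresses are made up.
SAMPLE_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    b"To: Bob <sip:bob@example.com>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"Content-Type: application/sdp\r\n"
    b"\r\n"
    b"v=0\r\n"
    b"c=IN IP4 192.0.2.10\r\n"
    b"m=audio 49170 RTP/AVP 0\r\n"
)

# A SIP request line ("METHOD uri SIP/2.0") or status line ("SIP/2.0 200 OK").
START_LINE = re.compile(r"^(?:[A-Z]+ \S+ SIP/2\.0|SIP/2\.0 \d{3} .*)$")

def cleartext_sip_exposure(payload: bytes):
    """Return what a captured payload reveals if it is readable SIP, else None."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return None  # not text: consistent with tunnelled or encrypted traffic
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not START_LINE.match(lines[0]):
        return None  # readable, but not SIP signaling
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    found = {"start_line": lines[0], "from": headers.get("from"),
             "to": headers.get("to"), "call_id": headers.get("call-id"),
             "media": []}
    conn = None
    for line in body.split("\r\n"):
        if line.startswith("c="):      # c=IN IP4 <address>
            conn = line.split()[-1]
        elif line.startswith("m="):    # m=<type> <port> <proto> <formats...>
            parts = line[2:].split()
            if len(parts) >= 3 and parts[1].split("/")[0].isdigit():
                found["media"].append({"type": parts[0], "addr": conn,
                    "port": int(parts[1].split("/")[0]), "proto": parts[2]})
    return found
```

A non-`None` result on a capture from the home or provider side means the phone is signaling outside the tunnel; the `media` entries show where the matching voice stream would be found.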
All times are GMT

 

