Creating a secure and reliable VoIP solution
Published: 10 Aug 2007 14:09 BST
…generally won't provide excellent voice quality; broadband speeds are needed.
Latency or "lag time" can be even more important than speed. According to the International Telecommunication Union (ITU), the maximum acceptable delay for voice transmissions is about 150 milliseconds. DSL, cable and Wi-Fi all work well in this regard. Even dial-up is adequate in regard to lag time; however, cellular, with delays of up to 600 milliseconds, doesn't work so well until you get up to the 3G level.
VoIP QoS requirements
Expectations for the level of service and reliability of voice communications are generally different — and much higher — than the expectations for data communications. Acceptable voice-transmission quality requires low latency, so you don't have a long delay between the time one party speaks and the time the other party hears that speech. Long delays disrupt the easy flow of conversation. Variable delay (jitter) is even worse because it can result in echo.
Regular fax machines used on VoIP lines are also very sensitive to jitter and latency.
The security dilemma
Security mechanisms on an IP network almost always involve some overhead that affects performance. Again, when data is being transmitted, this may not even be noticeable; but the delays added for, as an example, the time required to encrypt and decrypt packets to secure the confidentiality of your VoIP conversations can adversely affect the quality of the call.
There's already a lot going on in a VoIP call. With a PSTN line, you dial a phone number and the telco's equipment processes that information and the switching system establishes a circuit to ring the called number. When you call a phone number on a VoIP line, the analogue signal must be converted to digital, data is compressed, the called number must be associated with the called computer's (or other VoIP endpoint's) IP address, and a number of complex protocols are involved.
Throwing security into the mix slows the process down. Firewall packet filters and application filters take time to examine packets as they enter or leave the network. Encryption protocols take time to encrypt and decrypt the data. Authentication and access-control mechanisms take time to perform their tasks. Although each of these delays is small, when you have a good, multi-layered security strategy, the effect is cumulative and can be enough to affect call quality.
This doesn't mean you should skimp on security for your VoIP network. Just as VoIP lines are more vulnerable than PSTN to the effects of delay, they are also more vulnerable to security breaches.
VoIP security: A multi-layered approach
A multi-layered approach to security of any kind works best. For example, in protecting your home and possessions against burglars, you probably take a multi-layered approach: you might erect a fence around the perimeter with a locked gate, place a large dog in the yard in case someone gets through the fence, put mortise locks on the doors and windows in case they get past the dog, install a security alarm system in case they manage to pick the locks, and place valuables in a safe in case someone circumvents all your other security measures.
Likewise, the best way to protect your VoIP network is with multiple layers of security mechanisms that can place as many obstacles as possible in the path of potential intruders or attackers. Let's take a look at some ways to create a multi-layered VoIP security strategy.
Defining the perimeter: voice/data-network separation
Before you can practice perimeter security, you need to have a defined perimeter. A popular mantra in data-networking circles in recent months is that "there are no perimeters". In truth, there are more perimeters than ever — and this seems to have caused some IT security experts to give up completely on the concept of protecting them. But it doesn't have to be that way. You can create defensible perimeters for your network just as you can put up fences to create defensible perimeters for your land.
The first step in creating the most secure VoIP network is to separate it from your data network. Total integration may seem ideal in terms of ease of management and interoperability, but it's less than ideal when it comes to security. Your best bet is to logically segregate the voice and data networks using VLAN-capable switches, so that an attack on the data network won't bring your VoIP system down with it. This means:
- Put VoIP phones on a separate VLAN with non-routable (private) addresses.
- Don't allow interaction between internet-connected PCs and VoIP components.
- Use access-control lists (ACLs) to prevent communications between the VLANs.
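The three points above amount to an ordered, first-match-wins access-control list between the two VLANs. The following is an added example (not code from the article or from any vendor) that models such a list in Python and evaluates sample flows against it, so the policy can be checked before it is typed into a switch. The addresses, the SIP port 5060, and the RTP port range 16384-32767 are assumptions constructed for the example; the article gives none of them.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing for this example; the article names no address ranges.
VOICE_VLAN = ip_network("10.10.20.0/24")  # IP phones, private non-routable space
DATA_VLAN = ip_network("10.10.30.0/24")   # internet-connected user PCs


@dataclass(frozen=True)
class Rule:
    """One ACL entry. A None proto or dport matches anything, as 'any' does on a switch."""
    action: str                       # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None       # "udp", "tcp" or None for any protocol
    dport: Optional[range] = None     # destination-port range, None for any port

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or dport in self.dport))


# Ordered, first-match-wins list, processed the way a router or switch ACL is.
INTER_VLAN_ACL = [
    # Inside the voice VLAN only SIP signalling (5060) and the RTP media range are
    # expected; both port values are assumptions for this example.
    Rule("permit", VOICE_VLAN, VOICE_VLAN, "udp", range(5060, 5061)),
    Rule("permit", VOICE_VLAN, VOICE_VLAN, "udp", range(16384, 32768)),
    # Nothing crosses between the voice and data VLANs in either direction.
    Rule("deny", DATA_VLAN, VOICE_VLAN),
    Rule("deny", VOICE_VLAN, DATA_VLAN),
    # Ordinary PC-to-PC traffic is left alone.
    Rule("permit", DATA_VLAN, DATA_VLAN),
]


def evaluate(src, dst, proto, dport, acl=INTER_VLAN_ACL):
    """Return (action, index of the rule that matched); -1 marks the implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(src, dst, proto, dport):
            return rule.action, i
    return "deny", -1  # every real ACL ends with an implicit deny


def audit(flows, acl=INTER_VLAN_ACL):
    """Evaluate a batch of (src, dst, proto, dport) tuples; return the denied ones."""
    denied = []
    for flow in flows:
        action, idx = evaluate(*flow, acl=acl)
        if action == "deny":
            denied.append((flow, idx))
    return denied


# Constructed sample flows, chosen to exercise every rule and the implicit deny.
SAMPLE_FLOWS = [
    ("10.10.20.11", "10.10.20.5", "udp", 5060),    # phone registers with call manager
    ("10.10.20.11", "10.10.20.12", "udp", 20000),  # RTP between two phones
    ("10.10.30.42", "10.10.20.11", "tcp", 80),     # PC reaches for a phone's web UI
    ("10.10.20.11", "10.10.30.42", "udp", 53),     # phone tries to reach the data VLAN
    ("10.10.30.42", "10.10.30.43", "tcp", 445),    # PC-to-PC file sharing
    ("10.10.20.11", "10.10.20.12", "tcp", 22),     # SSH between phones: not on the list
]

if __name__ == "__main__":
    for flow, idx in audit(SAMPLE_FLOWS):
        print(f"denied {flow} by rule {idx}")
```

Running the module lists the three denied flows; the PC-to-phone and phone-to-PC attempts hit the explicit cross-VLAN denies, and the unexpected SSH flow falls through to the implicit deny, which is the case worth logging on the real switch so that anything not on the expected-protocol list shows up.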
Protecting the perimeter: VoIP-aware firewalls
Perimeter protection in an IP network usually means a firewall, but just any old firewall won't do for a VoIP network. You need a firewall that's specifically designed to handle VoIP traffic. This means…