VoIP traffic encryption tools

Securing Voice over IP (VoIP) traffic remains one of the biggest obstacles to its mainstream enterprise use. As a general rule, VoIP traffic flows across the Internet in unencrypted packets. What this means is that anyone with a protocol logger who happens to be on a network segment between the sender and the recipient can intercept VoIP packets and use those captured packets as a recording of the phone conversation. In fact, there is a hacker tool named vomit that can convert captured VoIP packets into a WAV file.

VoIP traffic tends to be unencrypted, but that doesn't mean that it has to be. For example, large corporations often use IPsec-encrypted VPN tunnels for VoIP traffic. Doing so hasn't proven to be a perfect solution, though.

A VoIP tunnel does a good job of securing traffic between sites. For example, if a corporation has an office in Miami and another in Las Vegas, a VoIP VPN tunnel can be used to encrypt the VoIP traffic that's flowing between the two locations. The traffic flowing between the two facilities is encrypted, but traffic flowing between two points within a single building is not. This may not seem very important, but numerous reports have stated that the vast majority of security breaches are inside jobs conducted by trusted employees.

It's not that VoIP traffic can't be encrypted between two PCs within a single building, but using a VPN-based solution just isn't practical for PC-to-PC VoIP encryption. VPN tunnels can be complex to configure, and they typically have to be configured individually for each pair of computers that will be communicating over the tunnel.

One possible solution for corporations using VoIP internally is to create a group policy that requires all network traffic to be secured by IPsec. Of course, doing so consumes a lot of processor time and adds to network congestion.

More on VoIP encryption Phil Zimmermann discusses Zfone in this Q&A interview: VoIP security, PGP style Security expert Andrew Graydon looks at Traffic logging and VoIP encryption Is there a standard for encryption of traffic between IP phones?

Because of these types of security issues, corporations have been slow to adopt VoIP. The consumer market is a different story, though. VoIP adoption in the consumer market has been fueled by tantalizing economics (the promise of cheap phone bills). Unfortunately, in the mad dash to save a few bucks and to say goodbye to the phone company forever, security has gone out the window. Most consumer-grade VoIP solutions do not encrypt VoIP packets.

So why is it that the majority of VoIP traffic is unencrypted? It can't be that hard to encrypt VoIP traffic, right? After all, we encrypt everything else.

The lack of encryption is due in part to a lack of standards. As VoIP technology has emerged, there have been lots of competing -- but not necessarily compatible -- standards. This is starting to change. For example, a relatively new encryption product for VoIP, known as Zfone, seems to be gaining rapid popularity.

Zfone was created by Philip Zimmermann. If that name sounds familiar to you, it's because he was the person who created the PGP protocol used to encrypt email messages. Zfone uses a protocol known as ZRTP to encrypt VoIP traffic.

The ZRTP protocol may eventually be integrated into standalone VPN devices or into network routers. For today, though, it may be run on a computer (Windows XP, Mac OS X and Linux are all supported). The basic idea is that both the caller and the recipient run a copy of Zfone. In doing so, Zfone is able to encrypt the conversation. If one person is running Zfone and the other is not, then the conversation remains unencrypted. The Zfone interface clearly displays whether or not the current call is secure.

Conclusion
Today, there are lots of ways to encrypt VoIP traffic. It remains unclear which method will emerge as the encryption standard for VoIP. The important thing is that if you are using VoIP, you need to implement some kind of encryption for your own privacy.

About the author:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.

Rate this Tip To rate tips, you must be a member of SearchUnifiedCommunications.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT VoIP Security Security concerns for enterprise Skype SIP tutorial Unified communications security risks and countermeasures Can outsiders access my VoIP line and gather confidential data? Top VoIP Chapter Downloads of 2007 Best practices for instant messaging security Top rated VoIP security tips of 2007 Voice over IPv6: Architectures for Next Generation VoIP Networks VoIP vulnerability threatens data How to Cheat at VoIP Security Unified Communications Tech Tip Streaming Cisco's IP Communicator to an HP thin client Demystifying unified communications deployment strategies Presence management and security Presence: SIMPLE versus XMPP Four factors driving videoconferencing Consider IBM Lotus SameTime for UC, not just Microsoft OCS An introduction to SIP, part 1 What's the value of unified communications? The benefits and challenges of presence within unified communications Will we get reliable unified communications? RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary vishing  (SearchUnifiedCommunications.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.