Securing Voice over IP (VoIP) traffic remains one of the biggest obstacles to its mainstream enterprise use. As a general rule, VoIP traffic flows across the Internet in unencrypted packets. What this means is that anyone with a protocol logger who happens to be on a network segment between the sender and the recipient can intercept VoIP packets and use those captured packets as a recording of the phone conversation. In fact, there is a hacker tool named
VoIP traffic tends to be unencrypted, but that doesn't mean that it has to be. For example, large corporations often use IPsec-encrypted VPN tunnels for VoIP traffic. Doing so hasn't proven to be a perfect solution, though.
A VoIP tunnel does a good job of securing traffic between sites. For example, if a corporation has an office in Miami and another in Las Vegas, a VoIP VPN tunnel can be used to encrypt the VoIP traffic that's flowing between the two locations. The traffic flowing between the two facilities is encrypted, but traffic flowing between two points within a single building is not. This may not seem very important, but numerous reports have stated that the vast majority of security breaches are inside jobs conducted by trusted employees.
It's not that VoIP traffic can't be encrypted between two PCs within a single building, but using a VPN-based solution just isn't practical for PC-to-PC VoIP encryption. VPN tunnels can be complex to configure, and they typically have to be configured individually for each pair of computers that will be communicating over the tunnel.
One possible solution for corporations using VoIP internally is to create a group policy that requires all network traffic to be secured by IPsec. Of course, doing so consumes a lot of processor time and adds to network congestion.
So why is it that the majority of VoIP traffic is unencrypted? It can't be that hard to encrypt VoIP traffic, right? After all, we encrypt everything else.
The lack of encryption is due in part to a lack of standards. As VoIP technology has emerged, there have been lots of competing -- but not necessarily compatible -- standards. This is starting to change. For example, a relatively new encryption product for VoIP, known as Zfone, seems to be gaining rapid popularity.
Zfone was created by Philip Zimmermann. If that name sounds familiar to you, it's because he was the person who created the PGP protocol used to encrypt email messages. Zfone uses a protocol known as ZRTP to encrypt VoIP traffic.
The ZRTP protocol may eventually be integrated into standalone VPN devices or into network routers. For today, though, it may be run on a computer (Windows XP, Mac OS X and Linux are all supported). The basic idea is that both the caller and the recipient run a copy of Zfone. In doing so, Zfone is able to encrypt the conversation. If one person is running Zfone and the other is not, then the conversation remains unencrypted. The Zfone interface clearly displays whether or not the current call is secure.
Today, there are lots of ways to encrypt VoIP traffic. It remains unclear which method will emerge as the encryption standard for VoIP. The important thing is that if you are using VoIP, you need to implement some kind of encryption for your own privacy.
About the author:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.
This was first published in August 2006