There are a lot of ways to attack voice systems. These range from old-school "phreaking" (Search for the 1980s era back-issues of the hacker magazine 2600 for some very interesting reading), to denial of service, to your run-of-the-mill eavesdropping. What's challenging about protecting these systems is that the nature of "convergence" means that there are many more "attack vectors". For instance, you can attack an IP telephony system by phone, or from the network/TCP/IP side, or by applications like integrated e-mail/voicemail, or the HTTP, LDAP and XML interfaces many IP phones support.
But in this tip, we'll start by covering the default security issue: encryption. The first thought most network administrators have is that encryption would be impractical for VoIP because of the CPU-intensive overhead that comes from all that crazy math. The fear is that delay and jitter the encryption process might add would make the conversation quality intolerable. This is certainly a factor to be considered, but most networks today (especially domestic ones) are finding that they have plenty of room in their delay budgets to afford encryption.
If confidential voice is a requirement in your organization (it probably isn't, as nearly all legacy phone systems lacked any encryption capabilities), then you also need to decide what device will do the encryption. It may be the case that you only need to encrypt a VoIP trunk that passes through a provider's network, in which case you can use regular IPSec tunnels with "VPN accelerators" or other hardware-based encryption devices. These devices usually add fewer than 10 ms of delay, which is usually easy to accommodate.
If you need to encrypt all voice conversations from end-point to end-point, then you're probably looking at vendor-specific implementations. While some IP phones and gateways on the market support encryption, such as that provided by IPsec, many don't.
Fortunately, there is a draft IETF standard in the works for Secure Real-Time Protocol. Once this becomes widely implemented, encryption will be as simple to use as SSL in a browser. You may find a few phones that support this today, and if you're interested in application development as well, you can download the open-source libsrtp implementation from Sourceforge.
Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.