How to: Encrypt Your VoIPBy: VoIP Now, on April 24, 2007
As VoIP becomes ever more popular, the security of these systems becomes more of a concern. VoIP can be vulnerable to a number of attacks due to the nature of VoIP calls. In short, VoIP traffic flows across the Internet in unencrypted packets, which means anyone that has access to the network between sender and recipient can intercept these packets — essentially allowing them to create a recording of your conversation. How can you help secure yourself against these types of attacks? One way to help protect your privacy is to encrypt these conversations so that they aren't simply floating around out there for potential hackers to latch onto. Be advised, however, that some of the best encryption methods aren't something any layperson can do. They're at the network level and would be better left for the IT department to handle.
- Zfone — Created by Phil Zimmerman (who also created some of the first and most widely used e-mail encryption software), Zfone is a relatively new way to protect your VoIP. The software is free to download from the Web and is relatively easy to install and use. It is, in fact, one of the few ways to encrypt your VoIP that you can implement without some serious tech knowledge. One of the advantages of Zfone is that it works with almost all existing VoIP clients, with the exception of proprietary systems such as Skype. Zfone can help defend against a number of different types of attacks including man in the middle, call hijacks, and spoofing. Once installed, the program will let you know what calls you make that are secure, and what calls aren't. What might not be secure? Well, that is one of the drawbacks of Zfone technology. In order for a call to be secure, both users have to have the program installed. So calls to places not using a VoIP service, like the bank for example, would not necessarily be secure.
- Built-in Encryption — Many VoIP clients have responded to customer concerns over security by building encryption into their existing software. Skype, for example, has built-in encryption capability in their proprietary software. Worried about trusting an encryption service that you can't see or evaluate for yourself? Luckily, someone else has already evaluated it for you. Skype's encryption was found to make a VoIP call, text chat, video or file transfer more secure than conventional phone lines or e-mail. Check with your VoIP client to find out if they provide encryption for your calls, as many are trying hard to address concerns about security and might have services you aren't aware of to protect your privacy.
- Transport Layer Security and IP Security — Transport Layer Security (TLS) and IP Security (IPSec) are some of the most common ways businesses encrypt their VoIP calls and they could work for your business as well. TLS and IPSec differ in which level they encrypt data. TLS encrypts information, like a VoIP call, that is traveling between two applications while IPSec encrypts data for two devices and all the applications running on them. These protocols are designed to keep outsiders from tampering with your calls, eavesdropping, or creating false calls, and they are almost impossible to manipulate from the outside. So which should you use? TLS is gaining favor as the preferred method of security because it has proven to be more efficient and eats up less of your network bandwidth. The decision is really up to you and many networks opt to have both (better safe than sorry, right?).
- Secure Real-Time Transfer Protocol — SRTP is ideal for protecting Voice over IP traffic because it has a minimal effect on the quality of the calls it encrypts. For each call you make, a unique encryption key is created, which makes eavesdropping almost impossible. That alone makes it a good choice for day-to-day calls as well as private ones. Some companies, such as Ingate Systems, have already incorporated this technology into their programs. SRTP could be a simpler way to incorporate additional security into your VoIP network.
- Virtual Private Network — If you've got a business with locations in multiple cities, a Virtual Private Network (VPN) solution might work best for securing your VoIP. Many companies already have VPN set up for securely transmitting data, but adding VoIP can be relatively simple. An organization that wants to tie two offices together would add the VoIP equipment at each end, giving it an IP address. This process is similar to how they add a PC or server to a traditional network. Calls on the VPN would then be secure, allowing users from remote offices, or even from their laptops to communicate with other offices on the VPN network. VPNs also have the advantage in that users don't have to worry about firewalls, which are often an obstacle to clear VoIP calls. The downside to VPN? VPN isn't a practical option for calls being made within the same building. It's also not a silver bullet for VoIP security. It only protects the data from gateway to gateway. Once calls are on your LAN, you'll need an additional means of protection.
No matter what you choose, the reality is that with the increased usage of VoIP, there will be increased predation on users. Therefore, security is now less of a luxury and more of a necessary component of your VoIP network. Even if your calls usually just include chit chat about the latest reality TV show or what you're having for dinner, you deserve to be protected from intrusions on your privacy. Look into security for your VoIP before it ever becomes an issue. You'll be glad you did.