Jim Louderback was laying down the gauntlet and challenging me, his newly minted VOIP/Telecom topic center editor, when he wrote "Security Holes Make VOIP a Risky Business." But he flings his glove upon some incorrect assumptions.
First, he appears to be mixing up the hobbyists' early adoption of Voice-over-the-Internet with the more sober, secure, and sonorous VOIP-based telephony systems that businesses now install. The former dawned about 1995 with VocalTec software you could buy in a box at CompUSA for $50, and was used primarily by technophiles speaking voice packets home to Mom in India, over the open Internet. Voice quality was choppy and delayed.
The latter—enterprise IP telephony—takes place almost exclusively over managed data networks, using leased lines, a company's own fiber on its own campus, or frame-relay connections. VOIP conversations sent as the payload of IP packets, using IP protocol, therefore should not be confused with "Voice over the Internet," which traverses the open, vulnerable medium: what Jim ends his column by calling "the dirty net." Managed WANs don't touch that dirty net.
Voice Inherits Data Nets' Security Mechanisms
The short answer to the security question is that when voice is sent as IP-encapsulated data, it relies on the same firewalls, intrusion detection systems, VPN technology, authentication and partition safeguards as data networks, and is as secure as that data.
Discussions of VOIP security also have to begin by recalibrating users' notions about voice security on traditional phone systems. There isn't much; traditional central office (CO) lines are very easy to tap, usually through enclosures outside a building or on a telephone pole. Who besides the feds and the military encrypts their voice conversations? Nobody, yet. CEOs who want to be sure they're not tapped get on planes and meet each other.
If it comes to that, both TDM (traditional, time-division multiplexed) and IP voice traffic can be encrypted, but few of us have sufficiently high-tech enemies or prized secrets to justify the expense. According to Chris King, managing partner at Principal Security Group (www.psgsite.com), the proper place to put that encryption is on the codec, in a chip in the IP phone itself or in the VOIP gateway -- wherever voice is digitized and packetized. This would avoid the latency problem of link- or network-layer encryption and add perhaps $50 to the cost of an IP phone. Cisco -- which makes the best-selling IP phone -- is not doing this yet, except for its federal government customers.