VoIP can be made secure for business purposes

Published 21 November 2007

Many companies have security worries about VoIP, so they decide not to implement the technology even though it has many cost advantages over traditional telephony, Cisco’s Eric Vyncke argues that with proper attention and maintenance, VoIP can be made secure enough even for business purposes; A combination of secure switches, firewalls, and secure devices will not produce 100 percent security, but it can approach 99.9 percent,” he said

VoIP is becoming more and more popular for both business and residential uses. This is why Eric Vyncke made headlines in October 2007 when he told an audience at RSA Conference Europe 2007 that “nearly nobody” is deploying secure VoIP — even while acknowledging, in a separate interview, that there have been deployments of hundreds or thousands of VoIP phones at a time during the past five years. Vyncke should know: a distinguished engineer at Cisco Systems, and the author of the book LAN Switch Security: What Hackers Know About Your Switches. The question left unanswered by the journalistic coverage of Vyncke’s RSA Conference presentation was whether he thinks that VoIP can not be secured or whether he believes that businesses are not taking the necessary precautions. Paul Kretowski writes in VoIP News that a closer look makes it clear that Vyncke was asking VoIP users to think about their deployments and use available techniques and tools to secure them. His remarks should be regarded as a wake-up call rather than a fire alarm. Here are some security considerations, therefore, which come up in VoIP deployments, along with ways to make those deployments more secure.

There are two problems with VoIP today, Vyncke told security experts in London. First, many companies have shied away from deploying VoIP at all because of past security concerns. These problems have largely been solved, but Vyncke’s second point is that you should not just buy a VoIP product, turn it on, and forget about it — and still expect it to be secure. During an interview at the conference, Vyncke told ZDNet, “When people deploy [VoIP], they don’t deploy it in a secure way. What they’ve done is securing the network itself, which is a pretty good step, by using specific tracing to Layer 2 switches, preventing attacks like app spoofing. But [VoIP] telephony itself can be secured by encryption, authentication