Reader Question: Can security features affect call quality? I’ve heard that some security features can add latency. Is this a concern for VoIP?
Reader Question:
Hi Ken,
Here is my question:
Can security features affect call quality? I’ve heard that some security features can add latency. Is this a concern for VoIP?
Thanks!
This is one of those really huge questions that books have been written about. At a very high level, how you implement security can directly impact call quality in a huge way.
I'm going to start by pointing to two recent blog posts here:
Reader Question: I understand that VoIP call quality is measured through metrics like delay, jitter and lost data. I've also heard of echo - where does that fit in?
Reader Question: I’m trying to make sure that my VoIP deployment is secure. Are there VoIP specific challenges in addition to normal network security challenges?
I point to those two posts because in many ways your question envelops both of them.
First we have to accept that security, in general terms, is overhead. It's something we add to the base transport of packet data. As such, security impacts performance, and call quality is one aspect of performance. To achieve total operational support, we have to balance many factors. For some people it's the simple balance of security vs. quality. That's like a scale, but reality is far more complex.
Finding balance in the network is much more like balancing the tire on a car. There are many angles and aspects to consider. For a simple management overview, I tend to use a model I call the tradeoff triangle. You have to balance performance, security and cost. If you change any of those, the other two also change.
Let's take firewalls as an example. When you inspect packets in a firewall, you add latency or delay. We often call this nodal delay. If you think of the firewall as a node in the network, through which traffic must be processed, just inserting a firewall adds delay. Firewalls operate through a rules engine that inspects each packet and compares it to a set of rules. This takes time, and delays processing.
The same types of delays can be added by intrusion detection systems, antivirus engines and any number of security measures. The trick is to achieve the best possible security without degrading VoIP services.
To achieve this balance, it's important to perform a solid network readiness assessment test. You need to evaluate your requirements, your network, and the ability to meet those requirements. This is all part of the design phase of building your VoIP service. Then you have to test your assumptions about security and call quality to ensure validity. Can your network really support VoIP services without redesign?
I'll make the bold statement that oftentimes it cannot. Far too often people deploy VoIP without assessing the readiness of the network and truly documenting requirements. VoIP requirements are too easily left assumed rather than documented and tested. This leads to poor call quality and unhappy users.
I'd like to tell you it ends there, but it doesn't. Once you've deployed VoIP, you absolutely need to perform some consistent monitoring of network performance to measure ongoing call quality. The security posture of a corporate network changes constantly. New attacks surface. Traffic patterns change. Firewall rules change. And this happens every day. Each of these impacts the call quality your users experience. Effective monitoring of a corporate environment with something like NetIQ's VoIP Management Platform or Prognosis is crucial to delivering acceptable call quality.
Perhaps the most important thing to remember is that all delay is cumulative and impacts end-to-end delay. Delay absolutely impacts call quality. So many things we do to strengthen security add delay that maintaining a balance between call quality and security is vital. That means you need to deploy the right tools: tools to monitor quality and performance, and tools to monitor security. It also means that the service delivery team who supports VoIP services will need to work closely with the network security team.
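To make the cumulative-delay point concrete, here is an added example (not part of the original post) that sums nodal delays along a call path with and without security devices and estimates the effect on call quality. The per-hop figures are constructed sample values, the 150 ms target is the ITU-T G.114 one-way guideline, and the R-factor uses the Cole-Rosenbluth approximation of the E-model with an assumed base of 93.2.

```python
# Added example: cumulative one-way delay budget for a VoIP path.
# All per-hop delays below are constructed sample values in milliseconds.
G114_TARGET_MS = 150.0  # ITU-T G.114 one-way delay guideline

BASE_PATH = [
    ("codec and packetization", 25.0),
    ("jitter buffer", 40.0),
    ("LAN switching", 2.0),
    ("WAN propagation and queuing", 60.0),
]
SECURITY_HOPS = [
    ("firewall rule inspection, site A", 3.0),
    ("inline intrusion detection", 8.0),
    ("antivirus engine", 10.0),
    ("firewall rule inspection, site B", 3.0),
]

def one_way_delay(hops):
    """Nodal delays add up: end-to-end delay is the sum over every hop."""
    return sum(ms for _, ms in hops)

def r_factor(delay_ms, base_r=93.2):
    """Delay-only R-factor using the Cole-Rosenbluth approximation.
    base_r is an assumed default; codec and loss impairments are ignored."""
    impairment = 0.024 * delay_ms
    if delay_ms > 177.3:  # past this knee, delay hurts much faster
        impairment += 0.11 * (delay_ms - 177.3)
    return base_r - impairment

def mos(r):
    """Map an R-factor to an estimated Mean Opinion Score (1.0 to 4.5)."""
    if r <= 0:
        return 1.0
    if r >= 100:
        return 4.5
    return 1 + 0.035 * r + 7e-6 * r * (r - 60) * (100 - r)

def assess(hops):
    total = one_way_delay(hops)
    r = r_factor(total)
    return {"total_ms": total, "headroom_ms": G114_TARGET_MS - total,
            "within_budget": total <= G114_TARGET_MS,
            "r_factor": r, "mos": mos(r)}

if __name__ == "__main__":
    for label, hops in (("without security", BASE_PATH),
                        ("with security", BASE_PATH + SECURITY_HOPS)):
        print(label, assess(hops))
```

With these sample figures the base path has 23 ms of headroom and the four security hops consume 24 ms, which is the kind of result a readiness assessment should surface before deployment.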
VoIP is unlike email. It's an end-to-end service that requires care and attention to assure appropriate call quality. But, when managed well, it brings values in cost savings and efficiency that far outweigh the labor effort. It really needs to be viewed from a holistic approach as a total service.
Comments
Matthew Gast (the author of O'Reilly's "T1: A Survival Guide" and "802.11 Wireless Networks: The Definitive Guide") just wrote an interesting post over on our new ETel site that examines the findings of a recent article claiming that doing VoIP over SSL VPN connections actually improves call quality!
Posted by: Bruce Stewart | March 17, 2006 9:23 AM
Thanks Bruce for reminding me about Matthew's article. I've been bouncing between his and Joel's testing writeup last night and this morning. Another post to follow.
Posted by: Ken Camp | March 17, 2006 10:01 AM