Reader Question: I’m trying to make sure that my VoIP deployment is secure. Are there VoIP specific challenges in addition to normal network security challenges?

A reader posed this question. The response is both here and in the Realtime VoIP Community forum on VoIP Security.

I’m trying to make sure that my VoIP deployment is secure. Are there VoIP specific challenges in addition to normal network security challenges?

This isn't just a great question. It's one that could stir up a lot of varied opinions. Achieving balance can be a huge challenge. We can approach this question from two very different perspectives. From the security perspective, we can evaluate the new potential risks that VoIP brings to the network. From the VoIP perspective, we must remain mindful of the impact security measures can have on VoIP call quality.

On the one hand, I'm inclined to say that network security, done thoroughly and well, encompasses all the services on the network. But the truth is that VoIP as a service introduces a new set of concerns. There are nuances associated with VoIP that have a more direct impact on service delivery than on traditional bursty data services like email or web-based applications.

VoIP, like any new service, can present a new set of risks. Implementing VoIP services involves introducing new network elements and devices into an existing environment. These can bring new protocol or application vulnerabilities as well. VoIP introduces, for many companies, a new set of protocols. Whether you choose to use H.323, SIP, SCCP (aka Skinny), or even some proprietary solution, the potential exists for vulnerabilities within the protocols themselves.

In a paper on SearchWindowsSecurity.com, entitled "Five VoIP security recommendations," Gerhard Eschelbeck from Qualys Inc. made these five simple recommendations:

  1. Make sure your network and security infrastructure, including firewalls, IDSes, VPNs, etc., are voice-optimized and capable of supporting the advanced security requirements for VoIP.
  2. Critical security vulnerabilities are being identified on a regular basis, leaving systems vulnerable for denial of service and even more severe buffer overflow attacks.
  3. Always properly secure any remote access and configuration capabilities to individual VoIP devices to eliminate any backdoors.
  4. If your VoIP traffic goes over unsecured channels, such as the Internet, use encryption technologies like IPsec tunnels to secure the VoIP traffic.
  5. Structure your network and leverage VLANs to separate voice and data devices and traffic.

These are good security guidelines, but the fifth barely addresses an area of great concern.

Call Quality, QoS and Security
There's a finely managed balance between delivering call quality and security. Almost every active security measure we deploy introduces overhead in some form. Firewalls may increase latency in the network as they perform traffic inspection and process flows through their rule set. Intrusion detection systems might be passive listeners to network traffic, but when you incorporate intrusion prevention methods, an active component is again inserted directly into the traffic flow. We call this latency nodal delay. It's important to remember that latency or delay is cumulative. It matters end to end in a VoIP call. Security measures can add to delay and reduce performance.

Careful design and testing to ensure security methods don't degrade call quality are absolutely necessary to ensure a successful VoIP deployment. If you secure the VoIP service completely, but degrade the call quality, it won't matter that it's secure because users' expectations won't be met.
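
A delay-budget sketch for the cumulative nodal delay described above, added here as an example and not taken from the original post. The 150 ms one-way target comes from ITU-T G.114 and is an assumption added here; hop names, delay values and the 512 kbps link are constructed, and the ESP sizes assume tunnel mode with AES-CBC and HMAC-SHA1-96.

```python
from dataclasses import dataclass

ONE_WAY_BUDGET_MS = 150.0   # ITU-T G.114 one-way target; added here, not from the post
G711_IP_PACKET = 200        # 160 B voice (20 ms) + 12 RTP + 8 UDP + 20 IPv4
WAN_BPS = 512_000           # constructed access-link rate

@dataclass(frozen=True)
class Hop:
    name: str
    delay_ms: float
    security: bool = False   # True when the delay exists only because of a security control

def esp_tunnel_size(inner_len, block=16, iv=16, icv=12):
    """IPv4 size after ESP tunnel mode (defaults: AES-CBC with HMAC-SHA1-96)."""
    padded = -(-(inner_len + 2) // block) * block  # +2 trailer bytes, pad to block
    return 20 + 8 + iv + padded + icv              # outer IP, ESP header, IV, data, ICV

def serialization_ms(nbytes, link_bps=WAN_BPS):
    """Time to clock nbytes onto the link, in milliseconds."""
    return nbytes * 8 * 1000 / link_bps

def call_path(secured):
    """One-way path; every delay value is constructed for illustration."""
    hops = [
        Hop("codec packetization", 20.0),
        Hop("WAN serialization", serialization_ms(G711_IP_PACKET)),
        Hop("WAN propagation and queuing", 70.0),
        Hop("receive jitter buffer", 40.0),
    ]
    if secured:
        extra = esp_tunnel_size(G711_IP_PACKET) - G711_IP_PACKET
        hops.append(Hop("ESP bytes on WAN link", serialization_ms(extra), True))
        for site in ("near", "far"):
            hops += [Hop(f"{site} IPsec gateway", 2.0, True),
                     Hop(f"{site} firewall", 3.0, True),
                     Hop(f"{site} inline IPS", 8.0, True)]
    return hops

def budget(hops):
    """Sum nodal delays end to end and compare against the one-way target."""
    total = sum(h.delay_ms for h in hops)
    sec = sum(h.delay_ms for h in hops if h.security)
    return {"total_ms": total, "security_ms": sec,
            "headroom_ms": ONE_WAY_BUDGET_MS - total,
            "within_budget": total <= ONE_WAY_BUDGET_MS}

if __name__ == "__main__":
    for secured in (False, True):
        print("secured" if secured else "baseline", budget(call_path(secured)))
```

With these constructed numbers the baseline path fits the target, while the same path with inline controls at both sites does not, which is the kind of result that design and testing need to surface before deployment.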

Balance between security and call quality is crucial for VoIP success.

I've recently written an e-book, Enterprise VoIP Security, sponsored by NetIQ. It isn't available yet, but will be very shortly. We'll certainly announce it here when it's available. There are also two very good papers available in the Realtime VoIP Community Reading Room:


Ken Camp's Bio:

Ken Camp has more than 25 years of experience in information technology. Ken spent 17 years with AT&T and Lucent Technologies successfully designing and implementing voice and data networks. He later worked in the security marketplace and played a key role in early IPSec VPN deployments. As an independent consultant, Ken's primary focal areas include network performance improvement, security practices and the design and deployment of integrated voice and data solutions. He may be contacted at: ken_camp@realtimepublishers.net
