There is a slow but sure increase in the extent of deployment of IP Telephony. An increasing number of organizations are deploying IP Telephony over their existing IP networks. There is significant adoption of services like Skype, Gtalk and Yahoo Messenger for voice and video calling. A large number of people make international calls using a service like Skype from their mobile phones, potentially reducing the telco to a data-pipe provider rather than a voice carrier. While IP-Telephony might offer compelling benefits, there are some security issues to consider and deal with.
1. Eavesdropping on conversations:
If an attacker is able to intercept VoIP packets then that attacker will be able to listen to the voice carried in those packets. Eavesdropping can be mitigated by two methods
a). Network Segmentation: In this method the data and voice traffic is segmented in such a way that devices on the data network cannot access the data on the voice network and vice-versa. Theoretically if a switched L2 (often Ethernet in the wired world) is being used, it is hard to sniff traffic on the entire LAN segment. If the L2 fabric supports VLANs then this can be used to segregate the voice and data traffic. While this approach might look appealing, there are ways to circumvent segmentation that do not require very high sophistication. Also if the traffic is being routed between LAN segments, it may be difficult to ensure end-to-end voice and data traffic segregation. Therefore by itself, network segmentation has limited value in preventing eavesdropping.
b). Encryption: The VoIP packets can be encrypted. Typical deployments of IPSec type encryption operate at a gateway-to-gateway level. This may be fine in a situation where the source and destination LAN segments have good segregation, but will not be effective if network segmentation cannot be ensured. In that case the encryption must be phone-to-phone. Not all phones can support encryption on the device.
a). Proprietary call control: There is not a lot of standardization in the call control protocols and implementation of features in IP telephony. There are a number of proprietary protocols in use and each might have its own vulnerabilities.
b). Server and Application Vulnerabilities: A telephony server is subject to the same type of attacks and may suffer the same type of vulnerabilities that any type of server does. All the standard hardening, intrusion protection and vulnerability management practices that are relevant to any application running on any server are relevant in this scenario also.