While network data security typically refers to data packets, the proliferation of Voice over IP (VoIP) technology in the workplace calls for a closer examination of the packets of phone conversations traversing the business infrastructure. Conversations between higher-level employees and outside entities must be secured from lower-level employees and outside parties. Without creating and enforcing strict VoIP network security policies, businesses run the risk of having conversations recorded or tapped.
VoIP takes a standard telephone call, converts the analog voice signal into digital packets and transmits the packets over the internal network infrastructure in the same way all other data is transmitted. While there are many different types of VoIP (MGCP, SIP, H.323) with many different encoding and decoding options, they all follow the same principles of transmitting conversations.
In typical small- and medium-sized businesses (SMBs), network data security plans do not include specific protection for VoIP packets. Many SMBs do not understand that their communications are highly susceptible to being recorded or tapped by lower-level employees. An employee may do this out of curiosity about the company’s current state, to search for information about higher-level employees, or in the hope of finding other useful information in the communications. Tools that enable an employee to record, tap or join a call in progress are free and available on the Internet, making it easy to gather sensitive information.
The most common VoIP security breach is done through recording. When a call is converted into packets and sent across the network, the employee can create a “packet capture” – essentially record the data stream over the network to a stored file on his or her own computer. The user is able to replay the information as voice playback and listen to both sides of the conversation. He or she then has a stored file of the entire phone call and the opportunity to hear all of the information discussed on the call.
Fortunately, there are many ways to police an employee’s ability to record voice streams. One key way to prevent this is to divide voice and data communications into Virtual Local Area Networks (VLANs). This practice separates the nodes on a network into voice endpoints (VLAN1 – telephones) and data endpoints (VLAN2 – computers). When the separation is configured properly, computers cannot see the traffic streaming between telephones, so a packet capture on a computer cannot record it.
This solution has a second benefit, which is often greater than security. Implementing VLANs also enables your business to enforce rules across the network to ensure that voice packets are transmitted at a higher priority than data packets, removing echo and choppiness from phone conversations.
The second way of snooping for information contained in VoIP calls is through “tapping” – adding oneself to the call or otherwise accessing the phone call while it is happening. In some VoIP environments, a tool called “Listen In” brings the audio of the conversation to the phone of the employee who presses the button. However, neither party on the phone is notified of the call tap, and the employee cannot be heard on the call. In most cases, this feature can be disabled or assigned only to users who have permission, but SMB operators need to know if this feature exists on their VoIP systems and also how to disable it.
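The voice/data VLAN split described above can be checked against a switch port inventory. The following Python sketch is an added example, not part of the original article; the CSV layout, port names and device labels are constructed assumptions, and the VLAN IDs 1 and 2 follow the article's labels.

```python
import csv
import io

VOICE_VLAN = 1  # article's label: VLAN1 = telephones
DATA_VLAN = 2   # article's label: VLAN2 = computers

# Constructed inventory in a hypothetical CSV layout (not a real switch export).
# "vlans" lists every VLAN the port carries, separated by ";".
SAMPLE = """port,device,mode,vlans
Gi0/1,phone,access,1
Gi0/2,computer,access,2
Gi0/3,computer,access,1
Gi0/4,computer,trunk,1;2
Gi0/5,phone,access,2
Gi0/6,uplink,trunk,1;2
"""

def audit(inventory_csv):
    """Return (port, reason) for every port that breaks the voice/data split."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        port, device = row["port"], row["device"]
        vlans = {int(v) for v in row["vlans"].split(";") if v}
        if device == "computer":
            # A computer on a port carrying the voice VLAN can see phone traffic.
            if VOICE_VLAN in vlans:
                findings.append((port, "computer port carries the voice VLAN"))
        elif device == "phone":
            # A phone must sit only in the voice VLAN to stay out of reach
            # of packet captures run from the data VLAN.
            if vlans != {VOICE_VLAN}:
                findings.append((port, "phone is not isolated in the voice VLAN"))
        elif device != "uplink":
            # Unclassified endpoints cannot be placed safely; review by hand.
            findings.append((port, "unknown device type, review manually"))
    return findings

if __name__ == "__main__":
    for port, reason in audit(SAMPLE):
        print(f"{port}: {reason}")
```

Ports that connect switches to each other (labelled `uplink` here) legitimately carry both VLANs and are skipped by the check.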
With all of the benefits of VoIP solutions, the systems are here to stay. However, as with all new technology, there are intricate pieces of VoIP solutions that need to be explained to all VoIP solution adopters, and the ability to communicate securely is paramount.