Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Live Show Report IP Telephony Security

Scott Bradner

I'm presently sitting in a session at the Next Generation Networks Conference in Boston entitled "IP Telephony Security: Threat and Countermeasures." Moderated by Scott Bradner, university security officer for Harvard University (pictured at left, Scott is a proud Macintosh user, interestingly enough), this panel session hopes to answer the following questions:

  • Is it possible for an enterprise VoIP system to be as secure as a traditional PBX system?
  • What's the best way to balance the need of VoIP services with the needs of law enforcement (wiretapping)?
  • Is it feasible to apply existing telephone industry best practices to VoIP service?
  • What regulatory and standards efforts are under way to support E911?

The panelists are:

  • Ashley Johnston, director of marketing for VoIP at Texas Instruments
  • Dr. Ramesh Lakshmi-Ratan, president of VocalTec
  • Bruce Robertson, senior manager, Network Design, CTO's Office at Nortel Networks

What follows are my notes from this session. I hope you find them helpful.


For Ashley Johnston, director of marketing for VoIP at Texas Instruments, there are four security goals for VoIP:

  • privacy
  • integrity
  • authentication
  • non-repudiation

The basic system in place now needs to secure both signaling and voice media. And all equipment may be wired or wireless. It's structured like so:

Telephony interface (circuits) --> DSP (voice/media sec) --> Micro (signal security) --> IP network --> Micro --> DSP --> land or mobile phone.

Thinking about key exchanges, when you type in a password, you'd like it to be easy. But if you do that for every system, you expose yourself quite a bit. On the other end of the scale, you use a very difficult password from IT, which you write somewhere so you won't forget it. In either case, you're in trouble. So we need a key exchange that makes sense for the application we're using. There are a few options available here:

  • Symmetric Keys
  • Public Keys
  • Hybrid Keys
  • Diffie-Helman (DH)

And for encryption, there are three types available:

  • DES/3DES
  • AES (Rinjndael)
  • Rivest Cipher (RC4)

For wireless LAN security for VoIP, the industry has evolved from WEP to WPA and now to 802.11i (the holy grail) and 802.1x.

Interesting note: Regardless of how you secure VoIP, performance is the biggest factor. Algorithms like AES takes 50 ms, Key generation takes 500 ms. An IPSec exchange takes one to five seconds on each end.


Dr. Ramesh Lakshmi-Ratan, president of VocalTec, did not want to talk about technologies and how-tos. Instead, he shared with us his "musings and personal insights of a well-worn engineer who's been trying to do this for a long time."

VoIP started at the core of what we call class-4 networks. It was just a means of transport between trusted endpoints (between telephony gateways). As VoIP migrates to the edge, you can now do amazing things like eight-way conferencing. But you can also do dangerous things from a business point of view because of a number of challenges:

  • security
  • routing
  • QoS
  • interoperability
  • billing
  • management
  • spam

Here's how security maps out for him:

  • Network security: firewalls, NAT, PAT, VPN
  • Call security: authentication and authorization, SIP
  • Transport: IPSec
  • Device security: hardening, access control
  • Customer security: billing and customer care, securing user details
  • Lawful interception
  • 1