As voice over IP (VoIP) installations evolve from PBX trunking over private data networks to IP telephony (IPT)-based solutions that, in some cases, incorporate public networks, it becomes increasingly important to recognize and address the associated security issues. The risks and threats to enterprises deploying IP telephony are very real, and although few incidents have been reported in public, their number is expected to grow as IP telephony deployments increase in number and size. Unless protective security measures are taken, the enterprise will be left open to privacy violations, fraud, and malicious attacks.
To mitigate these threats appropriately, the actual risks must be identified and mapped to a security framework. This framework can then be used to establish the security requirements that products must meet to obtain an appropriate level of security for the IPT solution. However, since IP telephony is a service that enables direct communication between end-user IP phones throughout an enterprise, it is critical that security measures allow this type of peer-to-peer traffic flow while protecting the telephony service. The telephony service is a convergence of the enterprise voice and data infrastructure, so it is critical that a security strategy be implemented enterprise-wide, within the enterprise-wide security framework. These measures must be taken as VoIP projects are planned and executed; if they are properly implemented, most risks can be adequately mitigated.