It is normal, when choosing a technology, equipment or telephony for our company, that we ask ourselves a series of questions and that we don’t want to make any mistakes. And the security of IP telephony is a very important question that we are going to analyse today; is it really safe?
IP telephony or traditional telephony?
IP telephony works through the Internet and that is why many people are suspicious of its security compared to traditional telephony. But traditional calls are no more difficult to locate or listen to than calls over networks and interconnections. In fact, it is more difficult to spy on a VoIP call because the data is encrypted.
This distrust results from the little information we have access to about the internet and how this type of telephony really works. If voice travels over the internet, then it must travel over a public network. This is the first myth that people fall into. There are free systems that can allow voice to travel over a public network, but if your company chooses IP telephony, a private network will be used for the calls made. A private network is not totally inaccessible, but it is much more secure, as to locate and listen to calls you would need to get administrator access to the network equipment. Having a Virtual Private Network (VPN) means a fairly high level of isolation and security against any external attack.
For this reason, an important factor when implementing IP telephony in a company is the training of personnel on security risks. Informing and educating employees to avoid the misuse of this technology can prevent future external attacks.
The security of IP telephony presents more benefits compared to traditional telephony, even if there are risks when using it.
The risks of IP telephony
We will look at some examples of what could be risks when using this technology, and thus analyse the security of IP telephony in greater depth:
- A common network : in the case of IP telephony there is only one common network through which both data and voice travel. This allows more flexibility, but is also dangerous when integrating voice data if no security measures are taken. This is why there are protocols (such as SIP) for initiating, modifying and terminating sessions to maintain control and you can install additional security measures or systems too.
- Global attacks : when attacking the network, if the company does not have a good security system, it can end up attacking other levels of the company as well, accessing customer or supplier information. Although this has an easy solution if a specific security system is used for voice data.
- Identity theft : the legitimate registration of the user is disabled; this is possible as the signalling messages are sent in a plain text and therefore the intruder can locate, modify and send them as he wishes. Furthermore, although authentication is required, the intruder can hack into the account and obtain the user’s password. Although fortunately this is a risk that can be prevented relatively easily; we must have a strong password, keep our computer free of malware, even activate the account in two or more steps, etc.
The security of IP telephony
Although it can be attacked from outside, the security of IP telephony can be ensured. There are a number of security controls that must be in place and also measures that can reduce most risks and external attacks.
- Keep systems updated: there must be a control of the systems, and the network administrator must be aware of new updates and their applications on these systems.
- Have a secure network infrastructure: It is recommended these anti-virus programs on the network so they can protect it against possible external attacks. Many attacks can be detected thanks to the installation of detection and prevention systems such as IDS (Intrusion Detection System) and IPS (Intrusion Prevention System). These systems examine and analyse packages in search of suspicious data.
- Authentication, authorisation and encryption: as mentioned above, it is advisable to configure the devices so that they use more than one step when activating the account. And the devices could also have a limitation of the IP addresses from which they can receive traffic. Correct configuration can greatly reduce external attacks. Encryption can solve most problems of manipulation and playback of messages being exchanged.
- The Secure Real-time Transport Protocol (or SRTP) : a profile that provides authentication and protection when sending data. Using this type of profile as additional security is highly recommended and you can enable or disable the protocols it presents, so you can customize the encryption and profile settings to suit your needs.
The security of IP telephony is an important issue that can generate many doubts, but to which you should give a lot of importance. IP telephony is not infallible but with the right training and up-to-date systems it should not be a cause for concern to anyone.
IP telephony and WebRTC
Web Real Time Communication (WebRTC) is an open standard that provides VoIP features to websites. When a company decides on IP telephony, and has communication systems such as the virtual PBX or call center, if it chooses WebRTC it can use browsers such as Chrome to communicate (calls, messaging, video conferences…) without the need for plugins or external devices.
In other words, WebRTC is an easy way to get a VoIP communication system through the web. So, what can we expect from the security of IP telephony in this case?
What kind of security does WebRTC offer?
In the case of WebRTC, data transmission is carried out via the SRTP (Secure Real-Time Transport Protocol) so communication is direct, browser to browser and does not require a streaming server. In addition, the same browsers include security patches that are usually updated periodically.
The fact that this technology does not use hardware components or software applications means one less risk to worry about. Every new external application or hardware is a door that opens for hackers. Without these external systems, web technology is more secure than any other communication system that does need them.
Secure encryption is also guaranteed with WebRTC through DTLS (Datagram Transport Layer Security) protocols that provide privacy.
Therefore, the security of IP telephony is unquestionably improved when applied with a technology such as WebRTC that provides flexibility, quality and speed.