July 28th, 2005 by Chandler Howell

A couple of guys over at NetworkWorld pondered the question of How much encryption is ‘enough’ for VoIP? back in June:

“In fact, we’ll argue here that if anything, there is too much encryption of VoIP traffic. Why? It’s easy to encrypt IP traffic using techniques like IPSec and SSL, so any IP-based traffic - like VoIP - can be encrypted with minimal effort. In fact, many free or almost-free VoIP applications even encrypt traffic by default. Our concern here is that this readily available encryption makes lawful and appropriate monitoring of traffic for national security and law enforcement much more difficult than it should be.”

(emphasis mine)

That’s the same thing as saying, “We shouldn’t wear bulletproof vests in case the police decide they need to shoot us.”

Their core argument is, basically, that you never had crypto before, therefore you must not need it now, especially since it might be inconvenient to anyone who actually wanted to eavesdrop on your calls. Umm…Earth to NetworkWorld…that’s the whole point of encrypting: if they have to eavesdrop rather than just being able to ask me about it, then I don’t want them to know! And the risk of Bad Things happening to me or my Right to Privacy due to abusive use of eavesdropping far outweighs any potential, amorphous benefit that Law Enforcement will potentially gain by being able to easily spy on my voice traffic.

In a corporate setting, deliberately avoiding a safeguard, especially one that is on by default (as is the case with many consumer VoIP implementations), on the off chance that someone might “need” to intercept (attack) your voice traffic is absurd.

To make matters worse, if your employer suffered any sort of significant incident after explicitly disabling a safeguard, you’re looking at a world of hurt, which will probably start with unemployment and could possibly go as far as a civil negligence case if the company winds up in the press and feels the need to “look tough.”

While I wouldn’t go so far as to call the PSTN a well-manicured neighborhood, I still prefer Phil Zimmermann’s (creator of PGP) assessment of the situation in a recent Wired article about his new encrypted VoIP start-up:

“The PSTN is like a well-manicured neighborhood, (while) the internet is like a crime-ridden slum,” Zimmermann said. “To move all of our phone calls from the PSTN to the internet seems foolish without protecting it.”

I tend to agree with the person who wrote in to NetworkWorld (no link, unfortunately) about the original article and said:

“My view is that VoIP is in fact ‘inherently unsecure’ because so many people have access to the LAN infrastructure before it goes across the WAN.”

My approach to VoIP security has been to start from a similar assumption. It is inevitable that some risks must be accepted in the course of a deployment. What I’ve done, though, is look at the currently understood threats within the context of our environment and provide recommendations to mitigate the risks which are either cheaply and easily mitigated (like encrypting calls for certain key staff members) or which are significant, like the loss or unavailability of some or all of the VoIP infrastructure.

Network integrity and Layer 2 security top my list as being essential to ensuring Availability and QoS as well as reducing the risk of eavesdropping. I’m much more concerned about someone or something, either accidentally or deliberately, taking down the VoIP infrastructure with a worm, an exploit, or a poorly implemented third-party tool or device than anything else. If we can secure the integrity of the switch fabric, the nature of switched Ethernet will mitigate against many of the currently identified network attack vectors as well as many other yet-unknown threats.

In certain situations, however, where privileged conversations may reasonably take place with some frequency, such as between senior staff, Legal or HR, enabling call encryption seems a reasonable precaution, given that most of these people will probably already have the capable hardware (nicer handsets which coincidentally also have the CPU power to do encryption). It simply becomes a matter of enabling it in those cases and accounting for the incremental memory and CPU increases on the VoIP servers.

This approach gives us redundant security in the places where a breach would have the greatest impact, provides some degree of future-proofing against vulnerabilities we are not currently aware of, and costs very little to implement.

A note: There’s a lot more to securing VoIP than just what I’ve listed here, but there are plenty of places you can look for more information.

- Posted in Security and Risk Management, Risk Management, Network Security, VoIP