Securing VoIP - a framework to mitigate or manage risks
School of Computer and Information Science, Edith Cowan University
Place of Publication
Perth, Western Australia
Computing, Health and Science
School of Computer and Information Science, Centre for Security Research
In Australia, the past few years have seen Voice over IP (VoIP) move from a niche communications medium used by organisations with the appropriate infrastructure and capabilities to a technology that is available to any one with a good broadband connection. Driven by low cost and no cost phone calls, easy to use VoIP clients and increasingly reliable connections, VoIP is replacing the Public Switch Telephone Network (PSTN) in a growing number of households. VoIP adoption appears to be following a similar path to early Internet adoption, namely little awareness by users of the security implications. Lack of concern about security by VoIP users is probably due to the relatively risk free service provided by the PSTN. However, VoIP applications use the Internet as their communications medium and therefore the risk profile is significantly different to the PSTN. This paper reviews the risks for two VoIP implementation models now being increasingly used in Australian homes; the PC softphone and the Analogue Telephony Adaptor (ATA). An overview of each of the VoIP implementation models is given together with a description of the respective technologies and protocols utilised. The VoIP security threats, applicable to the two VoIP implementation models considered, are enumerated and vulnerabilities that could be exploited are considered. Available security mechanisms that address the identified vulnerabilities are discussed. A practical and pragmatic VoIP security framework is proposed that will enable a user to mitigate or manage the risks associated with using the VoIP implementation models considered. By applying the VoIP security framework a user will be able to deploy a secure VoIP solution appropriate for residential use.