VoIP Security - Could Someone be Listening In?

The question of VoIP security often comes up on various VoIP forums, and it's a good one. Could someone be listening to your conversation? While it's theoretically possible, here are a few security tips that will help keep your network secure. The first thing we'd like to point out is that VoIP can actually be much easier to secure than traditional telephone service! Most people are unaware that POTS lines are often very easy to tap. The demarc (the point at which the telephone company's network ends and your home wiring begins) is often mounted on the outside wall of a house, at ground level. A small FM transmitter could be attached in a matter of seconds. Even if your demarc is mounted inside, the wires have to come from somewhere, and are often still attached to the home at ground level, or obscured by trees. For this same reason, if you are concerned about security, you may wish to avoid distributing VoIP throughout your home by way of an outdoor-mounted demarc. The second thing we'd like to mention are a few security tips. Since VoIP runs over IP networks, simple network security rules apply. Let's start with one we were recently surprised to discover is overlooked by a great deal of VoIP users. Use extreme caution when placing your VoIP device in DMZ. If you're doing it for very brief periods for testing, that will likely not be a problem, but this can expose your VoIP device's configuration to anyone. The easiest way to secure your VoIP device is to place it behind a "restricted cone NAT" router with no port forwarding. If your VoIP provider handles NAT properly, this will work, and nobody but you and your VoIP provider will know that your VoIP device even exists. If you have a wireless router, use encryption such as WPA. The older WEP encryption is not as good as WPA and can be cracked relatively easily. Once someone is able to access your wireless network they can tap VoIP calls in a variety of ways, such as spoofing a configuration file, changing the SIP server to one they control, or configuring your router to send copies of VoIP data to them. We rarely advocate replacing working hardware, but if any of your equipment only supports WEP, you should replace it. Or, better still, don't use wireless. (Mango's personal opinion here.) If you do not use wireless or your wireless router is secure, it becomes harder to access your network. For most people, a hacker physically entering their home and accessing their network is relatively unlikely. The next weak point in the network are the computers connected to it. A user could be enticed to install software that would allow the hacker control of the user's computer, and thus access to the network. Be sure to keep your antivirus software up to date and use common sense when opening email attachments and installing software. Finally, you should also set relatively strong passwords for both your router's and your VoIP devices' administration. If your network is secure, this will theoretically not be necessary, but it is good defense against "Oops!" situations. While very few methods of communication are completely secure, basic network security practices will provide more than ample levels of security for the average residential or small business VoIP customer.