Secure Your Internet Phone


Now that I have scared you into rethinking Internet phones, let's look at some ways to protect yourself against some of the attacks that threaten your phones. In this section, I show you steps you can take to secure your Internet connection and your phone service.

Analyze the risks

Who are you talking to, and what are you saying? If the worst thing that passes your lips is some juicy gossip about a neighbor, chances are that VoIP security is fine for your needs. If, however, you deal with corporate trade secrets or nuclear launch codes, you will probably want something with a little more heft.

Like a shoe phone.

Let's put this in perspective. Standard phones can be tapped. Older cellular phones could be eavesdropped on (much to the chagrin of certain royal highnesses). The advent of personal communications service (PCS) technology made cellular communications much more secure but still not impenetrable. If you are comfortable with standard phones and cellular phones, feel safe with VoIP.

Use a gateway

One way to increase security, not only for VoIP calling but also for all Internet communications, is to use a gateway that includes firewall functionality (Figure 7.4). Available from your local big-box electronics retailer or online from many merchants, these devices (manufactured by Linksys, Netgear, D-Link, and others) do a very good job of providing basic network protection.

Figure 7.4. The Netgear WGR614 wireless broadband gateway includes a firewall and parental-control features.


Network Address Translation (NAT)

The Internet gateway uses network address translation (NAT) to enable multiple connected internal devices to share your Internet connection. By using only one public Internet address, your attack surface (the portion of your network exposed to attack) is dramatically reduced.

NAT tracks all outbound and inbound communications, and ensures that the correct traffic is routed to each device on your network. As long as these devices are compatible with NAT, you should have no problems setting up this feature of your gateway.

Firewalls

Most gateways include firewall functionality to protect your network further. With a firewall, inbound communications must be in response to established outbound requests, or they will not be allowed to enter your network. Attempts to break in are silently discarded.

If you host services behind the firewall that rely on inbound traffic to initiate the connection (such as a Web site or a game server), you can manually designate open ports and the internal system that is to receive connection attempts on these ports. This method, called port forwarding, ensures that no unauthorized traffic enters your network. The internal system that receives the traffic needs to be monitored for unauthorized access attempts, however, and you should check frequently to be sure that the shared application on this system does not have any known vulnerabilities that have not been fixed. You can do this by checking frequently with the manufacturer of the application.
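
The NAT and firewall behavior described above can be modeled in a few lines. This is an added example, not code from the book or from any gateway vendor; the addresses are constructed (documentation ranges), the class and function names are hypothetical, and the matching rule is a simplification of what real gateways do.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed: the gateway's single public address

@dataclass
class Gateway:
    public_ip: str
    next_port: int = 40000
    # public_port -> (internal_ip, internal_port, remote_ip, remote_port)
    nat: dict = field(default_factory=dict)
    # public_port -> (internal_ip, internal_port), set by the owner
    forwards: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internal device opens a flow: rewrite the source, remember the state."""
        pub_port = self.next_port
        self.next_port += 1
        self.nat[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def forward(self, public_port, int_ip, int_port):
        """Port forwarding: manually open one port to one internal system."""
        self.forwards[public_port] = (int_ip, int_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Return the internal (ip, port) to deliver to, or None (silently dropped)."""
        entry = self.nat.get(dst_port)
        if entry and entry[2:] == (src_ip, src_port):
            return entry[:2]                # reply to an established outbound request
        if dst_port in self.forwards:
            return self.forwards[dst_port]  # forwarded port: any sender is accepted
        return None

def demo():
    gw = Gateway(PUBLIC_IP)
    # The telephone adapter (TA) contacts its provider (constructed addresses).
    _, pub_port, _, _ = gw.outbound("192.168.1.20", 5060, "198.51.100.5", 5060)
    results = {
        "reply": gw.inbound("198.51.100.5", 5060, pub_port),
        "stranger_on_ta_port": gw.inbound("192.0.2.66", 5060, pub_port),
        "unsolicited": gw.inbound("192.0.2.66", 4444, 80),
    }
    gw.forward(80, "192.168.1.30", 8080)    # owner hosts a Web site internally
    results["forwarded"] = gw.inbound("192.0.2.66", 4444, 80)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20} -> {outcome}")
```

The last case is why the forwarded system needs monitoring and patching: once a port is forwarded, the gateway delivers traffic from any sender to that internal system.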

Web Access Monitoring and Parental Controls

The ability to monitor Web site requests and prevent access to objectionable content is included with many gateway devices. If you have small children, it is helpful to use these features to ensure that your youngsters don't accidentally wind up someplace scary.

Parental controls work by blocking access to objectionable sites. Block lists are updated frequently as new sites are discovered.

Secure your wireless network

If you brought home a wireless network gateway and plugged it in without setting up security, chances are that your neighbor kid has been enjoying free broadband for some time now.

By enabling wireless security protocols, you make it more difficult to see into your network, not only for the neighborhood kids but also for anyone who happens to drive by. These protocols extend protection to your VoIP calls by ensuring that the local IP address for your TA is not known or visible to anyone who attempts to crack it.

All wireless gateways include some encryption features. If you purchased your gateway in 2005 or later, chances are that it can even stop someone from breaking the encryption. If this discussion has you heading to the store to get a new one, be sure that it supports 802.11i/WPA2 wireless encryption.

Use encryption for direct calls

Services like those provided by Vonage and BroadVoice use devices on the provider's network called session controllers to manage call processing. Having known endpoints for the Internet phone communication provides some assurance that you are connecting with your VoIP provider's networks. If you choose a service that directly connects users to one another, such as Free World Dialup (FWD), you need to be more careful. You may even want to encrypt your communication when using these services, because you have no idea what Internet backwaters your traffic might pass through on its way to your acquaintance. Some services have their own encryption. The Skype softphone includes its own proprietary encryption to protect the contents of your call from others.

If you are using direct calling services like these, there is no reason you cannot use additional security measures such as Internet Protocol Security (IPSec) encryption to create a virtual private network (VPN) to protect your call. When using these methods, you'll need to configure both ends of the communication. VPN connection endpoint capabilities are available as features of some Internet gateway devices. The manufacturer instructions explain how to set up and configure these features.

Avoiding SPIT

Folks who see black helicopters warn that VoIP systems might in the future be subject to spam-style attacks by mass marketers. Called Spam over Internet Telephony (SPIT), this technology would lead to mass placement of advertising directly in subscribers' voice-mail boxes.

Although many providers steadfastly claim that this is not possible with their networks, theorists hold that it may yet come to pass. Whether this happens remains to be seen.

If you receive unsolicited calls, ask to be placed on the caller's Do Not Call list. Better yet, subscribe to the National Do Not Call Registry at www.donotcall.gov. If you receive messages that arrive without the phone's ringing at all, notify your provider. The provider will know whether the caller attempted to call when your phone was not available and can initiate an investigation into the possibility of a SPIT attack.

That's Great, but What is Spam?

Spam is mass unsolicited e-mailings that clutter inboxes with offers for pharmaceuticals, get-rich-quick schemes, and physique-enhancing compounds of all types. Although spam has been classified as illegal in the United States, it is extremely hard to locate the senders of these messages, and enough people fall for the claims to make it profitable for the spam purveyors.

Many tools are available to combat spam. A quick Google search for "SpyBot Search and Destroy" will find one of the best.




Fire the Phone Company. A Handy Guide to Voice over IP
ISBN: 0321384865
EAN: 2147483647
Year: 2004
Pages: 94
Authors: David Field
