10.2. Security for IP Telephony
IP telephony security boils down to three risk factorsthe application, the network operating systems, and the infrastructure. Secure these, and you secure the VoIP network. Here are the most common types of security risks to data networks today:
In the world of convergence, access control, call-accounting, and telephony features are aspects of the same extensible network. Depending on whether your IP telephony applications come from the phone company or from the local softPBX, your ability to control and customize them varies. If you've chosen a VoIP technology that is open and standards-based, like VOCAL or Asterisk, you can build exacting security policies, precise call-accounting and logging systems, and limitless authentication features.
Supporting the telephony application is a network operating systemusually Linux, FreeBSD, or Windowsthat has its own security concerns. Anybody who's run an Internet server for even a short time knows the importance of hardening the network operating system against viruses, security exploits, and bug-ridden software agents .
Finally, the network infrastructurethe protocols and connectivity equipmenthas a set of security issues that must be addressed. This can mean establishing policies for network access via firewalls or authenticating VoIP devices as they attempt to communicate. This also means auditing network traffic, discouraging network intrusion, and promoting privacy.
The application, the operating systems, and the network infrastructure each have many layers of security features and provisions. Like QoS systems, you may not use them all. As a VoIP network maintainer, your security duties will boil down into three categories: access control, software maintenance, and intrusion prevention.