Securing VoIP

Regis J. Bates

Published by






Reviewed by

Jim McGhie CEng, MBCS CITP


8 out of 10

The author starts with a brief history of telephony and how it has evolved to what it is today. He also explains how it has evolved from a network service using dedicated buildings, networks, signalling and cabling into a shared data and service network.

The remainder of the chapter is devoted to the reasons why attacking or eavesdropping of telephone networks might prove advantageous to a third party and exactly which assets are considered to be at risk if and when an attack takes place.

The next section looks at the need for security policies, which have emerged due to the mix of networks, suppliers and equipment that make up a Voice over IP (VoIP) network. These policies are necessary to protect and defend the VoIP system from potential risks along with an associated disaster recovery plan and the implementation of a change management process.

VoIP on virtual private networks (VPN) is considered next. The concept of a VPN, the types of VPN available and the associated advantages and disadvantages in each case are all explained.

Chapter four considers cryptography and encryption in the context of protecting a VoIP network. It only provides the reader with sufficient background and technical knowledge to engage meaningfully with suppliers when discussing security tools offered as part of a VoIP solution.

Authentication, that is the process of making sure that a person is who they claim to be, is the subject of chapter five. The use of the 802.1.X protocol used to authenticate users is considered along with other methods of securing voice services such as a VoIP firewall and encryption of the traffic and call control information. The different emergent protocols that can be employed against people attempting to attack VoIP networks and how they can be deployed are then covered.

The next chapter looks at the business case for securing VoIP. Given that most organisations are dependent upon both voice and data services to function day to day, many do not prioritise communications network security. The reasons for this are discussed in this section, which advocates the use of the guidelines contained in RFC 2196 to be used in the building of a business case for VoIP security.

The author also shows how VoIP security might be implemented in a commercial environment using a layered approach using a combination of security best practices and unique VoIP security measures. The final chapter is devoted to some thoughts on supplier issues and the overall control of security risks.

Throughout the book good use is made of illustrations to explain the more technical aspects of the subject matter and a comprehensive index is included at the back of the book. I found the book to be a well-written, varied and informative treatment of the subject. It has the potential to appeal to a wide range of business and technical readers alike. I can award the book 8 out in 10 in terms of coverage of the subject and value for money.

Further information: Syngress

February 2015