Thursday, March 1, 2007

This Isn't Your Father's Phone

As I mentioned previously, I started blogging after being a guest on the "2 Guys Named Joe" podcast (http://twoguysnamedjoe.libsyn.com/).

Recently I was invited back to discuss VoIP, AKA Voice over IP (http://www.answers.com/main/ntquery?s=voip&gwp=13), for their current podcast, 2gnj Episode 30: Ed Wants VOIP (http://twoguysnamedjoe.libsyn.com/index.php?post_id=185540).

I really enjoy doing the podcasts and decided I'd do a follow-up blog entry on VoIP security.

The Basics:

First, one basic non-security fact: VoIP requires broadband (http://www.answers.com/main/ntquery?s=broadband&ff=1), which roughly translates into DSL, cable or FiOS (http://www.answers.com/main/ntquery?s=fios&gwp=13).

Second, anyone who is using a broadband connection should be running a hardware router/firewall. These devices are under $100, and considering the cost of broadband at $30-$50 a month, they are well worth it.

Location, location, location:

Just like in real estate, location matters. For security reasons you should place the phone adapter behind your firewall.

I have seen many recommendations and diagrams for placing it in front of the firewall. This has only one goal, which is to prevent calls to the helpdesk. This is good for your VoIP provider, but not for you.

The best thing for the VoIP customer is to give the phone adapter a static IP address, or use the MAC address (http://www.answers.com/main/ntquery?s=mac+address&gwp=13) to have your router always provide the same IP address to your phone adapter. Then have your router forward UDP ports 5060-5061 to your phone adapter's IP address.

In The Clear

Everything you say can be heard by anyone...

Just like a regular phone, everything you say is transmitted in the clear, meaning it is understandable to anyone with the right tools. When it comes to old-fashioned phones, there are wiretaps and good old standard thunderbirds (these are used for troubleshooting and allow the user to listen in on a phone call). To be able to protect your conversation you would need to purchase a special phone, and the person you call would need one as well.

With VoIP there seems to be a viable, inexpensive option: Zfone (http://zfoneproject.com/getstarted.html).

Zfone was created by the same man who created PGP, Phil Zimmermann (http://zfoneproject.com/aboutphil.html). As is to be expected, both users have to use Zfone for it to work. Presently it only works with "soft phones," such as x-lite (http://www.xten.com/index.php?menu=X-Series), because the currently available implementations run on the same computer. Additionally, there is a Software Development Kit (SDK) available on the site.


Zfone utilizes ZRTP, which has been submitted for acceptance as a standard (http://zfoneproject.com/zrtp_ietf.html); that will allow its inclusion in any VoIP product.

ZRTP is an extension to Real-time Transport Protocol (RTP) which describes a method of Diffie-Hellman key agreement for Secure Real-time Transport Protocol (SRTP). It was submitted to the IETF by Phil Zimmermann, Jon Callas and Alan Johnston on 5 March 2006.
- http://en.wikipedia.org/wiki/ZRTP
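
The Diffie-Hellman key agreement mentioned in the quote above, as an added example (not code from Zfone or from this post): both endpoints send only public values yet derive the same media key. It goes one step beyond the text by also deriving a short string the two callers can read to each other to notice a substituted public value. The 127-bit toy group, the labels and every function name are assumptions made for illustration; this is not the ZRTP wire format.

```python
import hashlib
import hmac
import secrets

# Toy group, for illustration only: P = 2**127 - 1 is prime but far too small
# (and too structured) for real use. Deployed DH uses much larger groups.
P = 2**127 - 1
G = 3

def new_private():
    """Random private exponent in [2, P-2]; never leaves the endpoint."""
    return secrets.randbelow(P - 3) + 2

def public_value(priv):
    """The only value an endpoint sends over the network."""
    return pow(G, priv, P)

def shared_secret(my_priv, their_pub):
    """Combine my private exponent with the peer's public value."""
    if not 1 < their_pub < P - 1:
        # 0, 1 and P-1 would force a predictable secret, so refuse them.
        raise ValueError("degenerate public value")
    return pow(their_pub, my_priv, P).to_bytes(16, "big")

def _derive(secret, label):
    return hmac.new(secret, label, hashlib.sha256).digest()

def media_key(secret):
    """128-bit key for encrypting the voice stream (label is made up)."""
    return _derive(secret, b"example media key")[:16]

def short_auth_string(secret):
    """Four hex digits the callers read to each other and compare."""
    return _derive(secret, b"example auth string")[:2].hex()

if __name__ == "__main__":
    alice, bob = new_private(), new_private()
    # Each side combines its own private value with the peer's public value.
    s_alice = shared_secret(alice, public_value(bob))
    s_bob = shared_secret(bob, public_value(alice))
    print("same media key:", media_key(s_alice) == media_key(s_bob))
    print("strings to compare:", short_auth_string(s_alice), short_auth_string(s_bob))
    # If a third party swaps in its own public value on both legs, the two ends
    # compute different secrets and the spoken strings almost certainly differ.
    swapped = public_value(new_private())
    print("after substitution:", short_auth_string(shared_secret(alice, swapped)),
          short_auth_string(shared_secret(bob, swapped)))
```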

1 comment:

Dan said...

Leonard,

Glad to see this post and your participation in the podcast. A couple of other sites you might like to know about. The VoIP Security Alliance (VOIPSA) is an industry consortium focused on VoIP security at:

http://www.voipsa.org/

We have a weblog at http://www.voipsa.org/blog/ and an active mailing list at http://www.voipsa.org/VOIPSEC/ We also produce a weekly podcast focused entirely on VoIP security called "Blue Box" at:

http://www.blueboxpodcast.com/

We also have put out a list of VoIP security tools at:

http://www.voipsa.org/Resources/tools.php

Again, great to see posts about VoIP security and please do feel free to join our mailing list or join in the conversation on our blog.

Regards,
Dan York (member of VOIPSA board)