VoIP (Voice over IP) is voice communication over an IP network. The voice traffic is compressed, encrypted, and encapsulated into data packets that are sent across the IP network like any other data stream.
VoIP services provide their clients with phone numbers so that they can be reached from PBX-type terminals, fax machines or ordinary mobile phones. This makes it possible to place voice calls between them via VoIP protocols without using a conventional POTS line. The voice quality depends on the transmission medium, but most providers offer telephony rates that can be chosen at call setup depending on bandwidth availability or the desired voice quality.
There are different methods of encrypting voice communications over IP networks.
Transport Layer Security (TLS) is a cryptographic protocol that ensures privacy between communicating applications and their users on the Internet. It allows client/server applications to communicate across an insecure network in a way that is designed to prevent eavesdropping, tampering, and message forgery.
A TLS session is composed of two phases: the handshake phase and the data transfer phase. During the handshake phase, which takes place at the beginning of each connection, information about encryption keys, compression algorithms etc. is exchanged in order to set up the desired security settings before actual voice transmission begins. The voice stream itself can be encrypted using DES or 3DES, both during data transfer and during voice call setup. However, it should be noted that these methods are no longer considered secure.
Voice encryption over TLS with SRTP is currently considered the most secure voice call setup option available for VoIP communications. SRTP establishes a TLS session between the two communicating parties and adds voice encryption to it, so that all voice packets are encrypted but still carry their source and destination identifiers. Because of this design, voice calls stay interoperable, which is important when the voice communication needs to be routed via different servers or providers.
This method can be used by both endpoints (e.g., phones) of a voice call, as long as they support TLS and SRTP (including its mandatory cipher suites). The endpoint computers must then handle voice compression, decompression and packetizing of the voice data into RTP packets before handing them to the voice encryption module.
Encryption of voice over TLS with SRTP can also be enabled by using a voice-enabled version of OpenVPN: all voice packets are then automatically encrypted and decrypted inside the VPN tunnel. When running voice over an IPsec VPN, it is also possible to use SRTP instead of plain RTP over UDP. This might cause issues when connecting two geographically separated networks, such as satellite connections where packet loss is more likely. However, this method of voice encryption requires all computers on both sides to have voice capabilities, since voice compression/decompression has to take place on both sides inside the IPsec tunnel before the packets are handed to the encryption module for secure encapsulation into data packets. The voice packets themselves are not encrypted by the data encryption module.
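To make concrete what "encrypted voice packets that still carry their source and destination identifiers" means, here is an added example (not code from the original article) of the SRTP packet transform in Go: the 12-byte RTP header, including the SSRC and sequence number, stays in the clear, only the payload is encrypted with AES in counter mode, and an 80-bit HMAC-SHA1 tag over header and ciphertext lets the receiver reject tampered packets. It assumes the session keys have already been derived (key exchange and SRTP key derivation are out of scope) and that the caller tracks the rollover counter (ROC); replay protection is omitted, so this is illustrative rather than a drop-in SRTP implementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"errors"
)

// 12-byte RTP header stays cleartext (SSRC and seq readable); trailer is an 80-bit HMAC-SHA1 tag (AES_CM_128_HMAC_SHA1_80).
const rtpHeaderLen, tagLen = 12, 10
func be32(v uint32) []byte { return []byte{byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)} }
// ctrPayload copies the header and XORs the payload with the AES-CM keystream; CTR is an XOR, so it both encrypts and decrypts.
func ctrPayload(block cipher.Block, salt, pkt []byte, roc uint32) []byte {
	// RFC 3711 4.1.1 counter block IV = (k_s<<16) ^ (SSRC<<64) ^ ((ROC||SEQ)<<16): salt in bytes 0..13, SSRC/ROC/SEQ XORed into bytes 4..13.
	iv := make([]byte, 16)
	copy(iv, salt[:14])
	for i, b := range append(append(pkt[8:12:12], be32(roc)...), pkt[2], pkt[3]) {
		iv[4+i] ^= b
	}
	out := append([]byte{}, pkt...)
	cipher.NewCTR(block, iv).XORKeyStream(out[rtpHeaderLen:], pkt[rtpHeaderLen:])
	return out
}
// authTag = HMAC-SHA1(header || encrypted payload || ROC), truncated to 80 bits.
func authTag(authKey, body []byte, roc uint32) []byte {
	mac := hmac.New(sha1.New, authKey)
	mac.Write(body)
	mac.Write(be32(roc))
	return mac.Sum(nil)[:tagLen]
}
// Protect turns an RTP packet into header || encrypted payload || tag.
func Protect(encKey, salt, authKey, rtp []byte, roc uint32) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil || len(rtp) < rtpHeaderLen {
		return nil, errors.New("bad key or packet shorter than an RTP header")
	}
	body := ctrPayload(block, salt, rtp, roc)
	return append(body, authTag(authKey, body, roc)...), nil
}
// Unprotect checks the tag in constant time before decrypting, so a modified header or payload (or wrong ROC) is dropped, not played out.
func Unprotect(encKey, salt, authKey, srtp []byte, roc uint32) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	n := len(srtp) - tagLen
	if err != nil || n < rtpHeaderLen || !hmac.Equal(srtp[n:], authTag(authKey, srtp[:n], roc)) {
		return nil, errors.New("bad key or SRTP authentication failed")
	}
	return ctrPayload(block, salt, srtp[:n], roc), nil
}
```

Because the header is authenticated but not encrypted, an intermediary can still route on SSRC and sequence number, while any change to those fields fails the tag check at the receiver.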
If VoIP is used through a site-to-site VPN tunnel, voice traffic can be compressed before being sent across the tunnel which reduces voice latency and packet loss during voice transmission. The compression ratio for VoIP traffic may vary depending on codec, but it could be between 40% and 50%. This will reduce the bandwidth consumption that is necessary to transfer voice packets but will still deliver good voice quality (if there is no packet loss).
This VoIP implementation via VPN channels only works if all endpoints support voice capabilities. Otherwise this method is of little use, because of the latency introduced by the compression/decompression engine on both sides of the tunnel and the heavy CPU utilization it causes.
If VoIP is used for branch office to main office communication, the voice traffic is transmitted via the organization’s private network. This method does not require voice capabilities on either side of the VPN tunnel because voice data are transferred as data packets without voice compression/decompression. However, this method demands high bandwidth consumption due to voice latency introduced by voice packetizing and transferring.
Voice calls that are routed through a site-to-site or remote access VPN tunnel will be more secure than those that are routed directly over the Internet. Traffic running inside a VPN tunnel is encrypted with encryption algorithms such as 3DES, Blowfish, CAST128 etc., which makes it harder for an outsider to tap into conversations without being detected. It also hides the voice data inside the TCP/IP protocol, which further reduces voice latency and packet loss during voice transmission.
This VoIP implementation via VPN requires voice capabilities on both sides of the tunnel but provides better voice quality and lower voice latency than when using compression/decompression engines provided by computer hardware. This method is most effective if all communicating parties support voice capabilities because voice packets are transferred directly from source to destination without any form of encryption.
If VoIP is used through a site-to-site or remote access VPN, it will provide the same level of security as private leased line or ATM connections between branch offices and main offices. This method demands high bandwidth consumption due to voice latency introduced by voice packetizing and transferring.
If VoIP is used for voice communication between branch offices and the main office, voice packets have to be routed through multiple network layers by using a site-to-site VPN tunnel. This will add voice latency due to voice packetizing and transferring through different networks before reaching the destination. The number of hops determines voice latency, which means that each network layer will add voice latency. Also, this method demands high bandwidth consumption due to voice packetizing/decompressing on both sides of the VPN tunnel as well as encrypting voice data with encryption algorithms such as 3DES, Blowfish, CAST128 etc., before transferring them via VPN tunnels.
There are many methods that can be applied for implementing VoIP in an organization. The most suitable method depends on each client's requirements: voice quality, voice latency, security requirements and bandwidth consumption should all be considered when choosing the best method to implement VoIP within an organization.