VoIP VPN

A VoIP VPN combines voice over IP (VoIP) and virtual private network (VPN) technologies to deliver voice securely. Because VoIP transmits digitized voice as a stream of data, a VoIP VPN achieves voice encryption quite simply by applying the standard data-encryption mechanisms already available in the protocol suite used to implement the VPN.

The VoIP gateway router first converts the analog voice signal to digital form, encapsulates the digitized voice in IP packets, encrypts those packets using IPsec, and finally routes the encrypted packets through a VPN tunnel. At the remote site, another VoIP router decrypts and decodes the voice and converts the digital signal back to analog for delivery to the phone.

A VoIP VPN can also run inside an IP-in-IP tunnel or over SSL-based OpenVPN. In the former case there is no encryption, but the traffic overhead is significantly lower than with an IPsec tunnel. The advantage of OpenVPN tunneling is that it can run on a dynamic IP address and may provide up to 512-bit SSL encryption.

Advantages

Security is not the only reason to pass VoIP through a virtual private network. Session Initiation Protocol (SIP), a commonly used VoIP protocol, is notoriously difficult to pass through a firewall because it uses random port numbers to establish connections. A VPN is therefore also a workaround for firewall problems when configuring remote VoIP clients.

However, newer VoIP standards such as STUN, ICE and TURN natively eliminate some of VoIP's NAT traversal problems.

Installing an extension over a VPN is a simple way to obtain an off-premises extension (OPX), a function that in conventional landline telephony required a leased line from the private branch exchange (PBX) to the remote site. A worker at a remote location can therefore appear virtually to be at the company's main office, with full internal access to the telephone system and network.

Disadvantages

The protocol overhead caused by encapsulating the VoIP protocols within IPsec dramatically increases the bandwidth required for VoIP calls, making VoIP-over-VPN protocols too "fat" to be used over mobile data connections such as GPRS, EDGE or UMTS. Although VoIP over VPN is therefore less usable in mobile environments, it is sometimes used to create an "encrypted VoIP trunk" between different sites of a corporation, running VoIP PBX interconnections over a VPN connection.[1]

New solutions

The recent publication of VoIP encryption standards built into the VoIP protocols themselves, such as ZRTP and SRTP, allows a VoIP client to run without the VPN overhead, integrating with the standard features of the VoIP PBX without having to manage both a VPN gateway and the PBX.
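To make the "fat" overhead described under Disadvantages and the SRTP alternative above concrete, here is an added example (not from the original article) that estimates the per-packet size and one-way IP-layer bandwidth of a G.711 and a G.729 stream carried natively, inside an IP-in-IP tunnel, inside an IPsec ESP tunnel, and with SRTP instead of a VPN. Header sizes are the standard protocol minimums; the IPsec algorithm choice (AES-128-CBC with HMAC-SHA1-96) and the 80-bit SRTP authentication tag are assumptions made for this example, and the codec parameters are constructed sample inputs.

```python
# Added example: bandwidth cost of carrying VoIP natively, in an IP-in-IP
# tunnel, in an IPsec ESP tunnel, and with SRTP. Assumptions (not from the
# article): IPv4 without options, RTP without CSRCs/extensions, ESP with
# AES-128-CBC (16-byte IV, 16-byte block) and HMAC-SHA1-96 (12-byte ICV),
# SRTP with an 80-bit (10-byte) authentication tag.
from dataclasses import dataclass

IPV4_HDR = 20   # IPv4 header, no options
UDP_HDR = 8
RTP_HDR = 12    # RTP fixed header
ESP_HDR = 8     # SPI (4) + sequence number (4)


@dataclass(frozen=True)
class Codec:
    name: str
    payload_bytes: int    # audio bytes per RTP packet
    packets_per_sec: int  # 50 pps == 20 ms packetisation


# Constructed sample codecs using their standard 20 ms frame sizes.
G711 = Codec("G.711", 160, 50)   # 64 kbit/s audio
G729 = Codec("G.729", 20, 50)    # 8 kbit/s audio


def native_packet_bytes(codec: Codec) -> int:
    """One RTP/UDP/IPv4 packet carrying the codec payload."""
    return IPV4_HDR + UDP_HDR + RTP_HDR + codec.payload_bytes


def ipip_packet_bytes(codec: Codec) -> int:
    """IP-in-IP tunnel: one extra outer IPv4 header, no encryption."""
    return IPV4_HDR + native_packet_bytes(codec)


def esp_tunnel_packet_bytes(codec: Codec, block: int = 16,
                            iv: int = 16, icv: int = 12) -> int:
    """IPsec ESP, tunnel mode (RFC 4303 layout): outer IPv4 + SPI/seq + IV
    + inner packet padded to the cipher block size (including the 2-byte
    pad-length/next-header trailer) + ICV."""
    inner = native_packet_bytes(codec)
    padded = -(-(inner + 2) // block) * block   # ceil to block boundary
    return IPV4_HDR + ESP_HDR + iv + padded + icv


def srtp_packet_bytes(codec: Codec, auth_tag: int = 10) -> int:
    """SRTP: AES-CTR leaves the payload length unchanged; only the
    authentication tag is appended."""
    return native_packet_bytes(codec) + auth_tag


def kbps(packet_bytes: int, codec: Codec) -> float:
    """One-way IP-layer bandwidth in kbit/s."""
    return packet_bytes * 8 * codec.packets_per_sec / 1000


def bandwidth_table(codec: Codec) -> dict:
    """kbit/s for each transport option, for one direction of one call."""
    return {
        "native": kbps(native_packet_bytes(codec), codec),
        "ip-in-ip": kbps(ipip_packet_bytes(codec), codec),
        "ipsec-esp": kbps(esp_tunnel_packet_bytes(codec), codec),
        "srtp": kbps(srtp_packet_bytes(codec), codec),
    }


if __name__ == "__main__":
    for codec in (G711, G729):
        table = bandwidth_table(codec)
        print(f"{codec.name} ({codec.payload_bytes} B payload, "
              f"{codec.packets_per_sec} pps):")
        for transport, rate in table.items():
            print(f"  {transport:10s} {rate:6.1f} kbit/s "
                  f"({rate / table['native']:.2f}x native)")
```

The numbers show why the article calls IPsec-encapsulated VoIP "fat": for a low-bitrate codec such as G.729 the ESP tunnel doubles the on-wire bandwidth (the IV, padding and ICV cost more than the 20-byte audio payload), whereas SRTP adds only the authentication tag. Real links add layer-2 framing on top of every figure here, which makes the relative gap worse, not better.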

Free implementation

A VoIP VPN solution can be built entirely from free open-source software, using a Linux distribution or BSD as the operating system together with a VoIP server and an IPsec server.


References

https://www.pcmag.com/article/365673/when-to-use-a-vpn-to-carry-voip-traffic

Sources

  1. Gallagher, Sean (March 12, 2014). "NSA's automated hacking engine offers hands-free pwning of the world". Ars Technica. Retrieved April 11, 2014.