Arming Against The Worst VoIP Dangers


Best-practice tactics include consistent security policies and VoIP-specific tools and hardware.



If the Voice over IP Security Alliance (VOIPSA) proves anything, it's that voice over IP (VoIP) security is something that a whole lot of people take very seriously. "The reason why our membership has mushroomed is that the industry as a whole is saying 'we're concerned,'" VOIPSA secretary and Sonicwall senior director Jonathan Zar says. "The carriers are saying 'we're ultimately responsible for integrating all of these products and we know there are problems.'"

Many of VoIP's security vulnerabilities are nothing new; they are simply the consequence of routing voice traffic over IP networks. Traditional telephony has been spared the kind of denial of service (DoS) attacks and worms that have bedeviled the Internet since Robert Tappan Morris set the first worm loose in 1988. However, the transport medium changes everything, even if VoIP lets users make and receive telephone calls with the same ease as with traditional phone service.

"You have to consider the underlying infrastructure," Infonetics directing analyst for enterprise voice and data Matthias Machowinski says. "If worms and viruses bog down your network, it's a data security issue, of course, but that's also going to affect voice quality and reliability."

In fact, real-time traffic like voice is particularly susceptible to any attacks on the IP network carrying it. Few users, Machowinski notes, will notice a network hiccup when they're downloading an e-mail attachment, but the same minute delay could play havoc with voice data. The bottom line is that VoIP security is only as good as the overall security of the network it's on, but even that's just a starting point.

"VoIP inherits every one of the denial of service vulnerabilities that you have on the net," Zar says. "It's also vulnerable to DoS attacks that are protocol-aware."

With that in mind, the first step to ensuring VoIP security is to plug the holes in the network. "It's important to look holistically at security," Machowinski says. "It has to be an overall strategy for data as well as voice."

Nevertheless, VoIP's vulnerabilities don't end with the IP network. Zar says that there are a number of security risks specific to IP telephony that VOIPSA has categorized, catalogued and presented in a thorough taxonomy. A good number of these relate specifically to the perils inherent in moving voice traffic from the closed circuits of the public switched telephone network (PSTN) to the wide-open Internet.

Traditional telephone calls aren't usually encrypted, primarily because they don't have to be. They're carried end-to-end on a managed network subject to rigorous regulation and controls. In theory at least, tapping a traditional phone requires some kind of physical intervention.

"Internet phone traffic isn't protected like that," he says. "The IP protocols were never really intended to be attack resistant, but there's also the question of privacy."

Unencrypted voice packets can be intercepted. Neither Zar nor Machowinski thinks that packet interception is a widespread problem -- yet -- but it will probably become more common as VoIP goes increasingly mainstream. And it's not technically difficult, Zar says. "You have to know the art, but it's not a black art," he says. "As with viruses, there are two groups of people who are interested in these things. There are those who like to develop the tools to do it, and the less sophisticated people who use the tools."

Few users regularly encrypt their e-mail, gambling that, with the number of packets flying around the Internet, interception is unlikely, so why encrypt voice calls? "Yes, it's a needle in a haystack," Zar says. "But not all haystacks are the same."
