Computerworld
Five tips for securing a converged net

IP telephony and voice over IP are by no means the standard for carrying enterprise voice just yet. But these technologies have been in the real world long enough for users to have learned some tricks for protecting a converged infrastructure against network threats, both external and from inside the firewall.

From their work in the field, these IP telephony veterans - including users and consultants - give the following five essential tips for ensuring security in a converged voice/data infrastructure.

Start with the basics.

"Viruses are a paramount concern in any organization, on any server or application," says Ray Ortega, senior consultant for voice at ThruPoint Inc., an integrator of IP telephony networks. "One key thing users need to do is to stay on top of their (IP PBXs) and make sure they have the latest virus protection and patches applied. One thing we make sure of is that clients know that call servers need to be maintained and monitored."

Ortega says common-sense precautions such as intrusion-detection software and good firewalls go a long way in keeping IP voice running in the event of a network or virus attack. Disabling or limiting Web access to phones and IP PBXs - as many of these devices run mini-Web servers for management purposes - is another step.

CERT, the independent network security organization, recommends filtering inbound traffic to Session Initiation Protocol (SIP) devices and denying traffic to those devices that are not intended to handle public services. Similarly, such boxes rarely need to initiate SIP sessions, so filtering outbound traffic that is initiating sessions can prevent these machines from being used to launch attacks, CERT says.
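The two filtering rules CERT describes can be modelled as a small policy check. The sketch below is an added illustration, not code from CERT or from anyone quoted in the article; the trusted network range, the function names and the sample messages are assumptions constructed for the example.

```python
import ipaddress
import re

# Assumed policy values for this illustration; none come from the article.
TRUSTED_PEERS = [ipaddress.ip_network("10.20.0.0/24")]  # e.g. voice VLAN
SESSION_INITIATING = {"INVITE"}  # SIP method that opens a new session

REQUEST_LINE = re.compile(r"^([A-Z]+) \S+ SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) ")

def classify(payload: bytes):
    """Return ('request', METHOD), ('response', CODE) or ('not-sip', None)."""
    first = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    m = REQUEST_LINE.match(first)
    if m:
        return ("request", m.group(1))
    m = STATUS_LINE.match(first)
    if m:
        return ("response", m.group(1))
    return ("not-sip", None)

def decide(direction: str, peer_ip: str, payload: bytes) -> str:
    """direction: 'inbound' (to the SIP device) or 'outbound' (from it)."""
    kind, detail = classify(payload)
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in net for net in TRUSTED_PEERS)
    if kind == "not-sip" or not trusted:
        return "drop"  # device is not a public service: trusted SIP peers only
    if direction == "outbound" and kind == "request" and detail in SESSION_INITIATING:
        return "drop"  # device should answer sessions, not start them
    return "allow"

# Constructed sample messages (first line plus minimal headers).
INVITE = b"INVITE sip:bob@example.com SIP/2.0\r\nCSeq: 1 INVITE\r\n\r\n"
OK_200 = b"SIP/2.0 200 OK\r\nCSeq: 1 INVITE\r\n\r\n"
HTTP_GET = b"GET / HTTP/1.1\r\nHost: pbx\r\n\r\n"

def run_samples():
    cases = [("inbound", "10.20.0.5", INVITE), ("inbound", "203.0.113.9", INVITE),
             ("inbound", "10.20.0.5", HTTP_GET), ("outbound", "10.20.0.5", OK_200),
             ("outbound", "10.20.0.5", INVITE)]
    return [decide(*c) for c in cases]

if __name__ == "__main__":
    print(run_samples())
```

In a real deployment the same decisions would be enforced by a firewall or session border controller in front of the SIP devices rather than by a script.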

Treat phones as IP clients.

Intruders can spoof IP addresses to make illicit gear seem to be a trusted device, which can then intercept traffic. This behavior can be blocked by requiring endpoint IP address authentication, many users and experts say.

Businesses want to make sure users authenticate themselves to the network before using IP phones, says Iain Stevenson, service director for access at analyst firm Ovum Ltd. "With VoIP you have a highly portable client (softphone). Authorizing the user is very important so you don't get anyone dialing out and making long, international calls."

Many experts also recommend setting up logon prompts and PINs for IP phones. Disabling auto-configuration of IP phones from an IP PBX could also be useful in preventing unauthorized IP telephony clients from making calls via your IP PBX.

Keep converged voice and data separate.

It sounds contrary, but completely mixing voice and data can be bad, some experts say.

"You want to limit the kind of communication on IP PBXs strictly to the devices that they need to communicate with," Ortega says. These include IP phones, PCs running softphones and application servers that need to interact with the IP PBX, such as mail or contact center servers.

He also recommends putting voice on its own virtual LAN segment, and always running site-to-site VoIP links over dedicated WAN circuits.

This is the practice of one aerospace parts manufacturing company, with offices on the East Coast and in Europe. The company uses IP PBXs in its branch offices, which are connected by private ATM links leased from a carrier. "We don't let any (VoIP) traffic go beyond our private LAN and WAN," an IT administrator for the firm says.

QoS as a security measure.

While many VoIP users recommend quality of service (QoS) to maintain voice quality, making voice packets a high priority can also help in the event of a security incident, some say.

"We use Layer 3 switches that give voice the highest priority over any other traffic types," says John Orbaugh, director of MIS for the Tyler Independent School District in Texas. The school deployed Nortel Networks Corp.'s Business Communication Manager - a branch IP PBX - to four high school campuses, with a Nortel Meridian PBX acting as a central call switch.

Orbaugh says he uses network security basics - firewalls and some intrusion detection.

"With QoS we should still be able to push voice through" in case of a network-saturating worm or denial-of-service attack, he says. "Quality might go down a bit, but it would still be up and running."

Encrypt calls where it makes sense.

Eavesdropping by people intercepting the voice stream is possible and can be thwarted by encrypting the voice traffic with Secure RTP.

This is key in any VoIP deployment, says Kameran Ahari, general partner in Napa Consulting Group. "True VoIP requires real-time protocol support in the context of the overall security strategy. But, the security issues are no different than some of the data applications," Ahari says.

While some might equate VoIP encryption to paranoia, it is a must for running IP voice to home users.

"At all costs, avoid going directly over the Internet" with VoIP, ThruPoint's Ortega says. If organizations want to extend access to a PBX or IP PBX to home users, encrypted VPN tunnels over a broadband link are best.

Copyright 2009 IDG Communications. ABN 14 001 592 650. All rights reserved.