Privacy. One of our most treasured rights under the Constitution. It allows us to do,
say, and live however we please without the fear of persecution. Americans take their
privacy very seriously and frown on anyone and anything that even minutely intrudes upon
their private lives. Yet, as technology advances, we are more than ever confronted with
the possibility that our personal information will be exposed or, worse yet, used
against us. The horror stories of stolen identities, electronic espionage, and Internet
abuse (à la the plight of poor Sandra Bullock) are all too familiar these days.
Even though most people are somewhat cognizant of the dangers lurking on the Internet,
most (incredibly) remain indifferent towards Internet security. Some may not believe that
they could become the target of hackers, while others may not consider their communications
especially sensitive. Regardless of how you currently use this omnipresent medium, the
Internet is about to be employed for a whole new way of communication: IP telephony. And
with it there will be new concerns about cybereavesdropping.
IP Telephony's Allure
By now, most of us have heard all the arguments in favor of IP Telephony. IP telephony
promises 10 times the efficiency of traditional voice transmission. Such efficiency is
made possible when digital technologies are employed to digitize, compress, and prioritize
voice, making use of every iota of unused bandwidth to stuff multiple conversations over
the same line that used to carry only one. This, in turn, translates into savings in terms
of reduced number of phone lines as well as reduced charges per call. Clearly moving from
the circuit-switched to the packet-switched model has tremendous advantages. But yet,
amidst all this fanfare, something has been overlooked. Security.
Security, I Tell You. Security!
Network security was all the rage in the not too distant past. Now, it seems, the
buzzword in town is QoS (Quality of Service). Security seems to have taken a back seat.
But I believe before IP telephony becomes mainstream, the need to formulate air-tight
security for IP telephony connections will have to be addressed. Without it, many
potential users, corporate entities chief among them, will never jump on the
IP telephony bandwagon. Without a large and influential ($$$) user community, IP telephony
cannot and will not live up to its promise.
Spies And Otherwise
In terms of security, we all take phone calls for granted. To us, a telephone
conversation is as private as speaking to a person behind closed doors. We all have heard
of wiretapping, eavesdropping, and conversations being recorded by the government's
spies, but the average person is fairly immune to such intrusions (my sources tell me
otherwise, but I see no point in senselessly frightening anyone). Moreover, traditional
wiretapping requires physical trespassing and break-in, and involves illicit interception
of the phone companies' circuits, making it unpleasant for even the most enthusiastic
hacker to try.
Even so, there are devices such as the STU III (Secure Telephone Unit, used mostly by
the government, or so my highly placed sources would have me believe) and Escrowed
Encryption Standard (EES), a.k.a. the Clipper Chip, which can scramble and encode phone
conversations to protect the parties' privacy. When it comes to Internet telephony,
voice enters the realm of data, leaving it open to the hordes of data pirates, hackers,
and hacker wannabes. Once your voice becomes part of the ocean of digital signals
traveling down the wire, your conversation becomes susceptible to interception, so much so
that a determined teenager can listen in as easily as he could hack into a NORAD
mainframe to play tic-tac-toe.
Everybody Calm Down
Does this mean you need to worry about your privacy? Well, not yet. IP Telephony
hasn't quite achieved widespread status, and I imagine that most conversations
traveling through the Internet do not qualify as overly sensitive. For now, most
businesses who opt for IP telephony do so on their own private Intranets, which gives them
some semblance of immunity from external threats.
But (and this is a big but) the future of IP telephony is on the Internet. And as more
people turn to this medium for voice services, security becomes priority number one. The
packet-switched mode does inherently offer some security as data packets travel multiple
routes before regrouping at their destination. This would make it difficult for a
potential hacker, who would have to intercept and reconstruct all the packets, but this is
hardly enough assurance for the average business user. An effective security strategy
would:
- Authenticate the users, verifying that they are who they say they are.
- Encrypt the transmissions, rendering them unusable even if intercepted.
- Verify data integrity, making it immune to vandals.
It's Already Working
These approaches are already in wide use to secure transmissions between Web browsers and
Web servers. For example, SSL (Secure Sockets Layer, based on RSA Data Security's
approach) is used by both Netscape Navigator and Microsoft Internet Explorer to encrypt
and authenticate transmissions over the Internet. Digital signatures and public key
technologies are also part of the scheme to make the Internet a more secure place to
conduct business. Digital signatures are used to secure documents, making them unalterable
except by the original sender. Public keys allow the sender to scramble the data using the
public code advertised by the intended receiver, but only the receiver can decipher the
data using a private code.
All these security techniques work fine when data does not require real-time
transmission. This process of encryption and decryption does, after all, require time.
When it comes to IP telephony, however, the market is very inflexible about voice
delivery: It has to be real-time.
Let's Ask The Experts
So, where does this leave the IP telephony industry? For now, many telephony gateway
products are focusing on the Intranet where security is of less concern. According to Jeff
Ford, chief technology officer at Inter-Tel,
"There are risks associated with transmitting voice through Internet Service
Providers that don't have secure routers and facilities, and encryption introduces
latency. That is why, for now, many telephony gateway vendors target the managed IP
networks rather than the Internet."
But work is already in progress to make secure connections a natural extension of IP
telephony. "The Vienna.way Gateway can be integrated with currently available
encryption devices," explains Sheila James, product manager at Vienna Systems
(www.viennasys.com). "We are currently demonstrating this capability with Timestep
Corporation, a Newbridge Networks affiliate. Timestep uses a Secure Virtual Private
Networking encryption technology and can be implemented between Vienna.way gateways or
clients, and is optimized to substantially decrease latency."
There is yet another side to the IP telephony security risk, as pointed out by Natural MicroSystems' IP Telephony product manager,
Patrick Fetterman. That is the possibility of the PBX coming under attack through the IP
telephony gateway.
According to Fetterman, "It is important where in your network you deploy the
[telephony] gateway, as it provides an access point to your PBX. A successful hacker might
be able to gain access to the front-end PBX and make calls all over the world on your
account. Ideally, the gateway should be situated behind a firewall for added security. It
makes configuring the gateway more complicated, but it is worth it in the long run."
Salvation Is At Hand
Given its tremendous promise, IP telephony is finally ready for the big time. But
regardless of what all the evangelists will have you believe, there are still issues that
need to be addressed before it can take center stage. Security is one of them. In my
opinion, the sooner the issue of security is addressed, the faster we'll arrive at
the gates of the IP gateway.
For more (a lot more) information on data security, visit the Cryptography FAQ pages on
the RSA Data Security Web site at http://www.rsa.com/rsalabs/newfaq/
Please send comments regarding this column to rhashemian@tmcnet.com.