[ISN] NIST raises VoIP concerns
isn at c4i.org
Fri Jan 7 07:41:29 EST 2005
By Florence Olsen
Jan. 6, 2005
Government administrators may not understand the complexity of
installing security systems for Internet telephony, a new government
study suggests .
Officials at the National Institute of Standards and Technology
released a Jan. 5 report that examines security vulnerabilities in
Internet-based telephone systems and raises concerns about an emerging
technology that otherwise appears to offer many advantages over
traditional telephone networks. Security concerns described in the
99-page report suggest that the cost and complexity of installing such
systems is greater than people realize.
Many government agencies, including the Defense Information Systems
Agency, plan to use voice-over-IP networks. Military commanders rely
heavily on such systems in Iraq and Afghanistan.
Some administrators mistakenly assume that they can plug voice-over-IP
components into a secure network and have secure voice communications.
But the report's authors say that security measures such as firewalls
and encryption used in traditional data networks are incompatible with
current Internet-based telephone systems and can cause serious
deterioration in the voice quality possible on such systems.
The report states that "essential telephone services, unless carefully
planned, deployed and maintained, will be at greater risk if based on
voice over IP." For example, data networks must be adapted by adding
firewalls designed specifically for voice over IP.
To compensate for the current security vulnerabilities of
voice-over-IP technology, NIST officials made several recommendations,
* Creating separate subnetworks for voice and data traffic on IP
networks, each with their own dynamic host configuration protocol
* Ensuring that 911 emergency service is available.
* Securing physical access to the network's voice components to
prevent unauthorized eavesdropping on conversations.
More information about the ISN