[ISN] NIST raises VoIP concerns

InfoSec News isn at c4i.org
Fri Jan 7 07:41:29 EST 2005 

http://www.fcw.com/fcw/articles/2005/0103/web-voip-01-06-05.asp

By Florence Olsen 
Jan. 6, 2005

Government administrators may not understand the complexity of 
installing security systems for Internet telephony, a new government 
study suggests [1]. 

Officials at the National Institute of Standards and Technology 
released a Jan. 5 report that examines security vulnerabilities in 
Internet-based telephone systems and raises concerns about an emerging 
technology that otherwise appears to offer many advantages over 
traditional telephone networks. Security concerns described in the 
99-page report suggest that the cost and complexity of installing such 
systems is greater than people realize. 

Many government agencies, including the Defense Information Systems 
Agency, plan to use voice-over-IP networks. Military commanders rely 
heavily on such systems in Iraq and Afghanistan.

Some administrators mistakenly assume that they can plug voice-over-IP 
components into a secure network and have secure voice communications. 
But the report's authors say that security measures such as firewalls 
and encryption used in traditional data networks are incompatible with 
current Internet-based telephone systems and can cause serious 
deterioration in the voice quality possible on such systems.

The report states that "essential telephone services, unless carefully 
planned, deployed and maintained, will be at greater risk if based on 
voice over IP." For example, data networks must be adapted by adding 
firewalls designed specifically for voice over IP.

To compensate for the current security vulnerabilities of 
voice-over-IP technology, NIST officials made several recommendations, 
including: 

* Creating separate subnetworks for voice and data traffic on IP 
  networks, each with their own dynamic host configuration protocol 
  servers. 

* Ensuring that 911 emergency service is available. 

* Securing physical access to the network's voice components to 
  prevent unauthorized eavesdropping on conversations. 

[1] http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf

More information about the ISN mailing list