[ISN] NIST report urges caution with VoIP security

InfoSec News isn at c4i.org
Thu Jan 27 02:27:20 EST 2005


By Matt Hamblen 
JANUARY 26, 2005

A new report from the National Institute of Standards and Technology
urges federal agencies and other organizations to take care in
switching to voice-over-IP technology because of security concerns.

The 99-page NIST report, "Security Considerations for Voice over IP
Systems," includes nine recommendations for IT managers to help them
implement VoIP in a secure manner. "Lower cost and greater flexibility
are among the promises of VoIP for the enterprise, but VoIP should not
be installed without careful consideration of the security problems
introduced," the report says.

"Administrators may mistakenly assume that since digitized voice
travels in packets, they can simply plug VoIP components into their
already-secure networks and remain secure. However, the process is not
that simple," the report says.

The report, authored by NIST computer security experts Richard Kuhn
and Thomas Walsh, as well as Steffen Fries of Siemens AG, appeared in
draft form last June and was formally released in final form earlier
this month. Today, NIST included excerpts from it in an e-mail

Among its recommendations, the report calls for building logically
separate voice and data networks where practical, instead of building
a single converged network. It also calls for using VoIP firewalls and
routinely testing them.

Another recommendation says that "if practical," VoIP softphones
should not be used where either security or privacy is a priority. A
softphone involves using an ordinary PC with a headset and special
software instead of a typical telephone unit.

Many analysts and even VoIP hardware vendors have discussed VoIP
security for years, but the predominant thinking seems to be that such
systems can be installed in a secure way (see story) [1].

Many analysts believe that a bigger concern for enterprises weighing
VoIP use is whether enough business-centered applications can be used
atop a VoIP system to make it worthwhile, not whether the systems can
be made secure.

One analyst, Zeus Kerravala at The Yankee Group in Boston, noted today
that the report doesn't seem to have had much impact on companies
deploying the technology. Many large enterprises and many federal
agencies, some with tens of thousands of users, are already deploying
VoIP systems effectively and securely, he said.

"Obviously it's important to think about security with VoIP, but to
say some of what they've said, especially about softphones, shows a
little bit of backwards thinking," Kerravala said. "I think, somewhat,
it's written by Luddites."

Kerravala said that softphones can be made secure, depending on the
desktop software being used. "I think that if you are the head of the
CIA, you already probably have a secure desktop environment that will
support a softphone," he said.

Vendors are beginning to treat VoIP phones as true computing devices,
and Cisco Systems Inc. and other vendors have started installing
digital certificates on IP phones, Kerravala said. "The more IP
telephony becomes an appliance, you have to think it will be more
secure," he said.

Ray Bjorklund, an analyst at Federal Sources Inc. in McLean, Va., said
the report might be especially valuable for federal agencies involved
in war or national security efforts in which network security is
paramount. "If an operation overseas were suddenly relying on IP to
transmit voice through a satellite or through the Public Switched
Telephone Network with many places for potential failure, that's a
particular problem for the national security community," he said.

Even a large corporation such as a bank might not have the level of
security need that a wartime agency would want, he said. Some federal
agencies are already deploying VoIP, at least within divisions or
branches, he said. Included in that number is the U.S. Marine Corps,
which is deploying combat systems that rely on Internet phones. The
Defense Information Systems Agency is also developing a strategy for
departmentwide VoIP usage, officials said last year.

Bjorklund said the NIST report is noteworthy if only because NIST is a
government agency and independent of market influences. "This is worth
noting, and not like a white paper from a vendor, which could be just
a little biased," he said.

He agreed that VoIP can be made secure for most administrative and
business applications, although he questioned whether it can be made
secure with today's technology for the most sensitive government
needs. "Someday, vendors will get the technology so that government
will feel comfortable with it, but that day's not here yet," he said.

One of the authors, Kuhn, said in an interview today that NIST
provides advice on all kinds of technologies and nothing in the VoIP
report is designed to warn people away from using the technology.

"VoIP is moving ahead very, very fast in the commercial and
government sectors," Kuhn said. "We don't want to scare people away
from this. But we want to point out that this is complex technology
and there are a lot of security considerations that they may not have
thought of. It's more than just moving data."

The range of security products for VoIP security is "pretty good" and
has advanced appreciably in the last year since the report was
started, he said. "You can get the security tools, and it's a question
of finding the right vendor for your needs," Kuhn said.

[1] http://www.computerworld.com/networkingtopics/networking/story/0,10801,98961,00.html