NIST report urges caution with VoIP security
JANUARY 26, 2005 (COMPUTERWORLD) - A new report from the National Institute of Standards and Technology urges federal agencies and other organizations to take care in switching to voice-over-IP technology because of security concerns.
The 99-page NIST report, "Security Considerations for Voice over IP Systems," includes nine recommendations for IT managers to help them implement VoIP in a secure manner. "Lower cost and greater flexibility are among the promises of VoIP for the enterprise, but VoIP should not be installed without careful consideration of the security problems introduced," the report says.
"Administrators may mistakenly assume that since digitized voice travels in packets, they can simply plug VoIP components into their already-secure networks and remain secure. However, the process is not that simple," the report says.
The report, authored by NIST computer security experts Richard Kuhn and Thomas Walsh, as well as Steffen Fries of Siemens AG, appeared in draft form last June and was formally released in final form earlier this month. Today, NIST included excerpts from it in an e-mail newsletter.
Among its recommendations, the report calls for building logically separate voice and data networks where practical, instead of building a single converged network. It also calls for using VoIP firewalls and routinely testing them.
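The separation the report recommends is only as good as the enforcement and the routine testing behind it. The following is an added example, not code from the article or from the NIST report: a small audit that reads constructed flow records, classifies each endpoint as belonging to the voice or data segment, and flags any cross-segment flow that is not on an explicit allow-list. The address ranges, the call-manager and admin-host addresses, the port numbers and the log format are all assumptions chosen for the example.

```python
from dataclasses import dataclass
import ipaddress

# Constructed segment layout (assumption): one voice range, one data range.
VOICE_NET = ipaddress.ip_network("10.10.0.0/16")
DATA_NET = ipaddress.ip_network("10.20.0.0/16")
# Constructed hosts (assumption): call-control server and a management workstation.
CALL_MANAGER = ipaddress.ip_address("10.10.0.5")
ADMIN_HOST = ipaddress.ip_address("10.20.0.50")
# Ports used only to describe what a stray flow reached (assumed conventional values).
SIP_PORTS = {5060, 5061}
RTP_RANGE = range(16384, 32768)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def segment(ip: str) -> str:
    """Map an address to the segment it belongs to."""
    addr = ipaddress.ip_address(ip)
    if addr in VOICE_NET:
        return "voice"
    if addr in DATA_NET:
        return "data"
    return "other"


def describe(flow: Flow) -> str:
    """Say which VoIP service a flow touched, for the audit report."""
    if flow.dport in SIP_PORTS:
        return "sip-signaling"
    if flow.proto == "udp" and flow.dport in RTP_RANGE:
        return "rtp-media"
    return "other"


def is_allowed(flow: Flow) -> bool:
    """Policy: segments may only talk internally, except the one
    management path (admin host -> call manager over SSH/HTTPS)."""
    if segment(flow.src) == segment(flow.dst):
        return True
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return src == ADMIN_HOST and dst == CALL_MANAGER and flow.dport in (22, 443)


def parse_flow_line(line: str) -> Flow:
    """Constructed record format: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto, int(dport))


def audit(log_text: str) -> list:
    """Return (flow, description) for every flow the policy would reject."""
    flows = [parse_flow_line(l) for l in log_text.splitlines() if l.strip()]
    return [(f, describe(f)) for f in flows if not is_allowed(f)]


# Constructed sample records: two phones talking to each other and to the
# call manager, the admin path, and a data-segment host reaching into the voice VLAN.
SAMPLE_LOG = """\
10.10.1.20 10.10.0.5 udp 5060
10.10.1.20 10.10.1.21 udp 16400
10.20.0.50 10.10.0.5 tcp 443
10.20.3.7 10.10.1.20 udp 5060
10.20.3.7 10.10.1.21 udp 16400
10.20.3.7 10.20.0.1 tcp 80
"""

if __name__ == "__main__":
    for flow, what in audit(SAMPLE_LOG):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} ({what})")
```

Run against real flow exports, the same check turns the report's "routinely testing" advice into a repeatable control: any flow the audit prints is either a firewall rule that drifted or a host on the wrong segment.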
Another recommendation says that "if practical," VoIP softphones should not be used where either security or privacy is a priority. A softphone involves using an ordinary PC with a headset and special software instead of a typical telephone unit.
Many analysts and even VoIP hardware vendors have discussed VoIP security for years, but the predominant thinking seems to be that such systems can be installed in a secure way. Many analysts believe that a bigger concern for enterprises weighing VoIP use is whether enough business-centered applications can be used atop a VoIP system to make it worthwhile, not whether the systems can be made secure.
One analyst, Zeus Kerravala at The Yankee Group in Boston, noted today that the report doesn't seem to have had much impact on companies deploying the technology. Many large enterprises and many federal agencies, some with tens of thousands of users, are already deploying VoIP systems effectively and securely, he said.
"Obviously it's important to think about security with VoIP, but to say some of what they've said, especially about softphones, shows a little bit of backwards thinking," Kerravala said. "I think, somewhat, it's written by Luddites."
Kerravala said that softphones can be made secure, depending on the desktop software being used. "I think that if you are the head of the CIA, you already probably have a secure desktop environment that will support a softphone," he said.
Vendors are beginning to treat VoIP phones as true computing devices, and Cisco Systems Inc. and other vendors have started installing digital certificates on IP phones, Kerravala said. "The more IP telephony becomes an appliance, you have to think it will be more secure," he said.
Ray Bjorklund, an analyst at Federal Sources Inc. in McLean, Va., said the report might be especially valuable for federal agencies involved in war or national security efforts in which network security is paramount. "If an operation overseas were suddenly relying on IP to transmit voice through a satellite or through the Public Switched Telephone Network with many places for potential failure, that's a particular problem for the national security community," he said.
Even a large corporation such as a bank might not have the level of security need that a wartime agency would want, he said. Some federal agencies are already deploying VoIP, at least within divisions or branches, he said. Included in that number is the U.S. Marine Corps, which is deploying combat systems that rely on Internet phones. The Defense Information Systems Agency is also developing a strategy for departmentwide VoIP usage, officials said last year.
Bjorklund said the NIST report is noteworthy if only because NIST is a government agency and independent of market influences. "This is worth noting, and not like a white paper from a vendor, which could be just a little biased," he said.
He agreed that VoIP can be made secure for most administrative and business applications, although he questioned whether it can be made secure with today’s technology for the most sensitive government needs. "Someday, vendors will get the technology so that government will feel comfortable with it, but that day's not here yet," he said.
One of the authors, Kuhn, said in an interview today that NIST provides advice on all kinds of technologies and nothing in the VoIP report is designed to warn people away from using the technology entirely.
"VoIP is moving ahead very, very fast" in the commercial and government sectors, Kuhn said. "We don't want to scare people away from this. But we want to point out that this is complex technology and there are a lot of security considerations that they may not have thought of. It's more than just moving data."
The range of security products for VoIP security is "pretty good" and has advanced appreciably in the last year since the report was started, he said. "You can get the security tools, and it's a question of finding the right vendor for your needs," Kuhn said.
By Matt Hamblen