Interesting People mailing list archives
NIST report urges caution with VoIP security
From: David Farber <dave () farber net>
Date: Thu, 27 Jan 2005 09:55:41 -0500
------ Forwarded Message From: Dewayne Hendricks <dewayne () warpspeed com> Reply-To: <dewayne () warpspeed com> Date: Thu, 27 Jan 2005 06:30:24 -0800 To: Dewayne-Net Technology List <dewayne-net () warpspeed com> Subject: [Dewayne-Net] NIST report urges caution with VoIP security [Note: This item comes from reader Linda Wellstein. DLH] NIST report urges caution with VoIP security Softphone use should be avoided if possible, one recommendation says News Story by Matt Hamblen < http://www.computerworld.com/newsletter/0,4902,99258,00.html?nlid=PM> JANUARY 26, 2005 (COMPUTERWORLD) - A new report from the National Institute of Standards and Technology urges federal agencies and other organizations to take care in switching to voice-over-IP technology because of security concerns. The 99-page NIST report, ³Security Considerations for Voice over IP Systems,² includes nine recommendations for IT managers to help them implement VoIP in a secure manner. ³Lower cost and greater flexibility are among the promises of VoIP for the enterprise, but VoIP should not be installed without careful consideration of the security problems introduced,² the report says. ³Administrators may mistakenly assume that since digitized voice travels in packets, they can simply plug VoIP components into their already-secure networks and remain secure. However, the process is not that simple,² the report says. The report, authored by NIST computer security experts Richard Kuhn and Thomas Walsh, as well as Steffen Fries of Siemens AG, appeared in draft form last June and was formally released in final form earlier this month. Today, NIST included excerpts from it in an e-mail newsletter. Among its recommendations, the report calls for building logically separate voice and data networks where practical, instead of building a single converged network. It also calls for using VoIP firewalls and routinely testing them. Another recommendation says that ³if practical,² VoIP softphones should not be used where either security or privacy is a priority. A softphone involves using an ordinary PC with a headset and special software instead of a typical telephone unit. Many analysts and even VoIP hardware vendors have discussed VoIP security for years, but the predominant thinking seems to be that such systems can be installed in a secure way (see story). Many analysts believe that a bigger concern for enterprises weighing VoIP use is whether enough business-centered applications can be used atop a VoIP system to make it worthwhile, not whether the systems can be made secure. One analyst, Zeus Kerravala at The Yankee Group in Boston, noted today that the report doesn¹t seem to have had much impact on companies deploying the technology. Many large enterprises and many federal agencies, some with tens of thousands of users, are already deploying VoIP systems effectively and securely, he said. ³Obviously it¹s important to think about security with VoIP, but to say some of what they¹ve said, especially about softphones, shows a little bit of backwards thinking,² Kerravala said. ³I think, somewhat, it¹s written by Luddites.² Kerravala said that softphones can be made secure, depending on the desktop software being used. ³I think that if you are the head of the CIA, you already probably have a secure desktop environment that will support a softphone,² he said. Vendors are beginning to treat VoIP phones as true computing devices, and Cisco Systems Inc. and other vendors have started installing digital certificates on IP phones, Kerravala said. ³The more IP telephony becomes an appliance, you have to think it will be more secure,² he said. [snip] Archives at: <http://Wireless.Com/Dewayne-Net> Weblog at: <http://weblog.warpspeed.com> ------ End of Forwarded Message ------------------------------------- You are subscribed as interesting-people () lists elistx com To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- NIST report urges caution with VoIP security David Farber (Jan 27)