NIST report urges caution with VoIP security

[David Farber <dave () farber net>]

------ Forwarded Message
From: Dewayne Hendricks <dewayne () warpspeed com>
Reply-To: <dewayne () warpspeed com>
Date: Thu, 27 Jan 2005 06:30:24 -0800
To: Dewayne-Net Technology List <dewayne-net () warpspeed com>
Subject: [Dewayne-Net] NIST report urges caution with VoIP security

[Note:  This item comes from reader Linda Wellstein.  DLH]

NIST report urges caution with VoIP security
  Softphone use should be avoided if possible, one recommendation says
News Story by Matt Hamblen
< http://www.computerworld.com/newsletter/0,4902,99258,00.html?nlid=PM>

   JANUARY 26, 2005  (COMPUTERWORLD)  -  A new report from the National
Institute of Standards and Technology urges federal agencies and other
organizations to take care in switching to voice-over-IP technology
because of security concerns.

  The 99-page NIST report, ³Security Considerations for Voice over IP
Systems,² includes nine recommendations for IT managers to help them
implement VoIP in a secure manner. ³Lower cost and greater flexibility
are among the promises of VoIP for the enterprise, but VoIP should not
be installed without careful consideration of the security problems
introduced,² the report says.

  ³Administrators may mistakenly assume that since digitized voice
travels in packets, they can simply plug VoIP components into their
already-secure networks and remain secure. However, the process is not
that simple,² the report says.

  The report, authored by NIST computer security experts Richard Kuhn
and Thomas Walsh, as well as Steffen Fries of Siemens AG, appeared in
draft form last June and was formally released in final form earlier
this month. Today, NIST included excerpts from it in an e-mail
newsletter.

  Among its recommendations, the report calls for building logically
separate voice and data networks where practical, instead of building a
single converged network. It also calls for using VoIP firewalls and
routinely testing them.

  Another recommendation says that ³if practical,² VoIP softphones
should not be used where either security or privacy is a priority. A
softphone involves using an ordinary PC with a headset and special
software instead of a typical telephone unit.

  Many analysts and even VoIP hardware vendors have discussed VoIP
security for years, but the predominant thinking seems to be that such
systems can be installed in a secure way (see story).

  Many analysts believe that a bigger concern for enterprises weighing
VoIP use is whether enough business-centered applications can be used
atop a VoIP system to make it worthwhile, not whether the systems can
be made secure.

  One analyst, Zeus Kerravala at The Yankee Group in Boston, noted today
that the report doesn¹t seem to have had much impact on companies
deploying the technology. Many large enterprises and many federal
agencies, some with tens of thousands of users, are already deploying
VoIP systems effectively and securely, he said.

  ³Obviously it¹s important to think about security with VoIP, but to
say some of what they¹ve said, especially about softphones, shows a
little bit of backwards thinking,² Kerravala said. ³I think, somewhat,
it¹s written by Luddites.²

  Kerravala said that softphones can be made secure, depending on the
desktop software being used. ³I think that if you are the head of the
CIA, you already probably have a secure desktop environment that will
support a softphone,² he said.

  Vendors are beginning to treat VoIP phones as true computing devices,
and Cisco Systems Inc. and other vendors have started installing
digital certificates on IP phones, Kerravala said. ³The more IP
telephony becomes an appliance, you have to think it will be more
secure,² he said.

[snip]

Archives at: <http://Wireless.Com/Dewayne-Net>
Weblog at: <http://weblog.warpspeed.com>


------ End of Forwarded Message


-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/