Calling all networks

VOIP how to

NIST recommendations


In Special Publication 800-58, Security Considerations for Voice Over IP Systems, the National Institute of Standards and Technology makes recommendations for securing VOIP networks.


NIST cautions that VOIP is an emerging technology still sorting out what protocols it will use, but offers these general guidelines:

  • Develop an appropriate network architecture. Voice and data traffic should be logically separated, and remote management of equipment should be avoided.

  • A mechanism for allowing VOIP traffic through firewalls is necessary. Use VOIP-ready firewalls and other security tools.

  • Ensure the organization has examined and can mitigate risks to the IT infrastructure introduced by VOIP. The more critical the mission of an IT system, the less risk is acceptable.

  • Consider Enhanced 911. Standards for enabling E911, which lets emergency dispatchers know where a call is coming from, still are being developed.

  • Securing physical access is important in a VOIP environment because anyone with access to the LAN could monitor voice as well as data traffic.

  • Consider the cost of backup power systems.

  • Avoid softphones, VOIP clients that run as software on PCs: they sit on the data network rather than the voice segment and share the PC's exposure to worms, viruses and other vulnerabilities.

  • If mobile VOIP devices use WiFi connections, employ WiFi Protected Access (WPA) security.

  • Review privacy and record retention requirements.


Network readiness


    Telchemy Inc. of Atlanta provides VOIP performance management, a new area of practice getting the attention of IT administrators as they try to accommodate voice traffic on data IP networks.

    Telchemy suggests a six-step program to ready a network for VOIP:
  • Define peak VOIP requirements, the number of simultaneous calls expected between locations, to determine the bandwidth needed between them. These needs will determine the equipment used.

  • Map existing WAN and VPN capabilities so bandwidth can be budgeted between sites, and verify that routers can prioritize Real-time Transport Protocol traffic.

  • Verify LAN readiness. Even with switched Ethernet, duplex mismatch, excessively long Ethernet segments or bad cable connections can cause problems.

  • Verify intersite readiness before deployment by testing under real-world network conditions.

  • Service level agreements with service providers should be clearly defined using VOIP performance metrics. Acceptable conditions on a data network might be unacceptable for voice.

  • Define performance management architecture and tools when negotiating with a service provider.
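The first two steps, bandwidth per site and per link, come down to arithmetic on codec rates and header sizes, and an added example makes the numbers concrete. The Python below is not Telchemy's or NIST's code; it uses the standard RTP, UDP, IPv4 and Ethernet header sizes and codec rates, and treats the IPsec tunnel overhead (56 bytes per packet) and the 75 percent planning ceiling as assumptions to be replaced with measured values for the real link.

```python
"""Per-call and per-link VoIP bandwidth budgeting.

Added example, not Telchemy's or NIST's code. Codec rates and header sizes
are the standard values; the IPsec overhead and the 75% planning ceiling are
assumptions and should be replaced with measured figures for the real link.
"""
import math
from dataclasses import dataclass

RTP_HDR, UDP_HDR, IPV4_HDR = 12, 8, 20   # bytes, no header compression
ETH_OVERHEAD = 14 + 4                    # Ethernet header + FCS (preamble/IFG not counted)
IPSEC_TUNNEL_OVERHEAD = 56               # assumed per-packet cost of an ESP tunnel (outer IP + ESP + ICV)


@dataclass(frozen=True)
class Codec:
    name: str
    bit_rate: int   # bits per second of encoded audio
    frame_ms: int   # audio carried in one RTP packet (packetization interval)


CODECS = {
    "G.711": Codec("G.711", 64_000, 20),
    "G.729": Codec("G.729", 8_000, 20),
    "G.723.1": Codec("G.723.1", 6_300, 30),
}


def payload_bytes(codec: Codec) -> int:
    """Encoded audio per packet; e.g. G.711 at 20 ms is 160 bytes."""
    return math.ceil(codec.bit_rate * codec.frame_ms / 8000)


def per_call_bps(codec: Codec, tunnel_overhead: int = 0, layer2_overhead: int = ETH_OVERHEAD) -> int:
    """Bandwidth for ONE direction of one call, every header included.

    A conversation is full duplex, so the other direction needs the same
    amount; on a full-duplex link each direction is budgeted separately.
    """
    packets_per_second = 1000 / codec.frame_ms
    packet_bytes = (payload_bytes(codec) + RTP_HDR + UDP_HDR + IPV4_HDR
                    + tunnel_overhead + layer2_overhead)
    return round(packet_bytes * 8 * packets_per_second)


def link_budget(concurrent_calls: int, codec: Codec, link_bps: int,
                tunnel_overhead: int = 0, max_voice_fraction: float = 0.75) -> dict:
    """Check whether the peak number of simultaneous calls fits a site-to-site link.

    max_voice_fraction is an assumed planning ceiling: the share of the link
    the voice priority queue may claim before data traffic is starved.
    """
    call_bps = per_call_bps(codec, tunnel_overhead)
    voice_bps = call_bps * concurrent_calls
    return {
        "codec": codec.name,
        "per_call_bps": call_bps,
        "voice_bps": voice_bps,
        "utilization": voice_bps / link_bps,
        "fits": voice_bps <= max_voice_fraction * link_bps,
    }


if __name__ == "__main__":
    T1 = 1_544_000
    for codec in CODECS.values():
        print(f"{codec.name:8s} {per_call_bps(codec):7d} bps/call on Ethernet, "
              f"{per_call_bps(codec, IPSEC_TUNNEL_OVERHEAD):7d} bps/call through an IPsec tunnel")
    print(link_budget(20, CODECS["G.711"], T1))
    print(link_budget(20, CODECS["G.729"], T1, tunnel_overhead=IPSEC_TUNNEL_OVERHEAD))
```

G.711 on Ethernet comes to 87.2 kbps per direction per call and G.729 to 31.2 kbps, so twenty G.711 calls overrun a T1 while twenty G.729 calls fit. A VPN adds its tunnel header to every 20 ms packet, which hurts the small-payload codecs most: the assumed 56 bytes raises G.729's per-call cost by about 70 percent, which is why the VPN in step two has to be mapped before the bandwidth is budgeted.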


    Voice over IP is slowly catching on, but agencies should proceed cautiously. NIST and others offer guidance for the VOIP-ready network.

    When IT specialist Dale Baskerville arrived at the Federal Law Enforcement Training Center's new D.C.-area facility in May 2002, she saw a rare opportunity to build a telecommunications system from scratch. FLETC is an interagency organization under the Homeland Security Department that does refresher training for officers on the job.

    'Our organization was brand new,' Baskerville said. 'Why not start off with brand new technology, rather than go back to copper and then forward again?'

    In telecommunications today, brand-new usually means voice over IP, the ability to route phone calls through an IP infrastructure. The FLETC facility at Cheltenham, Md., put its voice and data traffic on a single VOIP network that Baskerville said has simplified network administration, cut costs and increased her control over telecom resources. And the agency continues to build out.

    The facility began with only 20 people, and the VOIP implementation was small. It started with phones and small switches from Avaya Inc. of Basking Ridge, N.J. Then the system expanded, with an Alpine 8800 switch from Extreme Networks Inc. of Cupertino, Calif., at the core and smaller Avaya switches at the edge. VOIP now also reaches a FLETC facility in Charleston, S.C., and the agency hopes eventually to link all its far-flung sites with VOIP, from headquarters in Glynco, Ga., to another training center in Artesia, N.M.

    Overall, Baskerville is pleased with her agency's move to VOIP, but it's not without issues. The lessons she and other government experts have learned can help guide agencies through what can be a significant technology rollout.

    Most government telephone traffic still is carried on the public switched telephone network (PSTN), but interest in moving to VOIP networks is growing.

    'There is a real push to save costs, and that is the big selling point,' said Richard Kuhn, a computer scientist in the National Institute of Standards and Technology's Computer Security Division.

    But those savings can come at the cost of added network complexity. Putting voice on an existing IP network can be trickier than building a converged network from scratch. Not to mention that when voice traffic runs on an IP network, it is subject to some of the same security threats data networks face.

    Voice lessons

    In practice, VOIP can take a variety of forms. An organization can put voice traffic on its own IP enterprise network and link with the PSTN through an IP private branch exchange. Or it can use a service provider to carry its voice traffic over the service provider's IP network. What's more, organizations can use VOIP to different extents: end-to-end or, for example, just between private branch exchanges, with calls eventually routed to the end users over regular lines.

    'Today, people are knocking down our doors,' said Pete Sandrev, president of hosted service operations for Broadvox Ltd. of Cleveland. 'Is there still hesitancy? Of course there is. But the barriers to entry are down.'

    One of the initial barriers has been the quality of service. Traditionally, VOIP calls haven't been as clear and jitter-free as regular phone calls. Sandrev said Broadvox addresses that concern by managing its own IP network and by managing expectations.

    'I've learned to manage my expectations in the cellular realm, and so too in the VOIP realm,' he said.

    CommPartners Ltd., a VOIP service provider based in Las Vegas, tries to stay away from the Internet.

    'As a transport vehicle, it has weaknesses,' said Mark Peterson, vice president of sales and marketing.

    CommPartners acts as a competitive local exchange carrier with interconnection agreements giving it access to the PSTN to 'take the voice call off the public Internet as quickly as we can,' Peterson said.

    Both Broadvox and CommPartners see most adoption occurring in small and midsize businesses that need to squeeze every bit of value out of their phone systems. Security is not their primary concern, Sandrev said. However, that's the polar opposite of government requirements.

    'Security is the biggest issue in the federal government,' he said.

    'VOIP should not be installed without careful consideration of the security problems introduced,' NIST warned in a January report co-authored by Kuhn.

    Industry understands and is taking measures to help. Equipment vendors and service providers see VOIP as poised to make the leap from early adoption to mainstream implementation. To help ensure the transition is not interrupted by security and management concerns, a handful of companies and research groups have formed the VOIP Security Alliance.

    'History shows us that hot technologies are widely deployed before the security aspects are fully examined,' said David Endler, director of TippingPoint Technologies' Digital Vaccine line of intrusion prevention filters. 'We felt that the time was right to form a group of like-minded people.'

    TippingPoint, which in January became a division of 3Com Corp. of Santa Clara, Calif., announced formation of the alliance in February. The goal, Endler said, was to get a head start on hackers.

    'I think in the next couple of years we're going to see an increase in attacks on the VOIP infrastructure,' he said. 'We all want VOIP to be successful. In order to be successful, it has to be secure.'

    But security need not be a big concern, FLETC's Baskerville said.

    'You have to be more mindful of viruses,' she said. 'But if you have your security battened down, you're OK.'

    Secure with Unix

    The fact that Avaya equipment runs on Unix operating systems rather than Windows was a major selling point for Baskerville, because most widespread exploits are targeted at Windows.

    'It cuts out 50 percent of any terrorism,' she said. 'They never get around to my Unix world.'

    To date, there have been few, if any, specific VOIP attacks, because adoption has not been broad enough to attract hostile attention, TippingPoint's Endler said.

    'In the near term, the threats are the same as the ones to your data network,' he said. But exploits of VOIP vulnerabilities are only a matter of time.

    TippingPoint does intrusion prevention. One of its goals in creating the VOIP Security Alliance was to develop testing tools and methodologies for assessing VOIP vulnerabilities, and best practices for fixing them.

    Because VOIP is IP, there already are tools for securing the traffic.

    'I think the components are there,' Endler said. But performance and usability still are challenges.

    As NIST points out in its report, VOIP demands often conflict with security devices such as firewalls and can run afoul of Network Address Translation, a tool used to stretch the IPv4 address space by letting a number of endpoints share one public IP address. The media ports for a call are negotiated dynamically inside the signaling, and the addresses carried there are the endpoints' internal ones, which is exactly what a firewall or NAT device cannot see without inspecting the call setup.

    'Packet networks depend on a large number of configurable parameters,' NIST says. 'Many of these network parameters are established dynamically every time network components are restarted, or when a VOIP telephone is restarted or added to the network. Because there are so many places in a network with dynamically configurable parameters, intruders have a wide array of potentially vulnerable points to attack.'
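What that conflict looks like in practice, as an added example (not NIST's or any vendor's code): a stateful firewall sees a SIP INVITE on UDP port 5060, but the RTP and RTCP ports for the call are chosen per call and announced only in the SDP body, so a VOIP-ready firewall has to parse the signaling to open them; and when the phone sits behind NAT, the SDP c= line carries its RFC 1918 address, which the far end cannot reach, so the firewall or a session border controller must also rewrite it. The INVITE below is constructed; its addresses come from the RFC 1918 and documentation ranges.

```python
"""SIP/SDP inspection of the kind a VOIP-aware firewall performs.

Added example, not NIST's or any vendor's code. The INVITE is constructed;
addresses are from the RFC 1918 and documentation ranges.
"""
import ipaddress
import re


class SipError(ValueError):
    """Message is malformed or uses something this inspector does not support."""


CONN_RE = re.compile(r"c=IN IP4 (\d{1,3}(?:\.\d{1,3}){3})")
MEDIA_RE = re.compile(r"m=(audio|video) (\d+)(?:/\d+)? (RTP/S?AVP) ([\d ]+)")
RTCP_RE = re.compile(r"a=rtcp:(\d+).*")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_invite(media_ip: str, rtp_port: int) -> bytes:
    """Construct a minimal SIP INVITE carrying an SDP offer (sample input)."""
    sdp = (
        "v=0\r\n"
        f"o=alice 2890844526 2890844526 IN IP4 {media_ip}\r\n"
        "s=-\r\n"
        f"c=IN IP4 {media_ip}\r\n"
        "t=0 0\r\n"
        f"m=audio {rtp_port} RTP/AVP 0 8 101\r\n"
        "a=rtpmap:0 PCMU/8000\r\n"
        "a=rtpmap:8 PCMA/8000\r\n"
        "a=rtpmap:101 telephone-event/8000\r\n"
        "m=video 0 RTP/AVP 31\r\n"          # port 0: video listed but disabled
    )
    headers = (
        "INVITE sip:bob@example.org SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {media_ip}:5060;branch=z9hG4bK776asdhds\r\n"
        "From: <sip:alice@example.org>;tag=1928301774\r\n"
        "To: <sip:bob@example.org>\r\n"
        f"Call-ID: a84b4c76e66710@{media_ip}\r\n"
        "CSeq: 314159 INVITE\r\n"
        f"Contact: <sip:alice@{media_ip}:5060>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(sdp)}\r\n"
        "\r\n"
    )
    return (headers + sdp).encode("ascii")


def split_message(raw: bytes):
    """Split start line, headers and body, enforcing the declared Content-Length."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise SipError("no end of headers")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError as exc:
        raise SipError("non-ASCII header block") from exc
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise SipError(f"bad header line {line!r}")
        headers[name.strip().lower()] = value.strip()
    try:
        declared = int(headers.get("content-length", "0"))
    except ValueError as exc:
        raise SipError("non-numeric Content-Length") from exc
    if declared != len(body):
        # A firewall must not parse a body the header does not vouch for.
        raise SipError(f"Content-Length {declared} but body is {len(body)} bytes")
    return lines[0], headers, body.decode("ascii")


def media_pinholes(raw: bytes, max_media: int = 4) -> list:
    """Return the UDP holes (RTP and RTCP) the firewall must open for this offer.

    Without reading the SDP a stateful firewall cannot know these ports: they
    are chosen per call and carried only inside the signaling.
    """
    _, headers, sdp = split_message(raw)
    if headers.get("content-type", "").lower() != "application/sdp":
        return []
    session_ip = None
    media = []
    for line in sdp.split("\r\n"):
        if line.startswith("c="):
            m = CONN_RE.fullmatch(line)
            if not m:
                raise SipError(f"unsupported connection line {line!r}")
            addr = ipaddress.IPv4Address(m.group(1))
            if media:
                media[-1]["ip"] = addr        # media-level c= overrides the session-level one
            else:
                session_ip = addr
        elif line.startswith("m="):
            if len(media) >= max_media:
                raise SipError("too many media descriptions")   # bound the state we keep
            m = MEDIA_RE.fullmatch(line)
            if not m:
                raise SipError(f"unsupported media line {line!r}")
            port = int(m.group(2))
            media.append({"kind": m.group(1), "ip": None, "rtp_port": port, "rtcp_port": port + 1})
        elif line.startswith("a=rtcp:") and media:
            m = RTCP_RE.fullmatch(line)
            if m:
                media[-1]["rtcp_port"] = int(m.group(1))
    holes = []
    for md in media:
        if md["rtp_port"] == 0:
            continue                          # port 0 means this stream is off
        addr = md["ip"] or session_ip
        if addr is None:
            raise SipError("media without a connection address")
        for port in (md["rtp_port"], md["rtcp_port"]):
            if not 1024 <= port <= 65535:
                raise SipError(f"refusing to open port {port}")
        holes.append({"kind": md["kind"], "ip": str(addr), "rtp_port": md["rtp_port"],
                      "rtcp_port": md["rtcp_port"], "rfc1918": any(addr in n for n in RFC1918)})
    return holes


def needs_sdp_rewrite(holes: list, packet_src_ip: str) -> bool:
    """True when the SDP advertises an address other than the one the packet
    came from, or a private one: the signature of an endpoint behind NAT and
    the reason a VOIP-aware firewall or SBC has to rewrite the c=/m= lines."""
    return any(h["ip"] != packet_src_ip or h["rfc1918"] for h in holes)


def accepts(raw: bytes) -> bool:
    """True if the inspector parses the message cleanly, False if it rejects it."""
    try:
        media_pinholes(raw)
        return True
    except SipError:
        return False


if __name__ == "__main__":
    offer = build_invite("10.1.1.25", 49170)
    holes = media_pinholes(offer)
    print(holes)
    print("SDP rewrite needed:", needs_sdp_rewrite(holes, "192.0.2.44"))
```

The inspector opens only the ports the offer names, refuses the privileged range and an unbounded number of media lines, and trusts the body only to the length the header declares; a real deployment would also close the pinholes when the BYE or a timeout arrives, which is the state-tracking that makes these devices more complex than an ordinary packet filter.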

    Configuring and securing a network for VOIP is complicated by the technology's lack of standards.

    'VOIP is still an emerging technology, so it is difficult to develop a complete picture of what a mature worldwide VOIP network will one day look like,' the report says.

    Malicious behavior is not the only threat to successful VOIP, said Alan Clark, president of Telchemy Inc. of Atlanta.

    'VOIP is a very appealing technology in many ways, but it is susceptible to problems,' Clark said. 'There is a conflict between security and quality.'

    Telchemy's business is VOIP fault and performance management. It uses monitors on an IP network to measure quality of service and identify problems, not an easy job. 'VOIP problems can be transitory and occur in a variety of places,' he said. Temporary congestion can result in packet loss or delays not noticed in data traffic and difficult to pinpoint or correct after the fact.

    Gathering lots of data for analysis is one key to fixing problems, and making sure your network is ready for the quality of service demanded by VOIP is another.
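How a monitor of the kind Clark describes measures those transient problems, as an added example that is not Telchemy's code: the receiver-side loss and interarrival-jitter estimator from RFC 3550, the same figures every RTCP receiver report carries, run over a constructed trace of a G.711 stream in which one packet is lost and three are held up by a short burst of congestion. The trace and its delays are made up for illustration.

```python
"""RTP packet loss and interarrival jitter (RFC 3550, section 6.4.1).

Added example, not Telchemy's code: the basic RFC 3550 receiver estimator
run over a constructed packet trace.
"""


def constructed_trace(n=20, lost=(12,), delays_ms=None, frame_ms=20, clock_rate=8000):
    """Constructed G.711-style stream: 20 ms frames, one lost packet, a short
    burst of queueing delay on packets 8-10. Records are (seq, rtp_timestamp,
    arrival_ms) in arrival order, the form a passive monitor would capture."""
    if delays_ms is None:
        delays_ms = {8: 30, 9: 25, 10: 15}
    ticks_per_frame = clock_rate * frame_ms // 1000              # 160 ticks at 8 kHz / 20 ms
    pkts = [(i, i * ticks_per_frame, i * frame_ms + delays_ms.get(i, 0))
            for i in range(n) if i not in lost]
    return sorted(pkts, key=lambda p: p[2])                      # arrival order


def rtp_stats(packets, clock_rate=8000):
    """Loss from extended sequence numbers plus the RFC 3550 smoothed jitter J,
    with the raw per-packet transit change that the smoothing hides."""
    ticks_per_ms = clock_rate / 1000
    cycles, prev_seq = 0, None
    seen = set()
    jitter = 0.0
    prev_transit = None
    trace = []                                                   # (seq, |D| ms, J ms)
    for seq, ts, arrival_ms in packets:
        # Extend the 16-bit sequence number across wraps (RFC 3550 A.1); a
        # packet reordered across the wrap boundary is not handled here.
        if prev_seq is not None and seq < prev_seq and prev_seq - seq > 32768:
            cycles += 65536
        prev_seq = seq
        seen.add(cycles + seq)
        # transit = arrival clock minus RTP timestamp, in timestamp units
        transit = arrival_ms * ticks_per_ms - ts
        if prev_transit is not None:
            d = abs(transit - prev_transit)                      # |D(i-1, i)|
            jitter += (d - jitter) / 16                          # J = J + (|D| - J) / 16
            trace.append((seq, d / ticks_per_ms, jitter / ticks_per_ms))
        prev_transit = transit
    expected = max(seen) - min(seen) + 1
    received = len(seen)
    peak = max(trace, key=lambda t: t[2]) if trace else (None, 0.0, 0.0)
    spike = max(trace, key=lambda t: t[1]) if trace else (None, 0.0, 0.0)
    return {
        "expected": expected,
        "received": received,
        "lost": expected - received,
        "loss_pct": 100.0 * (expected - received) / expected,
        "final_jitter_ms": jitter / ticks_per_ms,
        "peak_jitter_ms": peak[2],
        "peak_jitter_seq": peak[0],
        "max_delta_ms": spike[1],
        "max_delta_seq": spike[0],
        "trace": trace,
    }


if __name__ == "__main__":
    stats = rtp_stats(constructed_trace())
    for key, value in stats.items():
        if key != "trace":
            print(f"{key:16s} {value}")
```

The smoothed J lags the event: the largest single transit change is on packet 8, but J peaks three packets later and then decays over the following packets, so a five-minute RTCP average can hide a burst entirely. That is why a monitor that wants to pinpoint where in the call the congestion hit keeps the raw per-packet transit changes, or at least timestamps of when J crossed a threshold, alongside the RTCP figure.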

    In the end, Baskerville said, better control over telecom resources trumps the challenges posed by VOIP.

    'All you pay for from the telephone company is the pipe and a block of numbers,' she said. 'You now own all the numbers. When somebody new comes in, I can do it myself. I don't have to call the phone company and wait one, two, three days or a week or more to get it done. You don't have to pay them $25 to unlock a mailbox and wait for them to do it.'

    Which is not to say FLETC's move to VOIP has been flawless.

    'I've had problems with jitter on the line and feedback, but we work our way through it,' she said. 'You're always going to hit speed bumps.'

    The key to getting past the bumps is experienced support from your vendor, she said.

    'When you do an implementation, make sure you have a heavy hitter,' she said.

    Long-term outlook

    The public switched telephone network still sets the standard for voice quality and availability, and although new technologies and business models are turning the telecom industry upside down, VOIP is not yet poised to kill the PSTN.

    'We don't think the PSTN is going away anytime soon,' said CommPartners' Peterson. 'Particularly in the enterprise space.'

    Sandrev at Broadvox gives PSTN another 15 or 20 years but acknowledges that he could be selling the traditional network short.

    But there is no denying that VOIP is becoming a part of the telecom technology mix that network administrators must plan for.

    'You have to think it through and do it in phases,' said Baskerville. 'But in the long run, it saves so much wear and tear on your IT systems.'
