NIST issues recommendations for secure VOIP

NIST issues recommendations for secure VOIP

The National Institute of Standards and Technology has offered some cautionary advice for offices considering moving their telephone systems to voice over IP.

'VOIP introduces both security risks and opportunities,' NIST said in a recently released report. 'Lower cost and greater flexibility are among the promises of VOIP for the enterprise, but VOIP should not be installed without careful consideration of the security problems introduced.'

The report, Security Considerations for Voice over IP Systems, offers recommendations for using VOIP. According to NIST, the need to logically separate voice and data traffic, provide backup power and ensure business continuity could seriously compromise the promise of a single, inexpensive voice and data network.

NIST Special Publication 800-58 is the final version of a draft report published in April by the agency's Computer Security Division.

Complications introduced by VOIP include the need for quality of service so that voice calls sound acceptable. Common network security components such as firewalls can degrade voice quality and interfere with the setup of calls.

Making sure networking equipment and security tools are compatible with VOIP protocols is also a challenge. There are emerging standards for session initiation, but no standard has become dominant and proprietary protocols still are being used.

'VOIP is still an emerging technology, so it is difficult to develop a complete picture of what a mature worldwide VOIP network will one day look like,' NIST said.

Enterprises climbing on the VOIP bandwagon before it matures will have to pay special attention to ensuring their networks will accommodate the added complexity and new security considerations.

According to NIST, an appropriate network architecture should include separate voice and data subnets, if feasible, and the VOIP protocols should not be allowed onto the data network. A mechanism for allowing VOIP traffic through firewalls is needed, and encryption might have to be moved from the end device to a router or other gateway if end devices are not powerful enough to handle this chore.

'The integration of a VOIP system into an already congested or overburdened network could create serious problems for the organization,' NIST said.

The agency recommended that organizations conduct risk assessments, especially if VOIP is to be deployed in a mission-critical operation.

About the Author

William Jackson is a Maryland-based freelance writer.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.