A focus on security is essential to convergence

As with any other communications initiative, security is paramount

One of the issues that has held up broader application of voice over IP by government agencies has been a concern over the security of voice traffic running over IP networks. In the current security environment, where the threats are even more diverse, that concern also figures to be a potential brake on the development of converged communications.

Misapplied security can also badly affect VOIP performance because quality of service is fundamental to its operation. If not configured correctly, firewalls can delay or block call setups, for example, and encryption can introduce latency and garble-producing jitter.

The National Institute of Standards and Technology lays out the pros and cons of VOIP in its Special Publication 800-58, the document that forms the baseline security requirements for VOIP for all federal agencies.

“VOIP has a very different architecture than traditional circuit-based telephony, and these differences result in significant security issues,” the NIST document states. “Administrators may mistakenly assume that since digitized voice travels in packets, they can simply plug VOIP components into their already-secured networks and remain secure. However, the process is not that simple.”

One of the biggest barriers in any early discussion with agencies about VOIP and converged communications is the use of IP, said Bill Long, vice president of enterprise voice services at Level 3 Communications. They see it as voice running over the public Internet, and they have to be convinced that it is voice actually running over a private IP connection. Only after that can you talk about the tools you can use with VOIP and tricks that were never possible with time-division multiplexing.

That fear, mistaken or not, led to policies at many agencies that forbade IP voice communications. Even today, Ron Hayes, solutions architect at Avaya Government Solutions, said he runs into roadblocks because agencies still have a physical separation between voice networks and their data networks, which makes it difficult to have any meaningful discussion about such things as unified communications.

The answer is for voice and other data networks to be logically separated on the converged IP network, but convincing agencies of that solution is still an uphill battle in many cases, though there are some early glimmers of hope. Security-conscious intelligence agencies have begun to converge their networks using logically separated virtual local-area networks, said Scott Anderson, vice president of cloud strategy at Avaya Government Solutions.

“However, they’re doing that on the classified side first because that is already physically separated from the [public switched telephone network],” he said. “They are only now getting to the point where they are evaluating doing the same for the unclassified network.”

The latest version of NIST’s SP 800-58 holds out hope for broader adoption of VOIP in government because it now includes the security requirements of the Defense Department and intelligence agencies, which it previously didn’t.

NIST’s VOIP security recommendations

1. Develop an appropriate network architecture that includes logically different networks for voice and data, a mechanism to allow voice-over-IP traffic through firewalls, stateful packet filters, remote access security, and encryption at the router rather than endpoints to ensure performance.

2. Ensure that the organization has examined and can acceptably manage and mitigate the risks to its information, system operations and continuity of essential operations when deploying VOIP.

3. Give special consideration to Enhanced 911 emergency services communications.

4. Be aware of physical control requirements and deploy accordingly.

5. Ensure that sufficient backup power is available.

6. Use VOIP-ready firewalls and other appropriate mechanisms.

7. If practical, do not use softphone systems, which implement VOIP via software on an ordinary PC.

8. If mobile units are integrated with the VOIP system, use Wi-Fi Protected Access security.

9. Carefully review statutory requirements regarding privacy and record retention with competent legal advisers.

About this Report

This report was commissioned by the Content Solutions unit, an independent editorial arm of 1105 Government Information Group. Specific topics are chosen in response to interest from the vendor community; however, sponsors are not guaranteed content contribution or review of content before publication.