NIST suggests VoIP caution

Links Special Publication 800-58

IP telephony, or voice over IP, poses significant security problems that are challenges at the moment but will become easier eventually, security experts at the National Institute of Standards and Technology say in a draft report released this month.

The authors of the new report say it could be several years before the uncertainty about competing standards is resolved and VoIP systems become mainstream. In the meantime, federal agencies should be careful to acquire the right hardware and software for making their VoIP systems secure.

The authors, Richard Kuhn, Thomas Walsh and Steffen Fries, warn that attempting to integrate VoIP into an already congested data network "could be disastrous for an organization's technology infrastructure."

Because it is unknown which signaling protocol will emerge as a winner in the marketplace, federal agency officials interested in VoIP should buy gateways and other network devices that support both the H.323 protocol and the Session Initiation Protocol, or SIP.

Agency officials must also weigh VoIP security considerations when they select a virtual private network. The NIST document discusses in detail the pluses and minuses of end-to-end VPNs versus firewall-based VPNs.

Security measures can cause numerous complications in VoIP applications, not least of which are firewall-induced delays in setting up calls or encryption-produced latency, the report says.

Another source of complication is the common use of Network Address Translation, a security technique that permits several computers within a local-area network to share an IP address. NAT creates a situation analogous to a telephone network in which several phones have the same telephone number.

Readers can comment on the Special Publication 800-58 draft until June 18 by submitting their suggestions to Rick Kuhn at sp800-58@nist.gov.