NIST offers guidelines for securing VOIP

Voice over IP technology offers potential cost savings and increased functionality, but it also may introduce new security headaches for systems administrators, the National Institute of Standards and Technology has warned.

"VOIP adds a number of complications to existing network technology, and these problems are magnified by security considerations," the agency said in a draft version of security guidelines released today for public comment.

Special Publication 800-58, Security Considerations for Voice Over IP Systems, is available online. Comments on the draft will be accepted until June 18.

Firewalls can delay or block call setups, and encryption can introduce unacceptable latency. Putting voice on data networks opens new potential avenues for attacks to the data network, and Network Address Translation complicates the process.

"VOIP is still an emerging technology," NIST said, and agencies considering it should carefully assess their understanding of the technology and the associated risks, and the maturity of both their IT and physical security. Because anyone with physical access to the LAN could potentially monitor voice traffic, access control to network elements is critical.

NIST recommends:

  • Separating voice and data traffic on logically different networks

  • Denying access to the voice gateway from the data network

  • Using firewalls designed for VOIP traffic

  • Using IPsec or Secure Shell as well as strong authentication for remote management and auditing

  • Encrypting voice traffic at the router or gateway if performance is a problem. Newer IP phones are able to handle Advanced Encryption Standard algorithms. Federal Information Processing Standard 140-2 certification is required for federal use.


Agencies also should consider how Enhanced 911 service, which provides the location of the caller to emergency dispatchers, will be provided. "Although most VOIP vendors have workable solutions for E-911 service, government regulators and vendors are still working out standards," NIST said.

About the Author

William Jackson is a Maryland-based freelance writer.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here
close

Trending

  • Dive into our Contract Award database

    In an exclusive for WT Insider members, we are collecting all of the contract awards we cover into a database that you can sort by contractor, agency, value and other parameters. You can also download it into a spreadsheet. Our databases track awards back to 2013. Read More

  • Navigating the trends and issues of 2016 Nick Wakeman

    In our latest WT Insider Report, we pull together our best advice, insights and reporting on the trends and issues that will shape the market in 2016 and beyond. Read More

contracts DB

Washington Technology Daily

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.