Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

NIST Reports on VoIP Security

NIST Reports on VoIP Security
by M. E. Kabay, PhD, CISSP
Associate Professor, Information Assurance
Norwich University, Northfield VT
Voice over IP (VoIP) technology digitizes sound and sends the data stream in packets through
the Internet. One would think at first that normal network security technologies would suffice to
protect the packet stream against interference. Unfortunately, voice transmission imposes timing
constraints on the data stream; if packets are not received quickly enough to ensure
reconstitution in the right order in real-time, people will perceive the sound as distorted.
International standards have set an upper bound of 150 ms on the delay (latency) in packet
delivery; this requirement imposes severe demands on the throughput of security equipment and
software – demands that exceed the norms common to data processing applications for networks.
D. Richard Kuhn and Thomas J. Walsh of the National Institute of Standards and Technology
and Steffen Fries of Siemens AG publish the final version of NIST Special Publication 800-58
in January 2005. I usually like the NIST SPs, but this one is particularly thorough and wellwritten.
After a brief introduction of the project scope (Chapter 1), the authors turn to an overview of
VoIP technology (Chapter 2) and then discuss the fundamentals of quality of service (QoS)
including latency, jitter (irregular delivery of bursts of packets followed by gaps in the
transmission), packet loss, effective bandwidth (much reduced in practice from the theoretical
bandwidth) and resilience (power failure backups, secondary systems) and susceptibility to
denial-of-service (DoS) attacks.
Chapter 4 reviews the International Telecommunication Union (ITU) standard H.323 that
specifies details of audio and video communications across packet networks. The authors
provide definitions, diagrams and summaries of the protocols involved in different types of calls.
They review security profiles and end with encryption issues (performance is a constant
problem to consider).
Chapter 5 deals with Session Initiation Protocol (SIP), the Internet Engineering Task Force
(IETF) standard used for VoIP. As in Chapter 4, the authors present the fundamental
architecture and terminology of SIP. They then review several aspects of security features
already integrated into SIP.
Chapters 6, 7, and 8 summarize the technological infrastructure of VoIP including specialized
gateways, firewalls, network address translation (NAT), call initiation, encryption and IPsec.
Chapter 9, “Solutions to the VOIPsec Issues,” discusses the following approaches:
 Encryption at the End Points
 Secure Real Time Protocol (SRTP)
 Key Management for SRTP – MIKEY
 Better Scheduling Schemes


Compression of Packet Size
Resolving NAT/IPsec Incompatibilities.
The final chapter is entitled “Planning for VOIP Deployment.” One of the most interesting
sections is a brief warning about the privacy implications of VoIP technology. The caller’s voice
is being carried over data networks and so there is some confusion over precisely which legal
privacy protections apply to these transmissions.
The authors end on a cautionary note:
“The construction of a VOIP network is an intricate procedure that should be studied in great
detail before being attempted. New risks can be introduced, and vulnerabilities of data packet
networks appear in new guises for VOIP . . . . The integration of a VOIP system into an already
congested or overburdened network could be catastrophic for an organization’s technology
infrastructure. There is no easy “one size fits all” solution to the issues discussed in these
chapters. . . . VOIP can be done securely, but the path is not smooth. It will likely be several
years before standards issues are settled and VOIP systems become a mainstream commodity.
Until then, organizations must proceed cautiously, and not assume that VOIP components are
just more peripherals for the local network. Above all, it is important to keep in mind the unique
requirements of VOIP, acquiring the right hardware and software to meet the challenges of VOIP
security.”
***
For further reading
Kuhn, D. R., T. J. Walsh & S. Fries (2005). Security Considerations for Voice Over IP Systems.
NIST SP 800-58.
< http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf >
***
A Master’s degree in the management of information assurance in 18 months of online study
from Norwich University – see
< http://www.msia.norwich.edu/ > for details.
M. E. Kabay, PhD, CISSP is Associate Professor in the Division of Business and Management at
Norwich University in Northfield, VT. Mich can be reached by e-mail at <
mailto:mkabay@norwich.edu >; Web site at < http://www.mekabay.com/index.htm >.
Copyright  2005 M. E. Kabay. All rights reserved.
Permission is hereby granted to Network World to distribute this article at will, to post it without
limit on any Web site, and to republish it in any way they see fit.
Related documents
EAgent_VOIP_Integration
EAgent_VOIP_Integration
- deepakdeshwal.in,Deepak Yadav Meerut,Deepak
- deepakdeshwal.in,Deepak Yadav Meerut,Deepak
ANSWERS - Weebly
ANSWERS - Weebly
(Avaya) Updated 9-5
(Avaya) Updated 9-5
Safety First!
Safety First!
TNM HW # 3 – Enterprise Network Management
TNM HW # 3 – Enterprise Network Management
Fact Sheet - ConduIT Corporation
Fact Sheet - ConduIT Corporation
Download