NIST suggests VoIP caution

Links Special Publication 800-58

IP telephony, or voice over IP, poses significant security problems that are challenges at the moment but will become easier eventually, security experts at the National Institute of Standards and Technology say in a draft report released this month.

The authors of the new report say it could be several years before the uncertainty about competing standards is resolved and VoIP systems become mainstream. In the meantime, federal agencies should be careful to acquire the right hardware and software for making their VoIP systems secure.

The authors, Richard Kuhn, Thomas Walsh and Steffen Fries, warn that attempting to integrate VoIP into an already congested data network "could be disastrous for an organization's technology infrastructure."

Because it is unknown which signaling protocol will emerge as a winner in the marketplace, federal agency officials interested in VoIP should buy gateways and other network devices that support both the H.323 protocol and the Session Initiation Protocol, or SIP.

Agency officials must also weigh VoIP security considerations when they select a virtual private network. The NIST document discusses in detail the pluses and minuses of end-to-end VPNs versus firewall-based VPNs.

Security measures can cause numerous complications in VoIP applications, not least of which are firewall-induced delays in setting up calls or encryption-produced latency, the report says.

Another source of complication is the common use of Network Address Translation, a security technique that permits several computers within a local-area network to share an IP address. NAT creates a situation analogous to a telephone network in which several phones have the same telephone number.

Readers can comment on the Special Publication 800-58 draft until June 18 by submitting their suggestions to Rick Kuhn at sp800-58@nist.gov.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.