Voice over IP exposed

VOIP can lower telecom costs and help with network consolidation -- and cause security problems if not handled right.

Editor's note: This is the last of a three-part series on networking. The first part, which appeared in the June 13 issue of Federal Computer Week, focused on efforts to consolidate networks. The second part, which appeared in the June 20 issue, focused on satellite communications.

If you are thinking of adding voice-over-IP capabilities to your existing infrastructure without upgrading network security, think again. You could be inviting disaster. Agency officials can't expect security systems designed to protect data traffic to adequately secure their VOIP communications, experts say.

"The idiosyncrasies of voice data may strain your security system to the breaking point," said Richard Kuhn, a computer security specialist at the National Institute of Standards and Technology. "You definitely need specialized security products and different architectures when moving to VOIP."

NIST recently issued a report titled "Security Considerations for Voice Over IP Systems," which focuses on security problems and recommendations for secure communications.

Basically, with VOIP, voice data generated during a phone call moves in packets via internal IP networks or the Internet, just as Web pages and e-mail messages do.

A handful of agencies, such as the Education and Defense departments, are in various stages of deploying VOIP, seeking the lower costs and efficiency Internet telephony can offer compared with traditional phone communications.

VOIP can offer greater efficiency in a consolidated voice and data network by enabling users to receive calls on desktop computers. Users can also forward voice mail and e-mail from VOIP phones. Employees traveling to branch offices can have their full phone resources and office numbers transferred to their temporary locations. Additionally, VOIP can be used to keep communications running during a disaster or emergency, giving employees access to their phone resources from IP phones at other locations.

But as agencies explore the benefits of VOIP, they must strengthen firewalls, gateways, encryption and authentication methods, and other security components to better protect such traffic, experts say.

VOIP hubs can be hacked more easily than traditional PBX phone switches. Even if hackers can't eavesdrop on conversations, they will have access to routing data, such as the number of calls to and from each user, according to a report by the Cyber Security Industry Alliance. Moreover, automated tools can send spit, the VOIP version of spam, to all voice mailboxes within a certain range of the provider, address space or area code.

Traditional firewalls might not be as effective in blocking attacks on combined voice and data networks. Firewalls examine packets and block suspected ones at the digital communications port. However, phone calls require opening many communications ports on the firewall — some sessions may need 10 or more ports. Firewalls that aren't configured for VOIP security might leave a large number of ports continually open, increasing the network's vulnerability.

To compound the problem, voice communications are more time-sensitive than data or even video. Firewalls that look too deeply into voice packets or block too many of them can degrade the quality of phone service. Few users would notice if data packets are slow getting through the firewall, resulting in a slight delay in loading Web pages or even a short pause in a video.

But "3 [percent] to 5 percent loss of data packets in a VOIP, and your system is unusable," Kuhn said. A few seconds of latency and jitter, and users will hang up and reach for their cell phones, he said.

Kuhn said that although VOIP technology is still emerging, a sufficient number of proprietary products are available to secure a VOIP network. For example, a stateful inspection firewall, which validates traffic by inspecting the contents of packets up through the application layer, can dynamically open and close the correct ports. Still, setting up a secure VOIP network is not merely a matter of purchasing the right products. Kuhn said it requires an overall strategy in which you add to the network incrementally and test each phase as you go.

That's the plan at Education. The department's initial forays are all within its internal network.

"The current system is a hybrid," said Peter Tseronis, Education's director of converged communications and networking. "If I'm calling someone at Education, I dial a certain prefix on my phone, and it goes over the IP network. If I'm dialing out, it goes over the traditional lines."

Aside from deploying VOIP services to more users, a future step at Education might be to provide voice and video via the Internet to some users. That will allow those users to hold videoconferences and take advantage of VOIP while at home or on the road.

Many experts expect that most government agencies will follow Education's strategy of getting its internal VOIP network in place before running VOIP services on the public Internet. Roger Farnsworth, marketing manager for secure IP communications at Cisco Systems, said that besides enhancing security, restricting VOIP services to an internal network or virtual private network eliminates compatibility issues.

The industry currently supports two VOIP standards: H.323 and Session Initiation Protocol (SIP). H.323 allows dissimilar devices to communicate with one another by using a standard protocol. SIP is a standard for initiating an interactive user session that involves multimedia functions such as video, voice and chat. SIP is gradually replacing H.323, but most experts suggest buying components that can support both.

But doing so doesn't mean that agency officials will be able to easily and safely use VOIP outside their networks. "There are differences among vendors' implementations of those standards so that you can't count on two different systems interoperating the way you'd like," Farnsworth said. For example, it is difficult to use encryption with VOIP when traffic is moving across two vendors' systems, he said.

Although Farnsworth acknowledged that government agencies need to use caution in setting up their systems, they can take some comfort in the knowledge that eavesdropping on unencrypted voice communications is more difficult than capturing and reading e-mail messages via the Internet.

"It's not a trivial matter to intercept a VOIP packet stream and reassemble it and come up with usable playback," Farnsworth said.

Nevertheless, NIST experts advise users to consider using encryption at the router or other gateway instead of at the VOIP phones. Most VOIP phones are not powerful enough to perform encryption quickly. However, some newer phones offer Advanced Encryption Standard at a reasonable price.

Keeping services available

For many organizations, availability is at least as important as security. "When users pick up a VOIP phone, they have the same expectations as when they pick up a plain old telephone," said Paul Kurtz, executive director of the Cyber Security Industry Alliance. "They want an immediate dial-tone and no delay in placing a call."

For the government, expectations come not only from employees using VOIP phones but also from residents who don't know or care what technology the phones use; they just want to get through quickly.

"The phone is what enables a lot of national security and emergency services," Kurtz said. Accordingly, he and others suggest a layered approach, with sufficient redundancy built in to provide the availability appropriate to the service.

Even for agencies not involved in emergency preparedness, customer service requirements demand availability levels above 90 percent.

Lodovico Loquercio, principal network solutions architect at Nortel Federal Solutions, said a voice-grade local-area command and control network must be designed to ensure that there is no single point of failure.

"Before going live, prove that if any element fails, your session will remain up and the redundant equipment will take over in 2 seconds or less," he said.

That goal does not come cheaply. "In many cases, in order to get [99.999 percent] uptime and security, it may require a complete rip-out or at least a major refresh of technology," Loquercio said.

He estimates that for DOD to replicate its current level of voice communication service, which includes functions unique to the military and end-to-end security, it would have to spend tens of billions of dollars.

Not all agencies need that level of service, but ensuring satisfactory uptime will help sell the project to managers. Jim Dolezal, lead telecommunications consultant at Suss Consulting, expects that concerns about downtime will delay many projects for at least two years.

"I think senior managers in agencies are concerned when their [local-area network] goes out and the restore is far longer than they are initially told to expect," Dolezal said. "They don't want to have that happen to their voice communications."

In addition, he sees a cultural problem in agencies that maintain separate staffs for phone and data networks. "They are moving closer, but they are not yet one and the same, and that's what will be necessary for VOIP to work," he said.

Major VOIP vendors can provide secure, highly available enterprise-level systems, but the technology is still emerging.

"Right now, it's hard to get a complete picture of what a fully mature VOIP system that works across many government agencies and in use by private citizens will contain," Kuhn said.

So far, all solutions use proprietary elements, which limits interoperability. But Kuhn said open-system products might become available in the next two to four years. "At that point, we may be looking at a system that looks much more like the standard phone communications we're all used to," he said.

Stevens is a freelance journalist who has written about information technology since 1982.

Problems with voice over IP

Voice over IP can offer organizations lower telecommunications costs and greater network efficiency through convergence of voice, data and video. But there are some security issues that users need to address. Here are a few findings.

  • Caller ID services, including those used by first-responder organizations, are often bypassed by VOIP.
  • VOIP network hubs can be hacked much more easily than PBX phone switches. Hackers can't eavesdrop on conversations, but they will have access to routing data.
  • Automated tools can send spam over Internet telephony (spit), the VOIP version of spam, to all voice mailboxes in a given range of the provider, address space or area codes.
  • Conversations over IP can be recorded, duplicated and quickly distributed to anyone beyond the original audience.
  • Wireless devices will further complicate VOIP security.

Source: Cyber Security Industry Alliance

10 steps to build a secure voice-over-IP network

The National Institute of Standards and Technology recently issued a report titled "Security Considerations for Voice Over IP Systems." Below are 10 recommendations from that report:

  • Understand your agency's level of knowledge and training in VOIP technology before beginning a project. Also evaluate the maturity and quality of your security practices, controls, policies and architectures.
  • Consider creating separate voice and data networks to protect each one when using products designed for specific types of packets.
  • Provide a mechanism to allow VOIP traffic to pass through firewalls effectively. Use packet filters that can track the state of connections and block packets from calls that did not originate properly.
  • Consider using encryption at routers or other gateways to improve performance, instead of at the VOIP phones.
  • Make sure there is adequate physical security. Unless the VOIP network is encrypted, anyone with physical access to a local-area network could potentially connect monitoring tools and tap phone conversations.
  • Give special consideration to finding ways to provide E911 emergency services.
  • Include costs for additional power backup systems when figuring the cost of a VOIP project.
  • Avoid the use of "softphone" systems, which implement VOIP using an ordinary PC with a headset and special software. The worms, viruses and other malicious software that are common on PCs can migrate to the VOIP system.
  • If mobile devices are integrated with the VOIP system, choose products that rely on Wi-Fi Protected Access rather than Wired Equivalent Privacy, which can be cracked with publicly available software.
  • Review statutory requirements regarding privacy and record retention with legal advisers. Laws and rulings governing interception or monitoring of VOIP lines and retention of call records can differ from those for conventional phone systems.

Source: National Institute of Standards and Technology
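The dynamic port handling Kuhn attributes to stateful inspection firewalls, and the NIST recommendation to track connection state and block packets from calls that did not originate properly, can be sketched as below. This is an added example, not code from the article or the NIST report. The names `PinholeTable`, `media_endpoint` and `demo`, the trimmed SIP/SDP sample messages, and the rule that RTCP uses the RTP port plus one are assumptions made for illustration.

```python
import re
CALL_ID = re.compile(r"^Call-ID:\s*(\S+)", re.M | re.I)
CONN = re.compile(r"^c=IN IP4 (\S+)", re.M)
AUDIO = re.compile(r"^m=audio (\d+) RTP/AVP", re.M)

# Constructed sample signaling (documentation addresses, made-up Call-ID).
SDP = "Content-Type: application/sdp\r\n\r\nv=0\r\nc=IN IP4 {}\r\nm=audio {} RTP/AVP 0\r\n"
HDR = "Call-ID: a84b4c76e66710\r\n"
INVITE = "INVITE sip:bob@example.gov SIP/2.0\r\n" + HDR + SDP.format("192.0.2.10", 49170)
OK = "SIP/2.0 200 OK\r\n" + HDR + SDP.format("198.51.100.20", 30000)
BYE = "BYE sip:bob@example.gov SIP/2.0\r\n" + HDR + "\r\n"

def media_endpoint(msg):
    """Return the (ip, port) the SDP body asks to receive audio on, or None."""
    c, m = CONN.search(msg), AUDIO.search(msg)
    return (c.group(1), int(m.group(1))) if c and m else None

class PinholeTable:
    """Opens UDP media ports only for calls whose setup it has observed."""
    def __init__(self):
        self.offers = {}    # Call-ID -> endpoint offered in the INVITE
        self.pinholes = {}  # Call-ID -> set of (ip, port) allowed to receive media
    def on_sip(self, raw):
        msg = raw.replace("\r\n", "\n")
        cid = CALL_ID.search(msg)
        if not cid:
            return
        call_id, start, media = cid.group(1), msg.split("\n", 1)[0], media_endpoint(msg)
        if start.startswith("INVITE ") and media:
            self.offers[call_id] = media
        elif start.startswith("SIP/2.0 200") and media and call_id in self.offers:
            # Answer to a tracked offer: open RTP and RTCP (port + 1) at both ends.
            ends = (self.offers.pop(call_id), media)
            self.pinholes[call_id] = {(ip, p + d) for ip, p in ends for d in (0, 1)}
        elif start.startswith("BYE "):
            self.offers.pop(call_id, None)
            self.pinholes.pop(call_id, None)  # call over: close its ports

    def allow_udp(self, dst_ip, dst_port):
        return any((dst_ip, dst_port) in ends for ends in self.pinholes.values())

def demo():
    fw = PinholeTable()
    probes = [("192.0.2.10", 49170), ("198.51.100.20", 30001), ("198.51.100.20", 30002)]
    verdicts = [[fw.allow_udp(*p) for p in probes]]      # before any call
    for step in ((INVITE, OK), (BYE,)):
        for msg in step:
            fw.on_sip(msg)
        verdicts.append([fw.allow_udp(*p) for p in probes])  # during, then after
    return verdicts
```

Only the four negotiated RTP and RTCP ports are reachable, and only between the answered INVITE and the BYE. A statically configured firewall would instead have to leave the whole media port range open.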