Can only you hear me now?

The advantages of voice over IP (VOIP) are obvious. Voice communications via your existing broadband connection can save a lot of money. And VOIP is easy to integrate with other Web applications, such as conferencing software.

But when the National Institute of Standards and Technology released its findings on VOIP security nearly a year ago, many people's first reaction was consternation. Was NIST saying agencies shouldn't use VOIP? Was VOIP insecure?

NIST wasn't warning agencies and departments not to use VOIP. It was urging those implementing it to heed nine recommendations. What threw information technology workers at the time, however, was that some of the recommendations seemed impossible or extremely expensive to implement. It seemed the cost of implementing good security could erase any savings VOIP might provide.

That was then, this is now. Meeting NIST's recommendations is not only possible, it's cost-effective.

The fast-moving VOIP industry was working on security before NIST issued its recommendations, and the pace has accelerated. A number of manufacturers can meet all the recommendations.

"This field is probably changing faster than anything in IT right now," said Rick Kuhn, a computer scientist at NIST who co-authored the recommendations document. Kuhn said agencies need to make sure they are up-to-date on current VOIP security offerings so they won't be shortchanged.

The first thing to remember is that VOIP is really, deep down inside, data. "There are solutions available for data security," said Olle Westerberg, chief executive officer of VOIP firewall maker Ingate Systems in Stockholm, Sweden. "If you applied those solutions to this, you should be able to do the things you do in the data world."

Westerberg added that because VOIP is a real-time application on an IP network, good data security practices are just as important for VOIP as they are for any other type of data communications.

Differences must be taken into account, however. It's no secret that the content of VOIP messages — the actual voice conversation between users — must be encrypted. But the signaling information — which tells the phone or PBX on the other end how to handle the call — must also be protected.

To accomplish this, you need to do two things. First, make sure your firewall is VOIP-aware. Although most firewalls can let the voice content through, the signaling is more problematic. Not all firewalls support the two most common VOIP protocols, H.323 and Session Initialization Protocol (SIP). In addition, you must protect those packets so that the call can't be hijacked, intercepted or spoofed.

"You should encrypt your signaling as well as the content," Westerberg said. "The solutions are there. It's just a question of using them."

Ingate makes a firewall designed to handle VOIP, including the SIP signaling that most new IP phone systems are adopting.

Need to know

The basic concepts of VOIP security are fairly simple, but the details aren't. For example, there's general agreement that the signaling and content of VOIP calls must be encrypted, but there's not a consensus on how this should happen. As a result, encryption — especially content encryption — works well only if both ends of the VOIP conversation use equipment from the same company.

Still, it helps to know something about what's going on. Here's a primer.

An IP PBX is the central server for handling VOIP calls in most organizations. It handles the process of connecting and sending phone calls. Although some VOIP phone systems don't use a PBX, they target small businesses and consumers.

You must protect your IP PBX against threats from outside and inside your organization just as you would any other server holding mission-critical information. This includes physical security, intrusion detection, network segmentation and firewalls.

VOIP-aware firewalls are like other firewalls, but they're designed to protect against threats to voice traffic in addition to data traffic. You can use a VOIP firewall as your only enterprise firewall, but more likely, you'll have one designed for normal data traffic and another for VOIP.

A media gateway is designed to fit between your internal voice network and outside phone systems. The gateway may route voice calls to the public switched telephone network (PSTN) or other VOIP networks. It may also handle other tasks and should include security features that protect your voice network against intruders that would enter through it.

A handset is a telephone. In the VOIP world, it connects using an Ethernet port. A VOIP handset may be able to encrypt signaling and content. It must use the same signaling protocol the rest of the network uses; you can't use a SIP phone on an H.323 voice network, for example.

Transport Layer Security (TLS) is a form of authentication that works on the basis of a shared secret between the two ends of a VOIP conversation. Because of this, it's difficult to hijack, spoof or eavesdrop on a TLS-protected conversation.

Secure Real-Time Transport Protocol (SRTP) is a means of encrypting a VOIP conversation's content. Unfortunately, there is no agreement on how SRTP should be implemented, so you can count on this protocol only when you're using products from the same company or specifically designed to work together. An effort to create a standard is under way, but it's not far along.

What's out there

I looked at a few examples of the products you might want to consider for a secure VOIP solution. However, these are not the only products available.

Firewalls

A good VOIP firewall is critical if you plan to connect your VOIP network to the outside world via the Internet or a corporate enterprise network. You can find firewalls such as the Ingate Firewall 1600 and the SecureLogix ETM series of appliances that understand VOIP. Although they are both VOIP firewalls, they are quite different.

The Ingate Firewall 1600 is a SIP device designed to work only with VOIP. It will also work as a firewall for your data network, although you can continue to use your existing firewall for non-SIP traffic. This device is easy to implement and manage. It can handle Network Address Translation (NAT) easily and effectively.

Often when you place SIP devices behind a NAT firewall, maintaining the connection when calling in from outside can be difficult. But the Ingate Firewall 1600 makes the necessary translations to the SIP traffic to reflect a call's true destination. In addition, the firewall understands TLS, which simplifies the process of securing a SIP call from end to end.

The SecureLogix ETM 5.0 Voice Firewall also handles SIP, as well as H.323 and analog lines, and protects against more than outside attacks and intrusions. ETM also protects against attacks from the analog network, toll fraud, 900-number usage and attempts to circumvent the PBX by using fax lines. This appears to be a full-featured voice security product. Unfortunately, the company declined to make it available to Federal Computer Week for a hands-on review.

It's useful to note that many IP PBX products include built-in firewalls and media gateways, so it pays to check before you buy something you might not need.

Media gateways

Media gateways can be used for a variety of tasks on a VOIP installation, but one is primary: providing call routing between the internal voice network and the outside world. Because they connect your VOIP network to the PSTN, security features are a must. Their task isn't the same as a firewall's, but media gateways prevent call hijacking, toll fraud and spoofing. Gateways may provide other services that unload tasks from the central PBX and instead perform them closer to users at the edge of the network.

The Versatel Networks IQ1500 and IQ1500L are examples of high-end, full-featured media gateways for VOIP networks. In addition to supporting tasks such as customized ringing, offloading of conferencing and call routing, the IQ1500 series also hides the network's topology, which means all those NAT-assigned addresses are invisible. This approach blocks many malicious activities.

Call authentication, which the IQ1500 series of gateways can also handle, adds to that list.

I was able to look at the IQ1500 earlier this year. I found it an extremely versatile platform, and it is being improved through a series of applications the company is making available. Despite the complexity of the services it can provide, the IQ1500 is easy to manage and works well in most VOIP networks. This device was originally intended for the carrier marketplace, but it fits nicely into any large enterprise.

PBXs

The PBX is the central server for your enterprise VOIP network. Although, some VOIP products — such as phones from Aastra/ Nimcat Networks, Vonage and Skype — don't use a PBX for all practical purposes, VOIP in the government is handled through an enterprise PBX or through IP Centrex, in which the phone company provides VOIP services.

For enterprises using a PBX, it will be the center of your security focus. For enterprises using IP Centrex, you'll need to make sure the carrier meets your security requirements. The good news is that the major makers of enterprise-class PBX products have instituted security features already. But these features are not always turned on by default. So, if you're bringing in a new PBX, you'll need to make sure that your security requirements are enabled.

The number of PBXs available for medium to large users is huge. The number available for small enterprises is even larger, making a comprehensive look at these products impossible. However, I looked at PBXs from two highly regarded government providers. Avaya is a survivor of the AT&T breakup. Siemens has been a major player in the government market for years and worked with NIST to develop its VOIP security study and the accompanying recommendations.

Avaya's Communications Manager 3.0.1 PBX software was installed on the company's S8700 platform with its G650 Media Gateway in my test case. This PBX can support both SIP and H.323. The SIP capability uses TLS, and H.323 uses SRTP. Avaya's version of SRTP is proprietary — as is every version of SRTP — but a company spokesperson said that Avaya is working to help develop a standard version of this encryption method.

I was able to confirm that eavesdropping on a VOIP call, which was typically not difficult as long as we had access to the physical network, became impossible using Avaya's VOIP security solution and its 4610SW and 4620SW IP phones. I was also able to confirm that the signaling protocols were encrypted. Avaya already encrypts everything between the phone and the PBX and has done so for the last several versions of its products.

In addition, Avaya has added a new security feature to its VOIP line: software for its 4625SW phone that lets the phone automatically establish a secure virtual private network to connect to its home network. To make this work, you plug the phone into any network with Internet access. The phone is being used for emergency services operations following Hurricane Katrina, but its commercial release date hasn't been set. The software will be available on similar Avaya phones.

I looked at the Siemens HiPath 3000 and 4000 earlier this year. Those products also meet all of NIST's recommendations and support encryption. Although Siemens couldn't provide details, its IP phones are in use at a number of secure installations. The company uses TLS for its SIP-based products and, like Avaya, uses a proprietary version of SRTP for content encryption.

But are they secure?

You can satisfy NIST's recommendations if you select the right products, follow the right strategies and implement the right policies. In other words, you must not only purchase a secure VOIP solution for your agency or enterprise, you must also use it. In addition, you must require your staff to follow telephony security policies, such as never allowing VOIP soft phones to call in from remote locations unless you know that the phone is running on a computer that meets security standards.

But you also have to remember that just because VOIP can be made secure and the content and signaling are encrypted, you're not necessarily meeting the higher level of requirements for classified or privacy- protected data. This is not Type 1 encryption.

What's more, the choices you make now won't hold forever. Robert Moskowitz, senior technical director of ICSA Labs, a division of Cybertrust, said it's important that you make use of all the security measures that are available and, at the same time, be ready for things to change.

"You have to be agile in your planning," Moskowitz said, "These security solutions will have a two- to three-year life — no more." He said that the rapid pace of development in VOIP will keep everything in flux for a while, so you should not lock your enterprise or agency into a solution. "You can't commit yourself to longer."

However, by following good security practices, you can go a long way toward making sure that your IP telephony is protected from the ravages of the Internet and the PSTN. And that's saying a lot.

Rash is a Washington, D.C.-based freelance journalist who has been covering technology since the late 1970s. He can be reached at wayne@rash.org.