In January 2005, the National Institute of Standards and Technology (NIST) released a publication entitled Security Considerations for Voice over IP Systems (Special Publication 800-58). What makes this paper both interesting and worth reading is that it provides a darned good overview of the key security issues facing organizations that use Voice over IP technology, and that it includes specific recommendations to help IT managers minimize the security exposures that VoIP can pose. This paper has been circulating in draft form since mid-2004, and its authors include both government and industry experts in the VoIP field.
Among the many worthwhile security recommendations that the paper makes are the following:
- Create logical separation between voice and data networks as much as is practical, rather than building single networks that completely lump both classes of service together. Likewise, VoIP firewalls make as much sense as do regular IP firewalls, so their deployment and regular testing and maintenance are also highly recommended.
- Use of VoIP softphones (computer hookups with headsets, rather than standalone IP handsets) is discouraged in situations where either security or privacy is necessary or desirable. Here again, unnecessary convergence can increase vulnerabilities.
- The paper also provides specific coverage of and recommendations for topics that include H.323 encryption issues and performance, SIP security issues and offsetting enhancements, VoIP gateway issues and security precautions, and VoIPSec issues and answers.
Organizations with existing or planned investments in VoIP technology should be at least mildly concerned about security issues, and will be pleased at the depth and detail in this report, along with its prescriptions for addressing issues and enhancing security where possible.
It's really great to see taxpayer dollars put to such undeniably good and effective use!
Ed Tittel is a regular contributor to numerous TechTarget Web sites, and the author of over 100 books on a wide range of computing subjects from markup languages to information security. He's also a contributing editor for Certification Magazine, and edits Que Publishing's Exam Cram 2 and Training Guide series of cert prep books. E-mail Ed at etittel@techtarget.com.