VOIP can lower telecom costs and help with network
consolidation -- and cause security problems if not handled right.
If you are thinking of adding voice-over-IP capabilities to your
existing infrastructure without upgrading network security, think
again. You could be inviting disaster. Agency officials can't expect
security systems designed to protect data traffic to adequately secure
their VOIP communications, experts say.
"The idiosyncrasies of voice data may strain your security system to
the breaking point," said Richard Kuhn, a computer security specialist
at the National Institute of Standards and Technology. "You definitely
need specialized security products and different architectures when
moving to VOIP."
NIST recently issued a report titled "Security Considerations for
Voice Over IP Systems," which focuses on security problems and
recommendations for secure communications.
Basically, with VOIP, voice data generated during a phone call moves in
packets via internal IP networks or the Internet, just as Web pages
and e-mail messages do.
A handful of agencies, such as the Education and Defense departments,
are in various stages of deploying VOIP, seeking the lower costs and
efficiency Internet telephony can offer compared with traditional
VOIP can offer greater efficiency in a consolidated voice and data
network by enabling users to receive calls on desktop computers.
Users can also forward voice mail and e-mail from VOIP
phones. Employees traveling to branch offices can have their full
phone resources and office numbers transferred to their temporary
locations. Additionally, VOIP can be used to keep communications
running during a disaster or emergency, giving employees access to
their phone resources from IP phones at other locations.
But as agencies explore the benefits of VOIP, they must strengthen
firewalls, gateways, encryption and authentication methods, and other
security components to better protect such traffic, experts say.
VOIP hubs can be hacked more easily than traditional PBX phone
switches. Even if hackers can't eavesdrop on conversations, they will
have access to routing data, such as the number of calls to and from
each user, according to a report by the Cyber Security Industry
Alliance. Moreover, automated tools can send spit, the VOIP version
of spam, to all voice mailboxes within a certain range of the
provider, address space or area code.
Traditional firewalls might not be as effective in blocking attacks on
combined voice and data networks. Firewalls examine packets and block
suspected ones at the digital communications port. However, phone
calls require opening many communications ports on the firewall -- some
sessions may need 10 or more ports. Firewalls that aren't configured
for VOIP security might leave a large number of ports continually
open, increasing the network's vulnerability.
To compound the problem, voice communications are more time-sensitive
than data or even video. Firewalls that look too deeply into
voice packets or block too many of them can degrade the quality of
phone service. Few users would notice if data packets are slow getting
through the firewall, resulting in a slight delay in loading Web pages
or even a short pause in a video.
But "3 [percent] to 5 percent loss of data packets in a VOIP, and your
system is unusable," Kuhn said. A few seconds of latency and jitter,
and users will hang up and reach for their cell phones, he said.
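To make the loss and jitter figures above measurable, here is an added example (not code from the article or from NIST) that computes packet loss from RTP sequence-number gaps and interarrival jitter with the RFC 3550 estimator over a constructed capture, and flags a call that reaches the 3 percent loss figure Kuhn cites. The capture, clock rate and threshold are assumptions.

```python
"""Added example (not from the article): compute packet loss and interarrival
jitter for an RTP audio stream from a packet capture, using the RFC 3550
definitions, and flag the call against the loss figure Kuhn cites.  The
capture below is constructed (G.711, 8 kHz clock, 20 ms frames)."""

RTP_CLOCK_HZ = 8000
LOSS_UNUSABLE_PCT = 3.0  # low end of the "3 to 5 percent" figure in the article

# Constructed capture in arrival order: (sequence number, RTP timestamp,
# arrival time in ms).  Sequence 4 never arrives; a 40 ms delay hits at seq 7.
PACKETS = [
    (1, 160, 0), (2, 320, 20), (3, 480, 40), (5, 800, 80), (6, 960, 100),
    (7, 1120, 160), (8, 1280, 180), (9, 1440, 200), (10, 1600, 220),
]

def rtp_stats(packets, clock_hz=RTP_CLOCK_HZ):
    """Loss from sequence-number gaps and the RFC 3550 A.8 jitter estimator
    (J += (|D| - J) / 16, D in clock ticks); jitter reported in ms."""
    if not packets:
        raise ValueError("empty capture")
    seqs = [p[0] for p in packets]
    expected = max(seqs) - min(seqs) + 1       # no 16-bit wraparound handling
    received = len(set(seqs))                  # duplicates count once
    lost = expected - received
    jitter = 0.0
    prev_transit = None
    for _, ts, arrival_ms in packets:
        transit = arrival_ms * clock_hz / 1000 - ts   # arrival minus send, ticks
        if prev_transit is not None:
            d = abs(transit - prev_transit)
            jitter += (d - jitter) / 16
        prev_transit = transit
    return {
        "expected": expected, "received": received, "lost": lost,
        "loss_pct": 100.0 * lost / expected,
        "jitter_ms": jitter * 1000 / clock_hz,
    }

def assess(stats, max_loss_pct=LOSS_UNUSABLE_PCT):
    """Return 'unusable' when loss reaches the threshold, else 'ok'."""
    return "unusable" if stats["loss_pct"] >= max_loss_pct else "ok"

if __name__ == "__main__":
    s = rtp_stats(PACKETS)
    print(f"loss {s['loss_pct']:.1f}% jitter {s['jitter_ms']:.2f} ms -> {assess(s)}")
```

Run against live RTCP receiver reports or a capture, the same arithmetic tells you whether a firewall's deep inspection is what is pushing loss past the point where users reach for their cell phones.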
Kuhn said that although VOIP technology is still emerging, a
sufficient number of proprietary products are available to secure a
VOIP network. For example, a stateful inspection firewall, which
validates traffic by inspecting the contents of packets up through the
application layer, can dynamically open and close the correct
ports. Still, setting up a secure VOIP network is not merely a matter
of purchasing the right products. Kuhn said it requires an overall
strategy in which you add to the network incrementally and test each
phase as you go.
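The difference between a firewall that leaves an RTP range open and one that validates traffic up through the application layer comes down to reading the SDP body of the SIP INVITE. The following added example (not code from the article, NIST or any vendor) parses a constructed INVITE, derives the exact UDP pinholes the call needs, and compares that with a static range; the message, addresses and range are assumptions.

```python
"""Added example (not the article's or NIST's code): derive the UDP pinholes a
SIP call needs from the SDP in its INVITE, as a VOIP-aware stateful firewall
does, and compare with a static RTP range.  Message and addresses constructed."""

SIP_INVITE = (  # constructed INVITE with an SDP offer for audio and video
    "INVITE sip:bob@203.0.113.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)
STATIC_RTP_RANGE = (16384, 32767)  # assumed "leave it all open" policy

def parse_sdp_media(msg):
    """(media, ip, port) per m= line; session-level c= only; port 0 = rejected."""
    _, _, body = msg.partition("\r\n\r\n")  # SIP headers end at the blank line
    ip, streams = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m="):
            fields = line[2:].split()
            port = int(fields[1])
            if port:
                streams.append((fields[0], ip, port))
    return streams

def pinholes(msg):
    """UDP pinholes for one call: RTP port plus RTP+1 for RTCP (RFC 3550),
    each bound to the endpoint address announced in the SDP."""
    holes = []
    for media, ip, port in parse_sdp_media(msg):
        holes.append((ip, port, "udp", media + " rtp"))
        holes.append((ip, port + 1, "udp", media + " rtcp"))
    return holes

def static_ports_open():
    """Ports a firewall without SIP awareness keeps open permanently."""
    lo, hi = STATIC_RTP_RANGE
    return hi - lo + 1

if __name__ == "__main__":
    print(len(pinholes(SIP_INVITE)), "pinholes for this call vs",
          static_ports_open(), "ports open all the time")
```

A real implementation also closes the pinholes on BYE or a session timeout, which is the "close" half of the dynamic behaviour Kuhn describes.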
That's the plan at Education. The department's initial
forays are all within its internal network.
"The current system is a hybrid," said Peter Tseronis, Education's
director of converged communications and networking. "If I'm calling
someone at Education, I dial a certain prefix on my phone, and it goes
over the IP network. If I'm dialing out, it goes over the traditional
Aside from deploying VOIP services to more users, a future step at
Education might be to provide voice and video via the Internet to some
users. That will allow those users to hold videoconferences and take
advantage of VOIP while at home or on the road.
Many experts expect that most government agencies will follow
Education's strategy of getting its internal VOIP network in place
before running VOIP services on the public Internet. Roger Farnsworth,
marketing manager for secure IP communications at Cisco Systems, said
that besides enhancing security, restricting VOIP services to an
internal network or virtual private network eliminates compatibility
The industry currently supports two VOIP standards: H.323 and Session
Initiation Protocol (SIP). H.323 allows dissimilar devices to
communicate with one another by using a standard protocol. SIP is a
standard for initiating an interactive user session that involves
multimedia functions such as video, voice and chat. SIP is gradually
replacing H.323, but most experts suggest buying components that can
But doing so doesn't mean that agency officials will be able to easily
and safely use VOIP outside their networks. "There are differences
among vendors' implementations of those standards so that you can't
count on two different systems interoperating the way you'd like,"
Farnsworth said. For example, it is difficult to use encryption with
VOIP when traffic is moving across two vendors' systems, he said.
Although Farnsworth acknowledged that government agencies need to use
caution in setting up their systems, they can take some comfort in the
knowledge that eavesdropping on unencrypted voice communications is
more difficult than capturing and reading e-mail messages via the
"It's not a trivial matter to intercept a VOIP packet stream and
reassemble it and come up with usable playback," Farnsworth said.
Nevertheless, NIST experts advise users to consider using encryption
at the router or other gateway instead of at the VOIP phones. Most
VOIP phones are not powerful enough to perform encryption quickly.
However, some newer phones offer Advanced Encryption Standard at a
Keeping services available
For many organizations, availability is at least as important as
security. "When users pick up a VOIP phone, they have the same
expectations as when they pick up a plain old telephone," said Paul
Kurtz, executive director of the Cyber Security Industry
Alliance. "They want an immediate dial-tone and no delay in placing a
For the government, expectations not only come from employees using
VOIP phones but also from residents who don't know or care what
technology the phones use; they just want to get through quickly.
"The phone is what enables a lot of national security and emergency
services," Kurtz said. Accordingly, he and others suggest a layered
approach, with sufficient redundancy built in to provide the
availability appropriate to the service.
Even for agencies not involved in emergency preparedness, customer
service requirements demand availability levels above 90 percent.
Lodovico Loquercio, principal network solutions architect at Nortel
Federal Solutions, said a voice-grade local-area command and control
network must be designed to ensure that there is no single point of
"Before going live, prove that if any element fails, your session will
remain up and the redundant equipment will take over in 2 seconds or
less," he said.
That goal does not come cheaply. "In many cases, in order to get
[99.999 percent] uptime and security, it may require a complete
rip-out or at least a major refresh of technology," Loquercio said.
He estimates that for DOD to replicate its current level of voice
communication service, which includes functions unique to the military
and end-to-end security, it would have to spend tens of billions of
Not all agencies need that level of service, but ensuring satisfactory
uptime will help sell the project to managers. Jim Dolezal, lead
telecommunications consultant at Suss Consulting, expects that
concerns about downtime will delay many projects for at least two
"I think senior managers in agencies are concerned when their
[local-area network] goes out and the restore is far longer than they
are initially told to expect," Dolezal said. "They don't want to have
that happen to their voice communications."
In addition, he sees a cultural problem in agencies that maintain
separate staffs for phone and data networks. "They are moving closer,
but they are not yet one and the same, and that's what will be
necessary for VOIP to work," he said.
Major VOIP vendors can provide secure, highly available
enterprise-level systems, but the technology is still emerging.
"Right now, it's hard to get a complete picture of what a fully mature
VOIP system that works across many government agencies and in use by
private citizens will contain," Kuhn said.
So far, all solutions use proprietary elements, which limits
interoperability. But Kuhn said open-system products might become
available in the next two to four years. "At that point, we may be
looking at a system that looks much more like the standard phone
communications we're all used to," he said.
Problems with voice over IP
Voice over IP can offer organizations lower telecommunications costs
and greater network efficiency through convergence of voice, data and
video. But there are some security issues that users need to address.
Here are a few findings.
* Caller ID services, including those used by first-responder
organizations, are often bypassed by VOIP.
* VOIP network hubs can be hacked much more easily than PBX phone
switches. Hackers can't eavesdrop on conversations, but they will have
access to routing data.
* Automated tools can send spam over Internet telephony (spit), the
VOIP version of spam, to all voice mailboxes in a given range of the
provider, address space or area codes.
* Conversations over IP can be recorded, duplicated and quickly
distributed to anyone beyond the original audience.
* Wireless devices will further complicate VOIP security.
Source: Cyber Security Industry Alliance
10 steps to build a secure voice-over-IP network
The National Institute of Standards and Technology recently issued a
report titled "Security Considerations for Voice Over IP Systems."
Below are 10 recommendations from that report.
* Understand your agency's level of knowledge and training in VOIP
technology before beginning a project. Also evaluate the maturity and
quality of your security practices, controls, policies and
* Consider creating separate voice and data networks to protect each
one when using products designed for specific types of packets.
* Provide a mechanism to allow VOIP traffic to pass through firewalls
effectively. Use packet filters that can track the state of
connections and block packets from calls that did not originate
* Consider using encryption at routers or other gateways to improve
performance, instead of at the VOIP phones.
* Make sure there is adequate physical security. Unless the VOIP
network is encrypted, anyone with physical access to a local-area
network could potentially connect monitoring tools and tap phone
* Give special consideration to finding ways to provide E911 emergency
* Include costs for additional power backup systems when figuring the
cost of a VOIP project.
* Avoid the use of "softphone" systems, which implement VOIP using an
ordinary PC with a headset and special software. The worms, viruses
and other malicious software that are common on PCs can migrate to the
* If mobile devices are integrated with the VOIP system, choose
products that rely on Wi-Fi Protected Access rather than Wired
Equivalent Privacy, which can be cracked with publicly available
* Review statutory requirements regarding privacy and record retention
with legal advisers. Laws and rulings governing interception or
monitoring of VOIP lines and retention of call records can differ from
those for conventional phone systems.
Source: National Institute of Standards and Technology
Find a link to the National Institute of Standards and
Technology report on VOIP security on FCW.com Downlead's Data Call at
Stevens is a freelance journalist who has written about information
technology since 1982.
Copyright 101 Communications Jun 27, 2005