Deploy VOIP with care, US gov't warns

By Matt Hamblen

The U.S. National Institute of Standards and Technology is urging U.S. federal agencies and corporate users to be careful about deploying voice-over-IP technology because of network security concerns.

The cautionary note in a 99-page report issued by NIST this month prompted one networking analyst to compare the report's authors to Luddites. But an executive from Cisco Systems Inc. said NIST's security recommendations are in line with the advice Cisco gives its VOIP customers.

NIST made nine recommendations for implementing VOIP in a secure manner. For example, the report calls for IT managers to build logically separate voice and data networks. Another recommendation is that "if practical," PC-based VOIP softphones shouldn't be used in deployments in which either security or data privacy is a priority.

"Administrators may mistakenly assume that since digitized voice travels in packets, they can simply plug VOIP components into their already-secure networks and remain secure," the report said. "However, the process is not that simple."

The NIST report was being circulated last week among U.S.-based network security personnel at GlaxoSmithKline PLC. The pharmaceutical maker is running a VOIP trial with about 450 end users at a facility in North Carolina, said Charles Goodall, its manager of global voice technology and architecture.

"We'll take the report and do additional research," he said, adding that the company's IT staff plans to evaluate future VOIP deployments in offices globally.

GlaxoSmithKline is running separate virtual LANs for voice and data traffic as part of the VOIP trial, Goodall said. The company is also testing softphone technology to see if it's usable, never mind secure.

"VOIP security is a big part of our strategy, but it's not really at the top of the list of what we're exploring," Goodall said. "We won't say we must have it secure to deploy it. Even digital voice is somewhat insecure, too."

A good starting point

Roger Farnsworth, a marketing manager at Cisco, said the NIST report is a good place to start for IT managers considering VOIP projects. He added that a point made by NIST about the difficulty of using the Network Address Translation standard with VOIP is "not a trivial problem." That issue is being addressed by Cisco, other vendors and standards bodies, Farnsworth said.

David Endler, an executive at software developer TippingPoint Technologies Inc. in Austin, said security vendors and researchers are organizing an alliance to call attention to VOIP security needs.

But many large companies and federal agencies, some with tens of thousands of users, have already deployed VOIP systems securely, said Zeus Kerravala, an analyst at The Yankee Group in Boston.

"Obviously, it's important to think about security with VOIP," Kerravala said. "But to say some of what (NIST has) said, especially about softphones, shows a little bit of backwards thinking. I think, somewhat, it's written by Luddites."

NIST computer security expert Richard Kuhn, one of the report's three co-authors, said the document wasn't designed to warn IT managers away from using VOIP technology.

"VOIP is moving ahead very, very fast," Kuhn said. "We don't want to scare people away from this. But we want to point out that this is complex technology and there are a lot of security considerations that they may not have thought of."