[VOIPSEC] Feds Warn Deploy VoIP With Care - Analysis of NIST Recommendations -Presented at CTA - February14 - Denver
Tom Cross
tom at techtionary.com
Sat Feb 12 11:48:14 CST 2005
Feds Warn Deploy VoIP With Care
Presented by Thomas B. Cross - TECHtionary.com
Presented at The Colorado Telecommunications Association Business Meeting -
February 14, 2005
For more information and Registration - go here http://www.colotelecom.com
A 99-page report released by the National Institute of Standards and
Technology Report 800-58 cautions that IT managers need to pay close
attention to the network security issues raised by VoIP installations. To
give you the most complete information, we have included the title of each
NIST recommendation and a summary of the TECHtionary.com analysis.
NIST RECOMMENDATION 1 - Develop appropriate network architecture.
TECHtionary analysis, as also mentioned in the report, is to use separate
networks for voice. Most carriers offer special VPN-Virtual Private Network
services which can be configured to separate almost any kind of data type or
TCP-Transmission Control Protocol port assignment.
NIST RECOMMENDATION 2 - Ensure that the organization has examined and can
acceptably manage and mitigate the risks to their information, systems
operations and continuity of essential operations when deploying VoIP
systems.
TECHtionary analysis is to eliminate any potential "human error" from
use of VoIP by providing detailed IT business processes to VoIP users.
NIST RECOMMENDATION 3 - Special consideration should be given to E-911
emergency services communications because E-911 automatic location service
is not available with VoIP in some cases.
TECHtionary analysis is to review and test VoIP systems with emergency
services agencies. In addition, recommend to all users that in case of an
emergency they use a cellular (not WiFi) telephone, not a VoIP phone.
NIST RECOMMENDATION 4 - Agencies should be aware that physical controls are
especially important in a VoIP environment and deploy them accordingly.
TECHtionary analysis is to implement and reinforce all types of
physical security devices. Aside from using electronic protections, lock
the doors. Lastly, review business and HR employment processes, as 80% of
IT crime is perpetrated by disgruntled and dishonest employees.
NIST RECOMMENDATION 5 - Evaluate costs for additional power backup systems
that may be required to ensure continued operation during power outages.
TECHtionary analysis is that most VoIP phones and soft phones require
power. Customers should add power injectors, backup power and generators to
all critical functions including diverse wiring to emergency centers.
NIST RECOMMENDATION 6 - VoIP firewall-ready and other appropriate
protection mechanisms should be employed. Agencies must enable, use and
routinely test the security features that are included in VoIP systems.
TECHtionary analysis is to consider hiring hackers to really test your
VoIP. Next, upgrade and test firewalls. Understand that VoIP systems are IP
devices and will likely impact the user count for your firewall system.
Plan and budget accordingly.
NIST RECOMMENDATION 7 - If practical, "softphone" systems, which implement
VoIP using an ordinary PC with a handset and special software, should not be
used where privacy or security are a concern.
TECHtionary analysis is that soft phones should be programmed to ensure
immediate password protection when the user is away from the PC. Softphones
are not necessarily any more insecure than other devices, including
stand-alone telephone sets. In addition, routinely test for hacker access
via browser to voice/email/etc.
NIST RECOMMENDATION 8 - If mobile units are to be integrated with the VoIP
system, use products implementing WPA-WiFi Protected Access rather than
WEP-WiFi Equivalent Privacy.
TECHtionary analysis is to incorporate TKIP-Temporal Key Integrity
Protocol, as WiFi-Wireless Fidelity telephone sets will likely be part of the
VoIP installation. TKIP is a required part of WEP2 or WPA-WiFi Protected
Access and uses a 128-bit "temporal key" shared among clients and access
points. WPA requires TKIP and combines the temporal key with the client's
MAC-Media Access Control address (ethernet NIC-Network Interface Card fixed
48-bit address) and then adds a relatively large 16-octet (128-bit)
initialization vector to produce the key that will encrypt the data. TKIP
ensures that each station uses different key streams to encrypt the data.
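The point of the paragraph above, that mixing the shared key with each station's MAC address and a per-packet IV gives every station its own key stream, can be shown with a small model. This is an added illustration, not code from the NIST report or from TECHtionary; it contrasts WEP-style keying (IV prepended to one shared key) with a TKIP-style derivation, using HMAC-SHA256 as a stand-in for the real TKIP mixing function (an assumption of the model). The key and MAC addresses are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values: one shared 128-bit key and two client MAC addresses.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
STATION_A = bytes.fromhex("001122334455")   # 48-bit MAC of handset A
STATION_B = bytes.fromhex("66778899aabb")   # 48-bit MAC of handset B


def wep_packet_key(shared_key: bytes, iv: int) -> bytes:
    """WEP-style keying: the per-packet RC4 key is IV || shared key.
    The sender's MAC address plays no part, so two stations that emit the
    same 24-bit IV hand RC4 the identical key and so the identical key stream."""
    return iv.to_bytes(3, "big") + shared_key


def tkip_style_packet_key(temporal_key: bytes, mac: bytes, iv: int,
                          iv_octets: int = 6) -> bytes:
    """Model of the TKIP idea: mix the temporal key with the sender's MAC
    address (per-station value), then with the per-packet IV, so every
    station and every packet gets a distinct 128-bit key.  HMAC-SHA256 is a
    stand-in for the real TKIP mixing function (assumption of this model)."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 octets")
    per_station = hmac.new(temporal_key, mac, hashlib.sha256).digest()
    per_packet = hmac.new(per_station, iv.to_bytes(iv_octets, "big"),
                          hashlib.sha256).digest()
    return per_packet[:16]


def same_key_for_both_stations(derive, iv: int) -> bool:
    """True when stations A and B would encrypt with the same key for this IV."""
    return derive(STATION_A, iv) == derive(STATION_B, iv)


def compare(iv: int = 0x123456) -> dict:
    """Run both keying models for one IV value and report what differs."""
    wep = lambda mac, iv: wep_packet_key(SHARED_KEY, iv)
    tkip = lambda mac, iv: tkip_style_packet_key(SHARED_KEY, mac, iv)
    return {
        "wep_key_shared_across_stations": same_key_for_both_stations(wep, iv),
        "tkip_key_shared_across_stations": same_key_for_both_stations(tkip, iv),
        "tkip_key_changes_per_packet":
            tkip(STATION_A, iv) != tkip(STATION_A, iv + 1),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```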
NIST RECOMMENDATION 9 - Carefully review statutory requirements regarding
privacy and record retention with competent legal advisors.
TECHtionary analysis is to hire legal counsel when you buy a VoIP
system and include performance and security provisions in the purchase
agreement. Sorry, we don't have any polite images of legal advisors.
#10 TECHtionary.com also strongly recommends customers perform a
comprehensive network assessment prior to purchase or implementation of any
VoIP to determine network capabilities ("will it really work under stress")
as well as all of the above issues.
We hope this gives you some insights as you plan, design and implement VoIP.