[VOIPSEC] Feds Warn Deploy VoIP With Care - Analysis of NIST Recommendations - Presented at CTA - February 14 - Denver
Candace Holman
Candace_Holman at harvard.edu
Mon Feb 14 16:52:23 CST 2005
Tom,
I'm concerned that your summary doesn't reflect many of the critical points
in the paper, and even contradicts some of the recommendations. One of the
authors is a member of the VoIPSA board. The document is a good reference
and warrants a more in-depth look.
http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
Candace
At 12:48 PM 2/12/2005, you wrote:
>Feds Warn Deploy VoIP With Care
>
>Presented by Thomas B. Cross - TECHtionary.com
>
>Presented at The Colorado Telecommunications Association Business Meeting -
>February 14, 2005
>
>For more information and Registration - go here http://www.colotelecom.com
>
>
>
>A 99-page report released by the National Institute of Standards and
>Technology Report 800-58 cautions that IT managers need to pay close
>attention to the network security issues raised by VoIP installations. To
>give you the most complete information, we have included the title of each
>NIST recommendation and a summary of the TECHtionary.com analysis.
>
>
>
>NIST RECOMMENDATION 1 - Develop appropriate network architecture.
>
> TECHtionary analysis, as also mentioned in the report, is to use separate
>networks for voice. Most carriers offer special VPN-Virtual Private Network
>services which can be configured to separate almost any kind of data type of
>TCP-Transmission Control Protocol port assignment.
>
>
>
>NIST RECOMMENDATION 2 - Ensure that the organization has examined and can
>acceptably manage and mitigate the risks to their information, systems
>operations and continuity of essential operations when deploying VoIP
>systems.
>
> TECHtionary analysis is to eliminate any potential "human error" from
>use of VoIP by providing detailed IT business processes to VoIP users.
>
>
>
>NIST RECOMMENDATION 3 - Special consideration should be given to E-911
>emergency services communications because E-911 automatic location service
>is not available with VoIP in some cases.
>
> TECHtionary analysis is to review and test VoIP systems with Emergency
>services agencies. In addition, recommend that all users, in case of an
>emergency, use a cellular (not WiFi) telephone, not a VoIP phone.
>
>
>
>NIST RECOMMENDATION 4 - Agencies should be aware that physical controls are
>especially important in a VoIP environment and deploy them accordingly.
>
> TECHtionary analysis is to implement and reinforce all types of
>physical security devices. Aside from using electronic protections, lock
>the doors. Lastly, review employment business and HR employment processes
>as 80% of IT crime is perpetrated by disgruntled and dishonest employees.
>
>
>
>NIST RECOMMENDATION 5 - Evaluate costs for additional power backup systems
>that may be required to ensure continued operation during power outages.
>
> TECHtionary analysis is that most VoIP phones and soft phones require
>power. Customers should add power injectors, backup power and generators to
>all critical functions including diverse wiring to emergency centers.
>
>
>
>NIST RECOMMENDATION 6 - VoIP firewall-ready and other appropriate
>protection mechanisms should be employed. Agencies must enable, use and
>routinely test the security features that are included in VoIP systems.
>
> TECHtionary analysis is to consider hiring hackers to really test your
>VoIP. Next, upgrade and test firewalls. Understand VoIP systems are IP
>devices and will likely impact your user count for your firewall system.
>Plan and budget accordingly.
>
>
>
>NIST RECOMMENDATION 7 - If practical, "softphone" systems, which implement
>VoIP using an ordinary PC with a handset and special software, should not be
>used where privacy or security are a concern.
>
> TECHtionary analysis is that soft phones should be programmed to ensure
>immediate password protection when the user is away from the PC. Softphones are
>not necessarily any more insecure than other devices including stand-alone
>telephone sets. In addition, routinely test for hacker access via browser
>to voice/email/etc.
>
>
>
>NIST RECOMMENDATION 8 - If mobile units are to be integrated with the VoIP
>system, use products implementing WPA-WiFi Protected Access rather than
>WEP-WiFi Equivalent Privacy.
>
> TECHtionary analysis is to incorporate TKIP-Temporal Key Integrity
>Protocol as WiFi-Wireless Fidelity telephone sets will likely be part of the
>VoIP installation. TKIP is a required part of WEP2 or WPA-WiFi Protected
>Access and uses a 128-bit "temporal key" shared among clients and access
>points. WPA requires TKIP and combines the temporal key with the client's
>MAC-Media Access Control address (Ethernet NIC-Network Interface Card fixed
>48-bit address) and then adds a relatively large 16-octet (128-bit)
>initialization vector to produce the key that will encrypt the data. TKIP
>ensures that each station uses different key streams to encrypt the data.
>
>
>
>NIST RECOMMENDATION 9 - Carefully review statutory requirements regarding
>privacy and record retention with competent legal advisors.
>
> TECHtionary analysis is to hire legal counsel when you buy a VoIP
>system and include performance and security provisions in the purchase
>agreement. Sorry, we don't have any polite images of legal advisors.
>
>#10 TECHtionary.com also strongly recommends customers perform a
>comprehensive network assessment prior to purchase or implementation of any
>VoIP to determine network capabilities ("will it really work under stress")
>as well as all of the above issues.
>
>We hope this gives you some insights as you plan, design and implement VoIP.