NIST report urges caution with VoIP security

Computerworld - A new report from the National Institute of Standards and Technology urges federal agencies and other organizations to take care in switching to voice-over-IP technology because of security concerns.
The 99-page NIST report, "Security Considerations for Voice over IP Systems," includes nine recommendations for IT managers to help them implement VoIP in a secure manner. "Lower cost and greater flexibility are among the promises of VoIP for the enterprise, but VoIP should not be installed without careful consideration of the security problems introduced," the report says.
"Administrators may mistakenly assume that since digitized voice travels in packets, they can simply plug VoIP components into their already-secure networks and remain secure. However, the process is not that simple," the report says.
The report, authored by NIST computer security experts Richard Kuhn and Thomas Walsh, as well as Steffen Fries of Siemens AG, appeared in draft form last June and was formally released in final form earlier this month. Today, NIST included excerpts from it in an e-mail newsletter.
Among its recommendations, the report calls for building logically separate voice and data networks where practical, instead of building a single converged network. It also calls for using VoIP firewalls and routinely testing them.
Another recommendation says that "if practical," VoIP softphones should not be used where either security or privacy is a priority. A softphone involves using an ordinary PC with a headset and special software instead of a typical telephone unit.
Many analysts and even VoIP hardware vendors have discussed VoIP security for years, but the predominant thinking seems to be that such systems can be installed in a secure way (see story).

Many analysts believe that a bigger concern for enterprises weighing VoIP use is whether enough business-centered applications can be used atop a VoIP system to make it worthwhile, not whether the systems can be made secure.
One analyst, Zeus Kerravala at The Yankee Group in Boston, noted today that the report doesn't seem to have had much impact on companies deploying the technology. Many large enterprises and many federal agencies, some with tens of thousands of users, are already deploying VoIP systems effectively and securely, he said.
"Obviously it's important to think about security with VoIP, but to say some of what they've said, especially about softphones, shows a little bit of backwards thinking," Kerravala said. "I think, somewhat, it's written by Luddites."
Kerravala said that softphones can be made secure, depending on the desktop software being used. "I think that if you are the head of the