Tuesday, July 12, 2005

NIST reports on VoIP security


NETWORK WORLD NEWSLETTER: M. E. KABAY ON SECURITY
07/12/05
Today's focus: NIST reports on VoIP security

By M. E. Kabay

VoIP technology digitizes sound and sends the data stream in
packets through the Internet. One would think at first that
normal network security technologies would suffice to protect
the packet stream against interference. Unfortunately, voice
transmission imposes timing constraints on the data stream; if
packets are not received quickly enough to ensure reconstitution
in the right order in real-time, people will perceive the sound
as distorted. International standards have set an upper bound of
150 ms on the delay (latency) in packet delivery; this
requirement imposes severe demands on the throughput of security
equipment and software - demands that exceed the norms common to
data processing applications for networks.

D. Richard Kuhn and Thomas J. Walsh of the National Institute of
Standards and Technology and Steffen Fries of Siemens published
the final version of NIST Special Publication 800-58 in January.
I usually like the NIST SPs, but this one is particularly
thorough and well written.

Entitled "Security Considerations for Voice Over IP Systems,"
the publication can be found here (in PDF):
<http://www.networkworld.com/nlsec3202>

After a brief introduction of the project scope, the authors
turn to an overview of VoIP technology and then discuss the
fundamentals of QoS, including latency, jitter (irregular
delivery of bursts of packets followed by gaps in the
transmission), packet loss, effective bandwidth (much reduced in
practice from the theoretical bandwidth), resilience (power
failure backups, secondary systems) and susceptibility to
denial-of-service attacks.

The publication reviews H.323, the International
Telecommunication Union standard that details audio and video
communications across packet networks. The authors provide
definitions, diagrams and
summaries of the protocols involved in different types of calls.
They review security profiles and end with encryption issues
(performance is a constant problem to consider).

The publication also deals with Session Initiation Protocol
(SIP), the IETF standard used for VoIP. As with H.323, the
authors present the fundamental architecture and terminology of
SIP. They then review several aspects of security features
already integrated into SIP.

The publication summarizes the technological infrastructure of
VoIP, including specialized gateways, firewalls, network address
translation (NAT), call initiation, encryption and IPSec.

Chapter 9, "Solutions to the VOIPsec Issues," discusses the
following approaches:
* Encryption at the end points
* Secure Real Time Protocol (SRTP)
* Key management for SRTP
* Better scheduling schemes
* Compression of packet size
* Resolving NAT/IPSec incompatibilities

The final chapter is entitled "Planning for VOIP Deployment."
One of the most interesting sections is a brief warning about
the privacy implications of VoIP technology. The caller's voice
is being carried over data networks, and so there is some
confusion over precisely which legal privacy protections apply
to these transmissions.

The authors end on a cautionary note:

"The construction of a VOIP network is an intricate procedure
that should be studied in great detail before being attempted.
New risks can be introduced, and vulnerabilities of data packet
networks appear in new guises for VOIP... The integration of a
VOIP system into an already congested or overburdened network
could be catastrophic for an organization's technology
infrastructure. There is no easy 'one size fits all' solution to
the issues discussed in these chapters... VOIP can be done
securely, but the path is not smooth. It will likely be several
years before standards issues are settled and VOIP systems
become a mainstream commodity. Until then, organizations must
proceed cautiously, and not assume that VOIP components are just
more peripherals for the local network. Above all, it is
important to keep in mind the unique requirements of VOIP,
acquiring the right hardware and software to meet the challenges
of VOIP security."

_______________________________________________________________
To contact: M. E. Kabay

M. E. Kabay, Ph.D., CISSP, is Associate Professor in the
Division of Business and Management at Norwich University in
Northfield, Vt. Mich can be reached by e-mail
<mailto:mkabay@norwich.edu> and his Web site
<http://www2.norwich.edu/mkabay/index.htm>.

Copyright Network World, Inc., 2005
