NIST Urges Caution in Switch to VOIP

GAITHERSBURG, Md., Feb. 2 -- Federal agencies and other organizations that are considering switching their telephone systems to Voice Over Internet Protocol (VOIP) should proceed with caution and carefully consider the security risks, says a recent report by the National Institute of Standards and Technology (NIST).

VOIP makes it possible to place telephone calls using a broadband Internet connection rather than traditional, circuit-based telephone lines. While it shows promise for lower cost and greater flexibility, VOIP has a very different architecture than circuit-switched telephony, and these differences result in significant security issues, the NIST says.

"Administrators may mistakenly assume that since digitized voice travels in packets, they can simply plug VOIP components into their already-secured networks and remain secure. However, the process is not that simple," according to the report. "Implementing common security measures into VOIP, such as firewalls and encryption, can cause poor voice quality and blocked calls if not done carefully and with the proper equipment. Designing, deploying and securely operating a VOIP network is a complex effort that requires careful preparation."

To make the transition to secure VOIP, the NIST recommends developing appropriate network architecture, including separate voice and data networks where feasible and practical; ensuring it can manage and mitigate risks to its information, system operations and continuity of essential operations when deploying VOIP systems; using and routinely testing the security features included in VOIP systems; and updating VOIP software regularly and frequently. It also advises against using "soft phone" systems that implement VOIP using a PC with a headset and special software, because worms, viruses and other malicious software are common on PCs connected to the Internet.

For more information, visit: csrc.nist.gov/publications/nistpubs/index.html