A report by the US National Institute of Standards and
Technology (NIST) has warned that the quality of service demanded
by voice over IP systems does not fit well with traditional network
security.
The NIST said that due to the time-critical nature of VoIP, and its
low tolerance for disruption and packet loss, many security
measures implemented in traditional data networks could not be
used.
As reported in Computer Weekly last week, VoIP suppliers have formed the Voice over IP Security Alliance (Voipsa) to address security concerns surrounding the technology. Voipsa plans to sponsor VoIP security research projects, and develop tools and methodologies for public use.
The NIST report warned that the strict performance requirements of
VoIP had significant implications for security. Firewalls and
Network Address Translation, two technologies commonly used on
networks, present a formidable challenge to VoIP implementers, the
report warned.
"Both firewalls and Network Address Translation can degrade quality
of service in a VoIP system by introducing latency and jitter," it
said.
The report said allowing signalling traffic for an incoming call through a firewall would require several ports to remain open, and these could be targeted by an attacker. Careful administration and rule definition are needed if holes are to be opened in the firewall to allow incoming calls.
The report also said Network Address Translation can act as a
bottleneck because all traffic is routed through a single node.
But, if users are prepared to pay, technology exists to overcome
these quality of service issues.
Other problems highlighted by the report include VoIP-specific denial of service attacks, such as floods of specially crafted messages using the IP telephony signalling protocol SIP, which could stop many VoIP devices.
The report said SIP phone endpoints may freeze and crash when
attempting to process a high rate of packet traffic.
SIP proxy servers may experience failure and intermittently log discrepancies under a VoIP-specific signalling attack of less than 1Mbps. In general, the packet rate of the attack may have more impact than the bandwidth - a high packet rate may result in a denial of service even if the bandwidth consumed is low.
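The report's point that packet rate can matter more than bandwidth is easy to miss in monitoring that only tracks bits per second. As an added illustration, not taken from the NIST report or the article, here is a per-source rate check run over constructed packet records; the 100 packets/s and 1Mbps limits are assumed thresholds for a small SIP proxy, and the addresses are made up.

```python
from collections import defaultdict

# Constructed packet records: (timestamp_s, source_ip, bytes_on_wire).
# One source sends a flood of small SIP requests (400 pkt/s at 300 bytes,
# about 0.96 Mbps, so under a 1 Mbps bandwidth alarm) while a normal
# endpoint sends a few packets a second.
SAMPLE_PACKETS = (
    [(i / 400.0, "10.0.0.99", 300) for i in range(400)]
    + [(i / 5.0, "10.0.0.7", 600) for i in range(5)]
)


def per_source_rates(packets, window_s=1.0):
    """Return {src: (peak_packets_per_s, peak_bits_per_s)} over fixed windows."""
    counts = defaultdict(int)
    octets = defaultdict(int)
    for ts, src, size in packets:
        bucket = (src, int(ts // window_s))
        counts[bucket] += 1
        octets[bucket] += size
    peaks = {}
    for (src, _idx), n in counts.items():
        pps = n / window_s
        bps = octets[(src, _idx)] * 8 / window_s
        prev_pps, prev_bps = peaks.get(src, (0.0, 0.0))
        peaks[src] = (max(prev_pps, pps), max(prev_bps, bps))
    return peaks


def classify(packets, pps_limit=100.0, bps_limit=1_000_000.0):
    """Flag each source by which assumed limit its peak rate exceeds.

    A bandwidth-only check (bps_limit alone) would miss the low-bandwidth,
    high-packet-rate flood the report describes; the packet-rate check catches it.
    """
    verdicts = {}
    for src, (pps, bps) in per_source_rates(packets).items():
        reasons = []
        if pps > pps_limit:
            reasons.append("packet-rate")
        if bps > bps_limit:
            reasons.append("bandwidth")
        verdicts[src] = reasons
    return verdicts


if __name__ == "__main__":
    for src, reasons in classify(SAMPLE_PACKETS).items():
        print(src, "flagged:" if reasons else "normal", ", ".join(reasons))
```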
The report pointed out that delay in a VoIP system can be added by
codecs compressing or encoding messages and by additional
processing such as encryption.
Processing time increases with the degree of compression, because
larger blocks of speech data are needed to produce higher degrees
of compression.