US report adds weight to security doubts about internet telephony

A report by the US National Institute of Standards and Technology (NIST) has warned that the quality of service demanded by voice over IP systems does not fit well with traditional network security.

The NIST said that due to the time-critical nature of VoIP, and its low tolerance for disruption and packet loss, many security measures implemented in traditional data networks could not be used.

As reported in Computer Weekly last week, VoIP suppliers have formed the Voice over IP Security Alliance (Voipsa) to address security concerns surrounding the technology. Voipsa plans to sponsor VoIP security research projects and to develop tools and methodologies for public use.

The NIST report warned that the strict performance requirements of VoIP had significant implications for security. Firewalls and Network Address Translation, two technologies commonly used on networks, present a formidable challenge to VoIP implementers, the report warned.

"Both firewalls and Network Address Translation can degrade quality of service in a VoIP system by introducing latency and jitter," it said.

The report said allowing signalling traffic from an incoming call through a firewall would require several ports to remain open, and these could be targeted by an attacker. If holes are to be made in the firewall to allow incoming calls, careful administration and rule definitions are needed.

The report also said Network Address Translation can act as a bottleneck because all traffic is routed through a single node. But, if users are prepared to pay, technology exists to overcome these quality of service issues.

Other problems highlighted by the report include VoIP-specific denial of service attacks, such as floods of specially crafted messages using the IP telephony signalling protocol SIP, that could stop many VoIP devices.

The report said SIP phone endpoints may freeze and crash when attempting to process a high rate of packet traffic.

SIP proxy servers may fail or intermittently log discrepancies under a VoIP-specific signalling attack of less than 1Mbit/s. In general, the packet rate of the attack may have more impact than the bandwidth: a high packet rate may result in a denial of service even if the bandwidth consumed is low.
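To illustrate the report's point that packet rate matters more than bandwidth, here is an added example (not code from the NIST report or Computer Weekly) that flags a SIP signalling flood by packets per second over a constructed traffic sample; a bandwidth-only threshold of 1 Mbit/s, as a purely volumetric monitor would apply, sees nothing:

```python
from collections import defaultdict

# Constructed sample traffic: (timestamp_s, source_ip, sip_method, size_bytes).
# 10.0.0.7 sends 250 small INVITEs in one second: only 0.8 Mbit/s, but a packet
# rate far beyond anything a single handset would generate. 10.0.0.5 and
# 10.0.0.6 are ordinary endpoints sending a handful of requests.
SAMPLE_PACKETS = (
    [(i / 250.0, "10.0.0.7", "INVITE", 400) for i in range(250)]
    + [(i / 5.0, "10.0.0.5", "INVITE", 900) for i in range(5)]
    + [(i / 5.0, "10.0.0.6", "REGISTER", 700) for i in range(5)]
)


def per_source_rates(packets, window_start=0.0, window_s=1.0):
    """Return {src: (packets_per_second, bits_per_second)} for one time window."""
    counts = defaultdict(int)
    byte_totals = defaultdict(int)
    for ts, src, _method, size in packets:
        if window_start <= ts < window_start + window_s:
            counts[src] += 1
            byte_totals[src] += size
    return {src: (counts[src] / window_s, byte_totals[src] * 8 / window_s)
            for src in counts}


def volumetric_alerts(packets, bps_threshold=1_000_000):
    """What a bandwidth-only monitor reports: sources above bps_threshold."""
    return sorted(src for src, (_pps, bps) in per_source_rates(packets).items()
                  if bps > bps_threshold)


def signalling_flood_alerts(packets, pps_threshold=100, bps_threshold=1_000_000):
    """Flag sources by SIP packet rate, and note when the flood is below the
    bandwidth threshold, i.e. invisible to a volumetric monitor."""
    alerts = []
    for src, (pps, bps) in sorted(per_source_rates(packets).items()):
        if pps > pps_threshold:
            alerts.append({"src": src, "pps": pps, "bps": bps,
                           "below_bandwidth_threshold": bps < bps_threshold})
    return alerts


if __name__ == "__main__":
    print("bandwidth-only:", volumetric_alerts(SAMPLE_PACKETS))
    print("packet-rate:", signalling_flood_alerts(SAMPLE_PACKETS))
```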

The report pointed out that delay in a VoIP system can be added by codecs compressing or encoding messages and by additional processing such as encryption.

Processing time increases with the degree of compression, because larger blocks of speech data are needed to produce higher degrees of compression.
