Security Considerations for Voice Over IP Systems
Total Page:16
File Type:pdf, Size:1020Kb
Special Publication 800-58 Security Considerations for Voice Over IP Systems Recommendations of the National Institute of Standards and Technology D. Richard Kuhn, Thomas J. Walsh, Steffen Fries NIST SP 800-58 Voice Over IP Security _____________________________________________________________________________ II NIST SP 800-58 Voice Over IP Security _________________________________________________________________________ NIST Special Publication 800-58 Security Considerations for Voice Over IP Systems Recommendations of the National Institute of Standards and Technology C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 January 2005 U.S. Department of Commerce Donald L. Evans, Secretary Technology Administration Phillip J. Bond, Under Secretary for Technology National Institute of Standards and Technology Shashi Phoha, Director III NIST SP 800-58 Voice Over IP Security _____________________________________________________________________________ Note to Readers The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This document is a publication of the National Institute of Standards and Technology (NIST) and is not subject to U.S. copyright. Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. T.J. Walsh and D.R. Kuhn are employees of NIST; S. Fries is an employee of Siemens AG. For questions or comments on this document, contact sp800-58@nist.gov. Acknowledgments This document has benefited from review and comment by many experts. We particularly want to thank Mike Stauffer, of Booz Allen Hamilton, for his careful review and many contributions to improving the quality of this publication. Appendix A is derived from an internal NIST report by Tony Meehan and Tyler Moore of the University of Tulsa. Many people provided us with helpul comments and suggestions for improvements to the first draft of this document. We are grateful to Tim Grance, John Larson and colleagues at Sprint, Stephen Whitlock, David Waring, Steven Ungar, Larry L. Brock, Ron Rice, John Dabnor, Susan Landau, Cynthia Des Lauriers, Victor Marshall, Nora Wheeler, Anthony Smith, Curt Barker, Gerald Maguire, Frank Derks, Ben Halpert, Elaine Starkey, William Ryberg, Loraine Beyer, Terry Sherald, Gill Williams, Roberta Durant, Adrian Gardner, Rich Graveman, David Harrity, Lakshminath Dondeti, Mary Barnes, Cedric Aoun, Mike Lee, Paul Simmons, Marcus Leech, Paul Knight, Ken van Wyk, Manuel Vexler, and John Kelsey. IV NIST SP 800-58 Voice Over IP Security _________________________________________________________________________ Table of Contents Executive Summary and Recommendations .......................................................................................... 3 1 Introduction ...................................................................................................................................... 10 1.1 Authority .................................................................................................................................... 10 1.2 Document Scope and Purpose .................................................................................................. 10 1.3 Audience and Assumptions....................................................................................................... 11 1.4 Document Organization ............................................................................................................ 11 2 Overview of VOIP............................................................................................................................ 13 2.1 VOIP Equipment ....................................................................................................................... 13 2.2 Overview of VOIP Data Handling ........................................................................................... 14 2.3 Cost............................................................................................................................................. 16 2.4 Speed and Quality...................................................................................................................... 16 2.5 Privacy and Legal Issues with VOIP........................................................................................ 17 2.6 VOIP Security Issues................................................................................................................. 17 3 Quality of Service Issues.................................................................................................................. 19 3.1 Latency....................................................................................................................................... 19 3.2 Jitter ............................................................................................................................................ 20 3.3 Packet Loss ................................................................................................................................ 21 3.4 Bandwidth & Effective Bandwidth .......................................................................................... 22 3.5 The Need for Speed ................................................................................................................... 24 3.6 Power Failure and Backup Systems ......................................................................................... 24 3.7 Quality of Service Implications for Security............................................................................ 25 4 H.323................................................................................................................................................... 26 4.1 H.323 Architecture .................................................................................................................... 26 4.2 H.235 Security Profiles.............................................................................................................. 28 4.2.1 H.235v2.................................................................................................................................. 29 4.2.2 H.235v3.................................................................................................................................. 32 4.2.3 H.323 Annex J ....................................................................................................................... 36 4.2.4 H.323 Security Issues ............................................................................................................ 36 4.3 Encryption Issues and Performance.......................................................................................... 37 5 SIP....................................................................................................................................................... 39 5.1 SIP Architecture......................................................................................................................... 39 5.2 Existing Security Features within the SIP Protocol ................................................................. 40 5.2.1 Authentication of Signaling Data using HTTP Digest Authentication............................... 41 5.2.2 S/MIME Usage within SIP.................................................................................................... 41 5.2.3 Confidentiality of Media Data .............................................................................................. 41 5.2.4 TLS usage within SIP ............................................................................................................42 5.2.5 IPsec usage within SIP..........................................................................................................42 5.2.6 Security Enhancements for SIP ............................................................................................ 42 5.2.7 SIP Security Issues ................................................................................................................ 44 6 Gateway Decomposition.................................................................................................................. 47 6.1 MGCP ........................................................................................................................................ 47 6.1.1 Overview................................................................................................................................ 47 V NIST SP 800-58 Voice Over IP Security _________________________________________________________________________