Committee on National Security SystemsCNSS Instruction No. 5000April 2007GUIDELINESFORVOICE OVER INTERNETPROTOCOL (VoIP)COMPUTER TELEPHONY

Committee on National Security SystemsCNSS Instruction No. 5000CHAIRFOREWORD1.The Committee on National Security Systems Instruction (CNSSI) No.5000, “Guidelines for Voice over Internet Protocol (VoIP) Computer Telephony,”contains guidance for providing on-hook security for telephone systems located in areaswhere sensitive government information is discussed. Implementation of this instructiondoes not preclude the application of more stringent requirements and may not satisfy therequirements of other security programs such as TEMPEST, COMSEC (CommunicationsSecurity), or OPSEC (Operational Security).2.The National Telecommunications Security (NTS) Working Group (WG),formerly known as the Telecommunications Security Group (TSG), is the primarytechnical and policy resource in the U.S. Intelligence Community (IC) for all aspects ofthe Technical Surveillance Countermeasures (TSCM) Program involving telephonesystems located in areas where sensitive government information is discussed.3.TSG Standards will be replaced by and issued as CNSS Instructions(CNSSIs). Director Central Intelligence Directive (DCID) No. 6/9, Reference b.,delineated TSG Standards and Information Series compliance by SensitiveCompartmented Information Facilities (SCIFs) for the protection of sensitive informationand unclassified telecommunications information processing systems and equipment;SCIF compliance shall now be fulfilled in accordance with the appropriate CNSSIs.4.CNSS Instruction No. 5000 is effective upon receipt.5.Copies of this instruction may be obtained by contacting the Secretariat at410.854.6805 or Government contractors and vendors shall contact their appropriategovernment agency or Contracting Officer Representative regarding distribution of thisdocument./s/KEITH B. ALEXANDERLieutenant General, U.S. ArmyCNSS Secretariat (I922) / National Security Agency9800 Savage Road - Suite 6716 - Ft Meade MD 20755-6716Office: (410) 854-6805 / Unclassified FAX: (410) [email protected]

CNSS Instruction No. 5000NATIONAL GUIDELINESFORVOICE OVER INTERNET PROTOCOL (VOIP)COMPUTER ERAL OVERVIEWREQUIREMENTSOVERVIEW OF VOIP TELEPHONE SYSTEM ECTION I – PURPOSE1. This instruction prescribes the requirements for the secure implementation anduse of a VoIP Telephony system in any U.S. Government or government contractorsensitive area where national security systems (NSS) are employed and/or withinenvironments where national security information (NSI) is stored, processed, ortransmitted. The requirements established in this standard are necessary in order toachieve on-hook audio security for VoIP telephones and/or systems located in sensitivediscussion areas.SECTION II – SCOPE2.The provisions of this instruction apply to all unclassified VoIP TelephonySystems that are currently installed, or will be installed, in U.S. Government or U.S.Government sponsored contractor spaces where NSS are employed and/or withinenvironments where classified NSI is stored, processed, transmitted, or when used as apoint of isolation in accordance with (IAW) Reference h.SECTION III – REFERENCES3.References are listed in ANNEX A.SECTION IV – DEFINTIONS4. Definitions in CNSSI No. 4009, Reference f., apply to this policy; additionalpolicy-specific terms are defined in ANNEX B.-2-

CNSS Instruction No. 5000SECTION V – GENERAL OVERVIEW5.In a VoIP configuration, the telephone instruments are connected via adistributed network to the “telephone switch.” The instrument’s connection, therefore, isno longer restricted to the “telephone switch” alone, but can be addressed by otherdevices on the network. Additionally, the VoIP telephone instrument is remarkablydifferent from the conventional telephone attached to a traditional ComputerizedTelephone System (CTS). A VoIP instrument is essentially a computer with microphoneand network connectivity, while many have a built-in web server to permit easieradministration of its features. It follows that the administration of the “telephone switch”is no longer limited to a dedicated hardwire connection, but to a distributed network.This substantially reduces the security of the “telephone switch” that previously had solecontrol over the telephone configuration. Also, note that most traditional CTSs useproprietary protocols whereas most VoIP configurations use open-standard protocols.The use of an open-standard protocol increases the number of individuals who areknowledgeable about system commands, escalating the possibility that someone couldcompromise the system.SECTION VI – REQUIREMENTS6.The requirements of this document cover the above VoIP Telephony Systemsbut do not specifically address network Certification and Accreditation (C&A)requirements mandated by many organizations. Since VoIP networks may also need toconform to the specific C&A requirements of the individual departments or agencies,contact the appropriate C&A authority for guidance. The security requirements for eachof the following configurations are specified in a separate annex, which forms a part ofthis guideline. General requirements are also discussed in SECTION VII – “Overview ofVoIP Telephone System Security.” This instruction will be revised to update theapplicable sections or annexes as technology changes occur that impact the existingdocumentation.a. Pure VoIP (Annex D). A Pure VoIP, illustrated below, is Internet Protocolbased (IP) for all end-to-end communications and signaling. Reference j. listedinstruments provide security in a Pure VoIP System.SECURE ARE AIPIN T E R N E TWANLANIPTSG 6 PHONE-3-

CNSS Instruction No. 5000b. Isolated VoIP (Annex E). An Isolated VoIP, illustrated below, uses a mix oftraditional Time Division Multiplexing (TDM) and VoIP technologies similar toHybrid VoIP, but is exclusively for secure area use. The IP Private BranchExchange (PBX), telephones, and associated wiring must be located in thesecure area. Only the TDM trunk lines may be located outside the secure area.c. Hybrid VoIP (Annex F). A Hybrid VoIP, illustrated below, uses a mix oftraditional TDM and VoIP technologies to complete the end-to-end call.However, unlike Isolated VoIP, the IP PBX is not required to be located in thesecure area. Rather, it must be located in a Physically Protected Space (PPS). Allsignal lines must be protected to the same level as the PPS.Physically ProtectedSpaceTDMSECURE AREACentral Office (CO)(OR)IPVoIP PhoneTDMOther PBXsIP PBXTDM Break-4-

CNSS Instruction No. 5000d. VoIP Trunk (Annex G). The trunk line is VoIP and the end telephonicdevice(s) and PBX is TDM as illustrated below. Either the Instrument or theTDM PBX provides security.Physically Protected SpaceSECURE AREAINTERNETIPTDMTSG2 TDM PBXTDM/AnalogSECTION VII – OVERVIEW OF VOIP TELEPHONE SYSTEM SECURITY7.Unclassified VoIP systems in secure areas shall not pass and/or transmitsensitive audio discussions when they are idle and not in use. Additionally, these systemsshall be configured to prevent external control or activation. The concepts of "on-hook"and "off-hook” audio protection, outlined in References h., must be incorporated intoVoIP systems.8.Unclassified VoIP telephone systems and services shall be configured toprevent technical exploitation or penetration. In addition, these systems shall incorporatephysical and software access controls to prevent disclosure or manipulation of systemprogramming and stored data. The following specific requirements are applied tounclassified VoIP systems:a. Provide on-hook audio protection by the use of instrument(s), cited inReference j., or equivalent system configuration, cited in Reference h.b. Provide off-hook audio protection by use of a hold feature, modified handset(i.e., Push-To-Talk (PTT)), or equivalent.c. Provide isolation by use of a properly accredited VoIP computerizednetwork with software and hardware configuration control and control of auditreports (e.g., station message detail reporting, call detail reporting.). Systemprogramming will not include the ability to place, or keep, a handset off-hook.Configuration of the system must ensure that all on-hook and off-hookvulnerabilities are identified and mitigated.-5-

CNSS Instruction No. 5000d. Equipment used for administration of VoIP telephone systems is installedinside an area where access is limited to authorized personnel. When local orremote administration terminals are not or cannot be contained within thecontrolled area, and safeguarded against unauthorized manipulation, then theuse of approved telephone instruments, cited in Reference j., shall be requiredregardless of the VoIP Network configuration.9.All unclassified VoIP systems and associated infrastructure must be electricallyand physically isolated from any classified information/telecommunications systemsIAW References a. through d.10. Unclassified information systems must be safeguarded to prevent manipulationof features and software that could result in the loss/compromise of sensitive audioinformation or protected data. An unclassified VoIP network may be subjected to C&A.SECTION VIII – RESPONSIBILITIES11. Heads of Federal Departments and Agencies shall:a. Develop, fund, implement, and manage programs necessary to ensure thatthe goals of this policy are achieved and that plans, programs, and CNSSissuances that implement this policy are fully supported.b. Incorporate the content of this policy into annual user education, training,and awareness programs.Encl:ANNEX AANNEX BANNEX CANNEX DANNEX EANNEX FANNEX GReferencesDefinitionsList of AcronymsPure VoIP Security RequirementsIsolated VoIP Security RequirementsHybrid VoIP Security RequirementsVoIP Trunk Security Requirements-6-

CNSS Instruction No. 5000ANNEX AREFERENCESa. Code of Federal Regulations, Title 32 - National Defense, Volume 6, “Part2004 – Directive on Safeguarding Classified National Security Information,” RevisedJuly 2003.b. Director of Central Intelligence Directive (DCID) No. 6/9, “Physical SecurityStandards for Sensitive Compartmented Information Facilities,” November 2002.c. Director of Central Intelligence Directive (DCID) No. 6/2, “TechnicalSurveillance Countermeasures,” March 1999.d. Security Policy Board Issuance 6-97, “National Policy on TechnicalSurveillance Countermeasures,” September 1997.e. National Institute for Standards and Technology (NIST), Federal InformationProcessing Standards (FIPS) Publication 140-2, “Security Requirements forCryptographic Modules,” 25 May 2001.f. CNSS Instruction No. 4009, “National Information Assurance (IA)Glossary,” Revised June 2006.g. Telephone Security Group (TSG) Standard 1, “Introduction to TelephoneSecurity,” March 1990.h. Telephone Security Group (TSG) Standard 2, “TSG Guidelines forComputerized Telephone Systems,” Revised September 1993.i. Telephone Security Group (TSG) Standard 5, “On-Hook Telephone AudioSecurity Performance Specifications,” March 1990.j. Telephone Security Group (TSG) Standard 6, “Telephone Security GroupApproved Equipment,” Revised September 2000.-7-

CNSS Instruction No. 5000ANNEX BDEFINITIONSTerms used in this policy are defined in Reference f., with the exception of thefollowing, although some additional terms are defined in References g. and h.a. Disabled: A function or component that is disabled by requirement shall not bere-enabled through any action by a user or the network.b. Internet Protocol: IP is part of the TCP/IP family of protocols describing softwarethat tracks the Internet address of nodes, routes outgoing messages, and recognizesincoming messages.c. Internet Protocol Private Branch Exchange: A private branch exchange thatutilizes IP protocols in a packet switched environment. This includes all thecomputer and IP network resources required for the VoIP implementation.d. Hybrid VoIP: A VoIP configuration using a mix of traditional Time DivisionMultiplexing (TDM) and VoIP technologies to complete an end-to-end call.e. Isolated VoIP: A VoIP configuration that is exclusively for secure area use.f. Other Network Protocols: Any other networking or management scheme inwhich data is transmitted or received (e.g., Frame Relay, Asynchronous TransferMode).g. Physically Protected Space: A space within a physically protected perimeter.This area must be locked and access limited to cleared US personnel requiringaccess to the system.h. Pure VoIP: A VoIP configuration that is IP-based for all end-to-endcommunications and signaling.i. Simple Network Management Protocol (SNMP): A protocol enabling systemadministrators to monitor and manage a network of connected computers.j. Transmission Control Protocol/Internet Protocol (TCP/IP): The suite ofcommunications protocols used on the Internet. While TCP and IP are the mostcommonly used, TCP/IP also includes several other protocols.k. Time Division Multiplexing (TDM): TDM is, in this instance, indicating a circuitswitched link (POTS, T1, ISDN, proprietary digital, etc.). Circuit switched-8-

CNSS Instruction No. 5000protocols are generally less vulnerable, something the NTSWG has relied upon aspart of the security posture of a telephone system.l. Voice Over Internet Protocol: A term used to describe the transmission ofpacketized voice using IP and consists of both signaling and media protocols.m. Voice over IP Firewalls: A primary function at the Application Layer andprotects against vulnerabilities specifically associated with VoIP as well as othertelephony concerns. VoIP firewalls can dynamically open and close portsassociated with call setup and teardown.n. VoIP Trunk: A VoIP configuration in which the trunk line is VoIP and the endtelephonic device(s) and PBX is TDM.-9-

CNSS Instruction No. 5000ANNEX CList of WIPIP SSHSSLTCPTCP/IPTDMTSCMTSGVLANVoIPWANWGAccess Control ListCertification & AccreditationCommittee on National Security SystemsCommittee on National Security Systems InstructionCommunications SecurityComputerized Telephone SystemsDirective of Central Intelligence DirectiveDefense Information Systems AgencyFederal Information Processing StandardsInformation AssuranceIntelligence CommunityIn Accordance WithInternet ProtocolInternet Protocol Private Branch ExchangeLocal Area NetworkMedia Access ControlNational Institute for Standards and TechnologyNational Security AgencyNational Security InformationNational Security SystemsNational Telecommunications SecurityNational Telecommunications Security Working GroupOperational SecurityOperating SystemPrivate Branch ExchangePhysically Protected SpacesPush to talkSimple Network Management ProtocolSecure ShellSecure Socket LayerTransmission Control ProtocolTransmission Control Protocol/Internet ProtocolTime Division Multiplexing - Circuit switchedTechnical Surveillance CountermeasuresTelephone Security GroupVirtual Local Area NetworkVoice over Internet ProtocolWide Area NetworkWorking Group- 10 -

CNSS Instruction No. 5000ANNEX DPure VoIP Security Requirements1. This annex specifies security requirements for deploying a Pure VoIP voice/datasolution. Since the user cannot control the Pure VoIP network, only telephoneinstruments listed in Reference j. may be used.2. This document does not address the C&A requirements that many organizationsrequire. Consult with your network accreditation authority for guidance.3. Voice Instrument Security. Telephone instruments are not to be removed from thesecure area except for repair, maintenance, or disposal. The following provisions must beimplemented to promote on-hook and off-hook [audio] security in VoIP telephoneinstruments.a. Microphone Disconnect. Microphones used to process audio for a VoIP(telephony) application must have a positive disconnect whereby the connectionrequires the user to manually enable and disable the microphone. This typicallyrequires the removal of the speakerphone microphone.b. Identifiable Telephones. Telephones must be easily identifiable as NTSWGapproved.c. Audio Reverse Flow. Speakers used to output audio from a VoIP (telephony)feature must be equipped with amplifier circuits (op-amps or one-way amplifiers) thatprevent the reverse flow of audio from the speaker transmit talk path. Side tonecircuits are permitted provided they merely feed transmit audio to the local speakerreceive circuit.d. Handset/Headset Disconnect. Handsets/headsets used to process audio for VoIP(telephony) applications must have a means to positively disconnect the microphoneand earpiece element from the circuit when not in use. The disconnect must behardware controlled and must not rely on software controls alone. Compliance mayrequire the use of PTT handsets.- 11 -

CNSS Instruction No. 5000e. Hold/Mute Feature. The VoIP (telephony) application must feature a “hold”function whereby local audio is shunted from the circuit when active. Similarly,when the mute feature is enabled, audio is shunted from the circuit. The “hold” or“mute” feature must be enabled/disabled from the local end only and must not be reconfigurable from the distant/calling end of the circuit (i.e., such as a firmwarefeature). When the hold or mute features are enabled, the audio shunt must bedesigned to remove the audio path from the transmit circuit so that no digitized audiois present.2 If these requirements cannot be met, then PTT handsets are required.f. Telephone Audio Security. For systems in a classified area, the system shallensure telephony audio security iaw Reference i., On-hook Telephone AudioSecurity Performance Specifications, telephones shall not be capable of transmittingnearby room audio (e.g., discussions) that could be processed and transmitted beyondthe physically protected space while in the on-hook condition. Reference j. listedinstruments are required in areas where classified information may be discussed.g. Unnecessary Telephone Functionality. VoIP telephone instrument functionalityshall be limited to typical telephony functions. Unnecessary functionality shall bedisabled. Users of VoIP telephones shall not be able to view administrative settingsor settings such as IP or Media Access Control (MAC) addresses.(Note: Such information could enable a user to gain information about the network orpotentially spoof a device and gain unauthorized access.)h. Unnecessary Telephone Services. Services other than those necessary to processVoIP telephone conversations and related VoIP functions (e.g., call setup) shall bedisabled. Web services or the ability to browse the web with a VoIP telephone shallbe disabled.i. Speech Processing Software and Telephone Data Ports. Speech to text conversioncapability shall not be enabled.2Some VoIP vendors have designed hold and mute features that “flip a bit” to indicate the activation of the feature, butpermit the actual transport of audio along the network connection.- 12 -

CNSS Instruction No. 5000ANNEX EIsolated VoIP Security Requirements1. This annex specifies security requirements for deploying an Isolated VoIPconfiguration where the VoIP system is located in a secure area for which it providesexclusive service and the only equipment or wiring outside the secure area are the TDMtrunk lines. These requirements apply to a VoIP PBX that exclusively uses TDM trunklines, whether copper or fiber. Any current or planned IP connectivity outside of theswitch must follow the requirements listed in Annex D. No wireless capability ispermitted. VoIP networks must be physically separated from other IP networks.2. This document does not address the C&A requirements that many organizationsrequire. Consult with your network accreditation authority for guidance.(Note: This install is similar to a traditional installation, cited in Reference h., in