Security paradox for enterprises

The very openness and ubiquity that makes IP networking such a powerful business enabler can also expose it to a significant threat. The ports and portals that welcome remote sites, mobile users, customers, and business partners into the trusted internal network are also welcoming to those who may compromise the network’s security.

Security breaches – and the business disruptions they cause – represent a key concern for your customers. In the past, they relied on intranets primarily for email and file exchange, and they used the Internet as their web storefront. With Unified Communications, IP networks are entrusted to carry the essential functions of conducting business – customer contact centres, voice, Unified Messaging, conferencing, and more – so the requirement for protection is heightened.

Removing the obstacle

Now that IP networks offer the robustness and quality of service that voice service requires, enterprises have been quick to capitalise on the benefits of Unified Communications. Converging voice and data over IP maximises network efficiency, streamlines the architecture, reduces capital and operating costs, and opens up new service opportunities.

The IP-based multimedia architecture makes it easy to extend service to remote sites and home offices over cost-effective IP links, and makes it easy to deploy, reconfigure (add/move/change) and repair service. Unified Communications enables rich, new multimedia services, such as web-enabled multimedia contact centres, Unified Messaging, presence and remote PC-based call management.

However, there are factors that need to be considered in deploying a VoIP solution. As the lines blur between internal and external resources, the network reaches more audiences and touch points, carries more mission-critical services, and adds more distributed servers and intelligent clients. It also becomes increasingly vulnerable to security threats.

The typical enterprise internal network extends to supply chain partners, telecommuters, remote access users, web users, application service providers, disaster recovery providers and more. That means that the network may also be more accessible to hackers, cyberthieves, disgruntled employees, and others who would misappropriate network resources. Worse yet, although estimates vary on what percentage of security breaches are internal, most sources consider that figure to be more than 50 percent.

Organisations have been understandably concerned about securing this new multimedia environment, in which proprietary company information flows across shared facilities, public places, open airwaves and unknown users. It’s clear that security must be a key focus in any VoIP deployment.

Security for IP multimedia networks should be achievable, affordable and manageable. Confidentiality, integrity, and authentication of critical multimedia resources must be ensured while maintaining service continuity, feature richness, performance and availability. Security features should be transparent to the user, standard-based, simple to administer, uniform across products and cost-effective.

Finally, security should be implemented consistently across the solution.

As a trusted reseller, it’s your responsibility to deliver on that promise with a secure Unified Communications solution that:

• Protects the integrity of network infrastructure and communications by preventing unauthorised access;

• Increases network reliability by preventing disruptions from attacks on user services, network hardware or network management systems; and

• Prevents theft of intellectual property and abuse of resources from eavesdropping and toll fraud.

A layered security strategy

A layered defense approach to network security applies multiple security approaches at multiple network levels – much like protecting your property with sentries and gates at several places.

The approach applies multiple enforcement tactics – such as authentication, encryption, packet filtering and signature-based inspection – at multiple network zones – such as access endpoint, network perimeter, network core and transport links.

A layered approach minimises the possibility that a single point of failure could compromise overall security. If a primary layer of security is breached, the secondary or tertiary layer of defense is there to thwart the attack.

The diagram gives a cross section of the security layers, with several enforcement approaches in action. This layered approach applies directly to a VoIP solution as follows:

Core network layer protection includes the devices that monitor for unwanted behaviour or traffic patterns and respond to them – this would include Intrusion Detection and Prevention Systems. The network protection approach could also apply policies that authorise devices onto the network (such as the 802.1x protocol), ensure that DoS-like traffic can be detected and shut down, and prevent devices from spoofing IP addresses.

Protection around the communications layer would include the ability to encrypt your voice traffic with SRTP (Secure Real-Time Transport Protocol), and signalling traffic with UNIStim or TLS (Transport Layer Security) encryption.

OAM security could be enforced through the strict use of SSH/SSL (Secure Shell/Secure Socket Layer) for OAM (Operations, Administration and Maintenance) access and IPsec connectivity between your VoIP components.

Perimeter security, as applied to VoIP solutions, implies that the voice network should be segregated wherever possible, so that unwanted traffic between the voice and data networks is constrained.

Soft clients present a greater challenge; however, some vendors’ IP hard phones can be easily isolated from the data network through the use of VLAN technology.

Only OAM traffic, which can be secured over SSH/SSL, should be allowed from the general LAN into the telephony LAN where the IP Phones reside. The VoIP perimeter can be further protected through the use of firewalls and access control lists, and through VLAN tagging if data access is provided through the IP Phone clients.

The final layer of defense, endpoint security, is enforced by hardening the customer components that need access to the VoIP segments: applying hardening policies to your customer’s system components, closing down unneeded access, and restricting the use of insecure protocols and shells at the endpoints. Endpoint security must also include mechanisms to control access to the devices. Password control policies must be enforced so that passwords are changed regularly and are strong.
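The perimeter and OAM rules described above (voice VLAN segregated from the data LAN, only SSH/SSL management traffic admitted, encrypted signalling and media between phones and the core) can be expressed as a default-deny flow policy and audited against flow records. The following Python is an added example, not code from the original article or any vendor; the address plan, ports and sample flows are constructed for illustration.

```python
import ipaddress

# Constructed, hypothetical address plan: one zone per network segment in the article.
ZONES = {
    "data":  ipaddress.ip_network("10.1.0.0/16"),   # general data LAN (PCs, soft clients)
    "voice": ipaddress.ip_network("10.2.0.0/16"),   # isolated voice VLAN (IP hard phones)
    "oam":   ipaddress.ip_network("10.3.0.0/24"),   # OAM / management stations
    "core":  ipaddress.ip_network("10.4.0.0/24"),   # call servers and media gateways
}

# Allow-list, first match wins; anything not listed is denied (default deny).
# Entries: (src_zone, dst_zone, proto, (low_port, high_port), reason)
ALLOW = [
    ("voice", "core", "tcp", (5061, 5061),   "SIP signalling over TLS"),
    ("voice", "core", "udp", (16384, 32767), "SRTP media to gateway"),
    ("core", "voice", "udp", (16384, 32767), "SRTP media to phones"),
    ("oam",  "voice", "tcp", (22, 22),       "OAM over SSH"),
    ("oam",  "core",  "tcp", (22, 22),       "OAM over SSH"),
    ("oam",  "core",  "tcp", (443, 443),     "OAM over SSL/TLS web admin"),
]

def zone_of(ip):
    """Map an address to its zone; unknown addresses are treated as untrusted."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), "untrusted")

def evaluate(src_ip, dst_ip, proto, dst_port):
    """Return (verdict, reason) for one flow under the segregation policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for s, d, p, (lo, hi), why in ALLOW:
        if (s, d, p) == (src, dst, proto) and lo <= dst_port <= hi:
            return "allow", why
    return "deny", f"{src}->{dst} {proto}/{dst_port} not in allow-list"

def audit(flows):
    """Flag flows a firewall export shows that the policy should have denied."""
    return [(f, evaluate(*f)[1]) for f in flows if evaluate(*f)[0] == "deny"]

# Constructed flow records: (src, dst, proto, dst_port)
SAMPLE_FLOWS = [
    ("10.2.0.20", "10.4.0.10", "tcp", 5061),  # phone -> call server, TLS: allow
    ("10.2.0.20", "10.4.0.10", "tcp", 5060),  # cleartext SIP signalling: deny
    ("10.1.5.7",  "10.2.0.20", "tcp", 23),    # data-LAN PC telnet to phone: deny
    ("10.3.0.2",  "10.2.0.20", "tcp", 22),    # OAM station SSH to phone: allow
    ("10.1.5.7",  "10.2.0.20", "tcp", 22),    # SSH, but from the data LAN: deny
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print("VIOLATION", flow, reason)
```

Running the audit over a real flow-log export shows which cross-VLAN or cleartext flows the perimeter ACLs are still letting through.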

Five steps to comprehensive unified communications security

By applying the following five-step plan, you can:

1. Protect your customers’ internal network infrastructure with network segregation, firewalls, intrusion-detection systems (IDS) and virtual LANs (VLANs).

Network segregation prevents unnecessary or unwanted traffic from traversing into areas that might cause problems. Firewalls examine network traffic passing through them and block packets that don’t meet predefined criteria. Network-based Intrusion Detection and Prevention Systems (IDS/IPS) can be deployed at strategic locations within the enterprise network to monitor network traffic and watch for signs of attack or misuse. In the case of IPS, the systems can also work to automatically block threats and attacks. Network access control provides a method for authenticating and controlling access to network resources—especially critical for areas where you don’t have physical control over network ports.

2. Protect client devices and servers with mechanisms that thwart viruses, intruders and denial-of-service (DoS) attacks, while remaining resilient under attack, and enforce policies to ensure that the devices stay protected.

Operating system hardening improves resistance to attacks, such as allowing only certain ports to be active. Host-based ‘malware’ protection protects IP softphones against malicious software designed to damage or disrupt computing systems, such as viruses, worms and Trojan horses. Host-based intrusion-detection systems (IDS) audit and analyse system events to watch for signs of attack or misuse.

3. Protect the integrity of multimedia services by safeguarding both the signaling traffic and media traffic.

Encryption of signaling traffic prevents illicit monitoring or tampering of the signaling that directs network operation. Encryption of media traffic (the actual content of communications between users) prevents eavesdropping into private matters, whether the communication is voice, video or instant messaging.

4. Extend security to remote and mobile workers by ensuring that only authorised users can access the network, and encrypting their communications for privacy.

Virtual private networks (VPN) enable secure connectivity with branch offices, business partners and remote users far beyond the reach of private networks. VPN technology can also be used to secure remote management interfaces, reducing the risk that someone could tamper with branch office equipment that is managed from a central office.

5. Protect the integrity of management systems through encryption, administrator access control and activity logging.

Authentication ensures that only authorised users can access management facilities. This is normally accomplished through the use of strong passwords that are centrally administered. Access permissions define administrators’ roles and restrict the functions they can use. In this way, the security administrator can grant access privileges to only those users who are entrusted to the tasks they must perform. System event logging records all system events, such as operational activity, errors and security activities. Secure billing records protect confidentiality and identify theft of service.

Closing the loop

No doubt your customers are relishing the productivity, performance and personalization advantages of unified communications. The greater the reach and availability of the network, however, the greater its vulnerability to threats from within and outside the organisation.

When consulting to your customers, take them through the pitfalls of security threats, and use the five steps and their respective defense mechanisms to establish a highly secure enterprise network environment—one that reliably protects against known and emerging threats, without compromising quality of service or the user experience.