Perimeter security, as applied to VoIP solutions, implies that the voice network is segregated wherever possible, so that unwanted traffic between the voice and data networks is constrained.
Soft clients present a greater challenge, because they run on the same host and network connection as ordinary data applications; many vendors' IP hard phones, by contrast, can be isolated from the data network simply by placing them in a dedicated voice VLAN.
Only operations, administration and maintenance (OAM) traffic, which can be secured over SSH or SSL/TLS, should be allowed to cross between the general telephony LAN where the IP phones reside and the data network. The VoIP perimeter can be further protected with firewalls and access control lists, and with VLAN tagging where data access is provided through the PC port on the IP phone, so that the attached PC's traffic stays on the data VLAN rather than the voice VLAN.
The final layer of defense is endpoint security: harden the customer components that need access to the VoIP segments, apply hardening policies to the customer's system components, close down unneeded access, and restrict the use of insecure protocols and shells at the endpoints. Endpoint security must also include mechanisms to control access to the devices themselves, with password policies enforced so that passwords are strong and changed regularly.
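The segregation described above, expressed as a first-match access list that can be checked against sample flows before it is pushed to a switch or firewall. This is an added example, not code from the article; the subnets (10.10.0.0/24 voice VLAN, 10.20.0.0/24 data VLAN, 10.30.0.0/28 management hosts, call manager at 10.10.0.10), the ports and the flows are assumptions chosen for illustration. It also shows the weak setting beside the corrected one: the same allow rules on a chain whose default is ACCEPT, with no catch-all deny, let the data VLAN straight through to the phones.

```python
"""Voice/data segmentation as a first-match access list, checked against sample flows.

Added example, not code from the article. The subnets, VLAN names, ports and
flows are assumptions chosen for illustration:
  10.10.0.0/24  voice VLAN (IP hard phones), call manager at 10.10.0.10
  10.20.0.0/24  data VLAN (PCs, including those behind a phone's PC port)
  10.30.0.0/28  management hosts allowed to do OAM on the phones
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    src: str                            # source CIDR
    dst: str                            # destination CIDR
    proto: str                          # "tcp", "udp" or "any"
    dports: Optional[Tuple[int, int]]   # inclusive destination port range, None = any
    note: str = ""


VOICE = "10.10.0.0/24"
DATA = "10.20.0.0/24"
MGMT = "10.30.0.0/28"
CALL_MANAGER = "10.10.0.10/32"

# First match wins. Everything the voice segment needs is listed explicitly;
# the catch-all deny at the end is what actually enforces the segregation.
POLICY = [
    Rule("allow", VOICE, CALL_MANAGER, "tcp", (5061, 5061), "SIP over TLS from phones to the call manager"),
    Rule("allow", VOICE, VOICE, "udp", (16384, 32767), "RTP/SRTP media between phones"),
    Rule("allow", MGMT, VOICE, "tcp", (22, 22), "OAM over SSH from management hosts"),
    Rule("allow", MGMT, VOICE, "tcp", (443, 443), "OAM over HTTPS from management hosts"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None, "default deny"),
]


def evaluate(policy, src, dst, proto, dport, default="deny"):
    """Return (action, note) of the first rule matching the flow.

    `default` models the chain policy applied when no rule matches; an
    iptables chain left at ACCEPT, for instance, behaves as default="allow".
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if s not in ip_network(rule.src) or d not in ip_network(rule.dst):
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dports is not None and not (rule.dports[0] <= dport <= rule.dports[1]):
            continue
        return rule.action, rule.note
    return default, "no rule matched; chain default applied"


# Constructed flows: (src, dst, proto, dport, description).
SAMPLE_FLOWS = [
    ("10.10.0.25", "10.10.0.10", "tcp", 5061, "phone registers to call manager"),
    ("10.10.0.25", "10.10.0.26", "udp", 20000, "phone-to-phone media"),
    ("10.30.0.5", "10.10.0.25", "tcp", 22, "admin SSH to a phone"),
    ("10.20.0.77", "10.10.0.25", "tcp", 22, "PC on data VLAN SSH to a phone"),
    ("10.20.0.77", "10.10.0.10", "udp", 5060, "PC on data VLAN probes SIP/UDP on call manager"),
    ("10.10.0.25", "10.20.0.77", "tcp", 445, "phone reaches into the data VLAN"),
]


def audit(policy=POLICY, flows=SAMPLE_FLOWS, default="deny"):
    """Map each flow description to the action the policy gives it."""
    return {desc: evaluate(policy, s, d, p, port, default)[0]
            for s, d, p, port, desc in flows}


if __name__ == "__main__":
    print("hardened policy (explicit default deny):")
    for desc, action in audit().items():
        print(f"  {action:5} {desc}")
    # The same allow rules without the catch-all, on a chain whose default is
    # ACCEPT: everything not listed, including SSH from the data VLAN, gets through.
    print("allow rules only, chain default ACCEPT:")
    for desc, action in audit(POLICY[:-1], default="allow").items():
        print(f"  {action:5} {desc}")
```

Each `Rule` maps one-for-one onto an ACL entry or firewall rule, so the flow list doubles as the acceptance test for the deployed configuration: if a flow the audit marks `deny` succeeds on the real network, the voice and data segments are not actually separated.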
Five steps to comprehensive unified communications security
By applying the following five-step plan, you can:
1. Protect your customers’ internal network infrastructure with network segregation, firewalls, intrusion-detection systems (IDS) and virtual LANs (VLANs).
Network segregation prevents unnecessary or unwanted traffic from reaching segments where it could cause harm. Firewalls examine the network traffic passing through them and block packets that do not meet predefined criteria. Network-based intrusion detection and prevention systems (IDS/IPS) can be deployed at strategic locations within the enterprise network to monitor traffic and watch for signs of attack or misuse; an IPS can also block threats and attacks automatically. Network access control provides a way to authenticate and control access to network resources, which is especially critical where you do not have physical control over network ports.
2. Protect client devices and servers with mechanisms that thwart viruses, intruders and denial-of-service (DoS) attacks, keep them resilient under attack, and enforce policies that ensure the devices stay protected.
Operating system hardening, such as allowing only the ports a device actually needs to be active, improves resistance to attacks. Host-based malware protection defends IP softphones against malicious software designed to damage or disrupt computing systems, such as viruses, worms and Trojan horses. Host-based intrusion-detection systems (HIDS) audit and analyse system events to watch for signs of attack or misuse.
3. Protect the integrity of multimedia services by safeguarding both the signaling traffic and media traffic.
Encryption of signaling traffic (for SIP, typically by carrying it over TLS) prevents illicit monitoring of, or tampering with, the signaling that directs network operation. Encryption of media traffic (the actual content of communications between users, for example with SRTP) prevents eavesdropping on private matters, whether the communication is voice, video or instant messaging.
4. Extend security to remote and mobile workers by ensuring that only authorised users can access the network, and encrypting their communications for privacy.
Virtual private networks (VPN) enable secure connectivity with branch offices, business partners and remote users far beyond the reach of private networks. VPN technology can also be used to secure remote management interfaces, reducing the risk that someone could tamper with branch office equipment that is managed from a central office.
5. Protect the integrity of management systems through encryption, administrator access control and activity logging.
Authentication ensures that only authorised users can access management facilities; this is normally accomplished with strong passwords that are centrally administered. Access permissions define administrators' roles and restrict the functions they can use, so the security administrator can grant privileges only to those users entrusted with the tasks they must perform. System event logging records all system events, such as operational activity, errors and security activities. Secure billing records protect confidentiality and help identify theft of service.
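A check for step 3 that can be run over captured or exported SIP signaling to confirm that both halves, signaling and media, are actually encrypted, rather than taking it on trust from a configuration screen. This is an added example, not code from the article: the three INVITEs are constructed, and the addresses, tags and the SDES key value (RFC 4568's sample key) are placeholders, not captured traffic. It also covers a failure mode the text does not spell out: SRTP keyed with SDES (`a=crypto`) over unencrypted SIP ships the media key in the clear, so the media is only as protected as the signaling that carried the key.

```python
"""Check a SIP INVITE for encrypted signaling (TLS) and encrypted media (SRTP).

Added example, not code from the article. The INVITEs are constructed;
addresses, tags, branch parameters and the SDES key (RFC 4568's sample value)
are placeholders, not captured traffic.
"""
import re

SDP_HEAD = (
    "v=0\r\n"
    "o=- 2890844526 2890844526 IN IP4 10.10.0.25\r\n"
    "s=-\r\n"
    "c=IN IP4 10.10.0.25\r\n"
    "t=0 0\r\n"
)

# Media profiles whose packets are SRTP rather than plain RTP.
SECURE_MEDIA_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


def _invite(transport, media_line, *attrs):
    """Build a constructed INVITE with the given Via transport and SDP media section."""
    uri = "sips:2001@10.10.0.10" if transport == "TLS" else "sip:2001@10.10.0.10"
    port = 5061 if transport == "TLS" else 5060
    return (
        f"INVITE {uri} SIP/2.0\r\n"
        f"Via: SIP/2.0/{transport} 10.10.0.25:{port};branch=z9hG4bK776asdhds\r\n"
        "From: <sip:2002@10.10.0.10>;tag=1928301774\r\n"
        "To: <sip:2001@10.10.0.10>\r\n"
        "Content-Type: application/sdp\r\n"
        "\r\n"
        + SDP_HEAD + media_line + "\r\n"
        + "".join(a + "\r\n" for a in attrs)
    )


SDES_KEY = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR"

# Plain UDP signaling and plain RTP media: nothing is protected.
WEAK_INVITE = _invite("UDP", "m=audio 20000 RTP/AVP 0 8", "a=rtpmap:0 PCMU/8000")
# SRTP keyed by SDES, but signaling on UDP: the a=crypto key is sent in the clear.
MIXED_INVITE = _invite("UDP", "m=audio 20000 RTP/SAVP 0 8", SDES_KEY)
# TLS signaling carrying an SDES-keyed SRTP offer: both signaling and media protected.
HARDENED_INVITE = _invite("TLS", "m=audio 20000 RTP/SAVP 0 8", SDES_KEY)


def split_message(raw):
    """Split a SIP message into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def signaling_transport(headers):
    """Transport named in the topmost Via header: 'TLS', 'TCP', 'UDP', ..."""
    via = headers.get("via", [""])[0]
    m = re.match(r"SIP/2\.0/(\w+)", via)
    return m.group(1).upper() if m else "UNKNOWN"


def media_sections(body):
    """Return one dict per m= line: media type, transport profile, a= attributes."""
    sections = []
    for line in body.split("\r\n"):
        if line.startswith("m="):
            parts = line[2:].split()
            sections.append({"media": parts[0], "profile": parts[2], "attrs": []})
        elif line.startswith("a=") and sections:
            sections[-1]["attrs"].append(line[2:])
    return sections


def assess(raw):
    """Return transport, a list of findings, and ok=True only when nothing is exposed."""
    headers, body = split_message(raw)
    transport = signaling_transport(headers)
    findings = []
    if transport != "TLS":
        findings.append(f"signaling over {transport}: headers and SDP are readable and modifiable on the wire")
    for sec in media_sections(body):
        media, profile, attrs = sec["media"], sec["profile"], sec["attrs"]
        if profile not in SECURE_MEDIA_PROFILES:
            findings.append(f"{media} offered as {profile}: media is plain RTP")
            continue
        sdes = any(a.startswith("crypto:") for a in attrs)
        dtls = any(a.startswith("fingerprint:") for a in attrs)
        if not (sdes or dtls):
            findings.append(f"{media} offered as {profile} without a=crypto or a=fingerprint: cannot be keyed")
        elif transport != "TLS":
            how = "SDES key" if sdes else "DTLS fingerprint"
            findings.append(f"{media} {how} travels over unprotected signaling: an on-path attacker can read or replace it")
    return {"transport": transport, "findings": findings, "ok": not findings}


if __name__ == "__main__":
    for name, msg in [("weak", WEAK_INVITE), ("mixed", MIXED_INVITE), ("hardened", HARDENED_INVITE)]:
        result = assess(msg)
        print(f"{name}: transport={result['transport']} ok={result['ok']}")
        for f in result["findings"]:
            print("  -", f)
```

Run it against INVITEs exported from a packet capture of a test call; a deployment where phones show `RTP/SAVP` but `Via: SIP/2.0/UDP` has encrypted media in name only, which is the `MIXED_INVITE` case above.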
Closing the loop
No doubt your customers are relishing the productivity, performance and personalization advantages of unified communications. The greater the reach and availability of the network, however, the greater its vulnerability to threats from within and outside the organisation.
When consulting with your customers, take them through the security threats and their pitfalls, and use the five steps and their respective defense mechanisms to establish a highly secure enterprise network environment, one that reliably protects against known and emerging threats without compromising quality of service or the user experience.
Security paradox for enterprises
By Staff Writers on Jun 24, 2008 3:30PM