The drivers behind the converged network are well understood: lower support and maintenance costs, business enablement through telephony-application integration and aging telephone systems requiring replacement, just to name a few. Most companies are focusing their convergence efforts on VoIP, and VoIP solutions are maturing at an amazing rate, as are the network technologies that enable them, for the most part. As far as security is concerned, the road ahead could be rocky.
The converged network imposes traditionally data-oriented threats, like viruses and worms, upon voice services. It is key to understand the potential threats and risk-mitigation strategies that will enable businesses to reap the technological and business benefits expected from convergence.
EVALUATING THE THREATS
When analyzing any new technology for security implications, a company must examine the three tenets of security: confidentiality, integrity and availability. Confidentiality requires that secrets remain secrets, and that conversations held with a reasonable expectation of privacy remain private. Integrity demands that messages are received intact and unmodified; closely tied to it is authentication, the assurance that the other party is who they claim to be. Availability stipulates that the dial tone always will be there when needed.
Threats to integrity may give the least cause for concern. The best known of these today is the ability to misrepresent one's phone number (caller ID) by manipulating the signalling packets. While certainly an annoyance, the risk is fairly easy to manage, and caller ID was never a reliable identifier on the legacy network either. All in all, the risks to VoIP integrity don't outweigh those of legacy phone technology, and therefore don't represent a comparatively higher risk.
Threats to confidentiality, as suggested, manifest themselves as invasions of privacy. So the question must be asked: exactly how much privacy do people expect when using a company-owned phone system? Is it more or less than when using a cell phone? Most company policies answer this directly: when it comes to the use of business communication tools such as e-mail and phones, there is no expectation of privacy.
These considerations are at least partially responsible for the delayed implementation of cryptography to protect IP telephony transmissions. Even so, the leading IP telephony vendors are implementing such protections in the latest or upcoming versions of their products. For instance, Cisco Call Manager 4.0 supports encryption with the Cisco 7970 IP Phone, with support for the 7960 and 7940 phones coming in the next version. This will raise the bar for tools such as VOMIT (voice over misconfigured Internet telephones), which reconstruct a recording of an IP telephony conversation from unencrypted voice packets captured off the network, the data network equivalent of a wiretap. Keep in mind that encryption protects a call only between endpoints that support it: the leg to a phone without encryption support, or out through a gateway to the public network, is still in the clear.
The highest level of angst pertaining to VoIP is driven by availability, as people have come to depend on the phone as much as, if not more than, any other business tool. Threats to availability come in all shapes and sizes. They can target the phone system itself, either at the servers or at the phone devices. Since call servers are typically deployed on mainstream operating systems (such as Windows 2000 Server), a virus infection can take such a system offline, affecting the entire VoIP system.
Threats can come from other parts of the converged network as well. A virus spreading through the mail system can generate sufficient traffic to bring down parts of the network infrastructure, thereby impacting the "dial tone availability." What was once separate infrastructure, and therefore relatively immune to influence from the data network, now has been commingled to the point that, if proper precautions aren't taken, one easily can affect the other.
REDUCING THE RISK
While there are certainly enough sources of threat to cause insomnia in the most diligent of technologists, there are also some easy steps to reduce the risk. With IT security, risk reduction is the name of the game; risk elimination is only possible with a forklift.
The best bet is a three-fold strategy of network protection, system hardening and automated monitoring and prevention.
Network Protection. Network-based protection certainly includes the normal perimeter defense security experts have been touting for years: firewalls, router access lists, network segmentation and so on. Beyond the perimeter, perhaps the single most important step is to segment all VoIP-related systems (servers and phones alike) into their own IP network and then use access control lists, or even a firewall, to restrict access into this network to only those systems and users with a clearly defined need. The permitted services must cover both TCP and UDP: call signalling and management traffic mostly use TCP (SIP may also use UDP), while the voice itself travels as RTP over UDP, so an access list that enumerates only TCP ports will silently break the media. By limiting the systems and services allowed into and out of this protected network, an organization can far more effectively contain any virus or worm infection.
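To make the access-list step concrete, here is an added example (it is not code from the article, and not Cisco's): a small Python evaluator for IOS-style extended access lists, run against constructed flows into a voice-server network. The address plan, the rule text and the sample flows are assumptions chosen for illustration; the skinny signalling port (TCP 2000) and the RTP range (UDP 16384 to 32767) are the Cisco IP phone defaults.

```python
"""Added example: evaluate a Cisco IOS-style extended ACL against sample flows.

The address plan, rules and flows below are constructed assumptions, not
configuration taken from the article or from any vendor documentation."""
import ipaddress
from typing import NamedTuple, Tuple

# Assumed address plan:
#   10.10.10.5      call server (in the voice-server network 10.10.10.0/24)
#   10.10.20.0/24   IP phones
#   10.10.30.0/24   user workstations; 10.10.30.10 is the telephony admin's PC
# Rules use IOS extended-ACL syntax. As on a router, entries are tried in
# order, the first match wins, and a flow that matches nothing falls through
# to the implicit "deny ip any any" that ends every access list.
VOICE_SERVER_IN = """
remark phones -> call server: skinny (SCCP) signalling
permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.5 eq 2000
remark phones -> call server: TFTP download of phone configuration
permit udp 10.10.20.0 0.0.0.255 host 10.10.10.5 eq 69
remark phones -> call server: RTP media (music on hold, conferencing)
permit udp 10.10.20.0 0.0.0.255 host 10.10.10.5 range 16384 32767
remark admin workstation only: HTTPS management
permit tcp host 10.10.30.10 host 10.10.10.5 eq 443
"""


class Flow(NamedTuple):
    proto: str    # "tcp" or "udp"
    src: str
    dst: str
    dport: int    # destination port; source ports are not filtered here


class Rule(NamedTuple):
    action: str
    proto: str
    src: Tuple[int, int]    # (network, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    ports: Tuple[int, int]  # inclusive destination-port range
    text: str


def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok[i]))
    wild = int(ipaddress.IPv4Address(tok[i + 1]))
    return (net, wild), i + 2


def _parse_ports(tok, i):
    """Optional trailing 'eq P' or 'range LO HI'; absent means every port."""
    if i >= len(tok):
        return (0, 65535)
    if tok[i] == "eq":
        return (int(tok[i + 1]), int(tok[i + 1]))
    if tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2]))
    raise ValueError("unsupported port operator: " + tok[i])


def parse_acl(text):
    """Turn ACL text into an ordered list of Rule entries (remarks skipped)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        src, i = _parse_addr(tok, 2)
        dst, i = _parse_addr(tok, i)
        rules.append(Rule(tok[0], tok[1], src, dst, _parse_ports(tok, i), line.strip()))
    return rules


def _addr_match(addr, spec):
    net, wild = spec
    # Cisco wildcard mask: a 1 bit means "don't care", a 0 bit must match.
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)


def evaluate(rules, flow):
    """Return (action, text of the entry that decided it) for one flow."""
    for r in rules:
        proto_ok = r.proto in ("ip", flow.proto)
        port_ok = r.ports[0] <= flow.dport <= r.ports[1]
        if proto_ok and port_ok and _addr_match(flow.src, r.src) and _addr_match(flow.dst, r.dst):
            return r.action, r.text
    return "deny", "implicit deny ip any any"


# Constructed sample flows: a phone registering, a workstation hitting the
# server's file-sharing port (the path a worm takes), media from a phone,
# the admin's HTTPS session, and a SIP probe from the workstation network.
SAMPLE_FLOWS = [
    Flow("tcp", "10.10.20.15", "10.10.10.5", 2000),
    Flow("tcp", "10.10.30.7", "10.10.10.5", 445),
    Flow("udp", "10.10.20.15", "10.10.10.5", 16400),
    Flow("tcp", "10.10.30.10", "10.10.10.5", 443),
    Flow("udp", "10.10.30.7", "10.10.10.5", 5060),
]

if __name__ == "__main__":
    acl = parse_acl(VOICE_SERVER_IN)
    for f in SAMPLE_FLOWS:
        action, why = evaluate(acl, f)
        print(f"{f.proto}/{f.dport:<5} {f.src:>12} -> {f.dst:<11} {action:6} ({why})")
```

Two things the run makes visible that the text only states: order matters, because the first matching entry decides, and the implicit deny at the end is what keeps a workstation worm off the server's file-sharing and RPC ports, so only the handful of needed services has to be listed, never the ports to block. The same entries, placed in an extended access list and applied inbound on the voice-server VLAN interface of a Cisco router or Layer 3 switch, would enforce the policy for real.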
This also introduces the security concept of the "Defense in Depth." Unfortunately, the most commonly used security strategy is to only deploy security devices at the network perimeter. Like a candy bar, this gives any would-be security threat a "hard, crunchy outside with a soft, chewy middle." The "Defense in Depth" strategy requires that, as one moves from the perimeter to more important systems, such as phone systems and business critical database servers, one should encounter more stringent security. Security should be more like an onion than a candy bar - the closer you get to what's really important, the harder it becomes.
System Hardening. To harden a system, one simply needs to operate under the premise that operating systems and applications ship with numerous questionable default settings and unnecessary services. For instance, anonymous NetBIOS connections are rarely needed on any network server and should be disabled through the Local Security Policy (on Windows 2000, the "Additional restrictions for anonymous connections" setting under Security Options). In many cases the IP telephony vendor can provide a "hardening script" that you can use to clean up the system; prefer it to a generic checklist, since the vendor knows which services the telephony application itself depends on.
In doing so, an organization further reduces the "footprint" left by the phone system servers, limiting the possible avenues through which these systems may be susceptible to attack. Finally, hardening also includes the practice of regular patch management, absolutely critical to maintaining the availability (and security) of a VoIP installation.
Automated Monitoring and Prevention. Many vendors are now touting Intrusion Prevention Systems (IPS), which can be considered the next evolutionary step for automated monitoring and prevention technology: an intrusion detection system that blocks what it detects rather than only raising an alert. Such systems come in two forms, network-based (NIDS) and host-based (HIDS). Both monitor current activity for signs of malicious actions. The difference is in where they are deployed: NIDS monitors network packets, protecting an entire network segment at a time at the cost of granularity, and it cannot see inside encrypted traffic. HIDS monitors activity on an individual server with greater vigilance, at a cost that grows linearly with the server count. The general rule of thumb is to place NIDS on important network segments, especially immediately behind firewalls, and to place HIDS on critical servers. Overlap between NIDS and HIDS is not only expected, it's desired.
HIDS is especially important to VoIP installations and should be considered as part of the cost of entry. Indeed, vendors such as Cisco are even making this part of the default installation. For instance, the Cisco Security Agent (CSA) comes with every Call Manager license.
This copy of CSA knows what to expect from the server, including expected network communications (both incoming and server-initiated), the programs that should be running and other baseline information. Anything out of the ordinary is immediately shut down by CSA, making it the last bastion of defense against automated viruses and worms. The flip side of a strict baseline is that legitimate changes, such as a patch or a new management tool, also look out of the ordinary, so updating the baseline has to be part of the change process or the agent will block the change as readily as a worm.
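As an added illustration of what such a baseline amounts to in practice (this is not Cisco Security Agent code, and not from the article), the following Python models a host baseline for a hypothetical call server and runs constructed observations against it. Process names, paths, addresses and ports are invented for the example.

```python
"""Added example: a toy host baseline check in the spirit of a HIDS on a
call server. Observed processes and connections are compared with what the
server is expected to run and talk to, and each is allowed or blocked.

All names, paths, addresses and ports are constructed assumptions."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Process(NamedTuple):
    name: str
    path: str       # directory the image was launched from


class Connection(NamedTuple):
    direction: str  # "in": accepted by the server; "out": server-initiated
    proto: str
    peer: str
    port: int       # server-side port for "in", remote port for "out"


# Assumed baseline for a hypothetical call server (invented names).
EXPECTED_PROCESSES = {
    "callctl.exe": r"c:\voice\bin",    # call control service
    "tftpsvc.exe": r"c:\voice\bin",    # phone configuration server
    "dbengine.exe": r"c:\voice\db",    # configuration database
}

# (direction, protocol, port, peers allowed on the other end)
EXPECTED_CONNECTIONS = [
    ("in", "tcp", 2000, "10.10.20.0/24"),    # phone signalling
    ("in", "udp", 69, "10.10.20.0/24"),      # phone config download
    ("in", "tcp", 443, "10.10.30.10/32"),    # admin workstation only
    ("out", "udp", 514, "10.10.10.50/32"),   # syslog to the log collector
]


def decide_process(p):
    """Block unknown images, and known names launched from the wrong place
    (a familiar name in an unfamiliar directory is a classic malware disguise).
    Names and paths are compared case-insensitively, as Windows does."""
    expected = EXPECTED_PROCESSES.get(p.name.lower())
    if expected is None:
        return "block", f"{p.name}: not in baseline"
    if p.path.lower().rstrip("\\") != expected:
        return "block", f"{p.name}: expected in {expected}, found in {p.path}"
    return "allow", f"{p.name}: baseline process"


def decide_connection(c):
    """Allow only connections whose direction, port and peer are in the
    baseline. Direction matters: a call server opening file-sharing sessions
    to workstations is how an infected server spreads, never normal operation."""
    for direction, proto, port, peers in EXPECTED_CONNECTIONS:
        same_service = (c.direction, c.proto, c.port) == (direction, proto, port)
        if same_service and ip_address(c.peer) in ip_network(peers):
            return "allow", f"{c.direction} {c.proto}/{c.port} {c.peer}: baseline"
    return "block", f"{c.direction} {c.proto}/{c.port} {c.peer}: not in baseline"


def audit(observations):
    """Return [(observation, action, reason)] for a mixed list of processes
    and connections, in the order observed."""
    result = []
    for o in observations:
        decide = decide_process if isinstance(o, Process) else decide_connection
        result.append((o,) + decide(o))
    return result


# Constructed observations: normal service activity, an unknown program in
# the system directory, a baseline name started from a temp folder, a phone
# registering, a workstation probing SMB, the server itself reaching out to
# a workstation on SMB, and the server sending syslog.
OBSERVED = [
    Process("CallCtl.exe", r"C:\Voice\bin"),
    Process("update.exe", r"C:\WINNT\system32"),
    Process("callctl.exe", r"C:\Temp"),
    Connection("in", "tcp", "10.10.20.15", 2000),
    Connection("in", "tcp", "10.10.30.7", 445),
    Connection("out", "tcp", "10.10.30.40", 445),
    Connection("out", "udp", "10.10.10.50", 514),
]

if __name__ == "__main__":
    for obs, action, reason in audit(OBSERVED):
        print(f"{action:5} {reason}")
```

The baseline records direction as well as port: the inbound phone registration is normal, while the server opening SMB sessions to a workstation is the signature of an infected server spreading, which is precisely the case the host agent exists to stop. The same strictness is why the baseline has to be maintained: a tool legitimately installed on the server but never added to EXPECTED_PROCESSES is blocked exactly like the unknown program in the sample.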
Although there are real risks associated with the converged voice and data networks, tried-and-true practices will reduce those risks to a manageable level, resulting in lower costs, tighter integration and a host of other benefits that organizations have come to expect from convergence efforts.
Randy Bartels is consulting manager for Calence Inc., a builder and manager of networks and a Cisco Gold Partner. Bartels heads up Calence's Security Assessment Practice. He has more than 12 years' experience within the IT field. He holds a bachelor's degree in computer science from Grand Canyon University in Phoenix.
Links: Calence Inc., www.calence.com