Seeing through the VoIP security hype free RSS feed from Security Park
(30/10/2007)

There’s a lot of debate around the security of converged communications at the moment; discussions of new and existing threats bringing down the “business critical” voice network when it hits the converged network on which everything rides. As an organisation that has been using a Cisco converged network for VoIP and, indeed, the even more critical streams we use for radio broadcasting, the security aspect of this is something we think of as paramount. However: the extent to which voice security needs to be treated differently to traditional network security is limited, despite hype and even occasional paranoia to the contrary.

For most modern organisations, their business rides on their network; effectively it is their network. Without the network platform in place, no critical business functions can take place – whether you’re a research organisation, a retailer, a financial institution, in manufacturing or even a broadcaster. Whether it’s your customer service, research capability, supply chain management, trading capability or broadcast and voice that falls down, you’re effectively crippled.

To protect against this possibility I’d emphasise the need to build defence-in-depth into your infrastructure. No single security product, despite any vendors’ claims, will provide you with total peace of mind. Gauge your risk profile, and put systems in at every layer of the network that is necessary: from Host Intrusion Prevention Systems on your servers and desktops to Intrusion Detections Systems, firewalls and other systems within the network itself. Increasingly vendors like Cisco are embedding security into the fabric of the network – look for these to help build your own self-defending network. In many cases, security is a game with no winners: you’re just aiming not to lose, and a layered approach can help a great deal here.

When looking at voice specifically, there are a few things that will help. Standard best practice dictates implementing separate voice VLANs on your network – with careful planning and IP address management this will allow for specific security policies to be applied to the voice network as a separate entity within the whole. Ensure you have a partner that can support your work in this if you are breaking new ground: Cisco was a great help to us and reputable, certified resellers of your choice of vendor’s network and voice products will have the necessary expertise to support you through an implementation. The net result of this will be simplified network management and the capability to allow different policies to be applied to voice traffic. In the event of a serious exploit, these VLANs could be isolated or switched off, if necessary, in order to prevent more significant damage; although obviously this would be a last resort!

Further to this, historical evidence can inform further protective measures: knowing that most (around 90%) of the threats we experience use Internet Control Message Protocol (ICMP) and Simple Network Management Protocol (SNMP) scanning to infect other hosts, monitoring for and isolating this kind of traffic on the voice network will protect against many common Denial of Service (DoS) attacks that result from worms and viruses.

There are other threats to voice security on the distant horizon: Spam over Internet Telephony (SPIT) is one that we’ve heard about, but not seen any actual evidence of. It’s interesting as it is difficult to imagine a commercial motivation for SPIT – phishing by email is likely to be far more effective – but in our experience if something is theoretically possible, someone will look for a way to do it. We’re confident that we’re a few years from having to worry about this, though.

A more active concern is directory hacking: if a Unified Communications Manager server was hacked, that would present a significant issue. But between a sturdy defence-in-depth security policy, and the fact that most organisations, including ourselves, actually close off their IP Telephony network to the internet at large (interfacing via Public Switched Telephone Network (PSTN) gateways at consolidated sites to go beyond the WAN), this shouldn’t be a major concern for most organisations.

Unified IP-based Communications promises huge benefits for organisations in all sectors: reduced costs, increased operational and management efficiency, and productivity benefits for users with increased mobility and flexibility. The security part of the piece doesn’t really introduce a lot of new complexity in an environment that is used to dealing with protecting a data network from external threats, but following a few key best-practice guidelines, finding a reliable partner and adopting a defence-in-depth approach to network security will help insulate you from these risks.

Opinion piece submitted by Aidan Hancock, Infrastructure Manager, GCap Media

Related topics:  Application and software security   Mobile and Wireless Security   Security management and policies   Security threats and vulnerabilities 

print versionPrint version | email this to a friendEmail to a friend | related articlesRelated articles

 

Other Security news and resources


Security News Suppliers Directory Jobs forum Classifieds Knowledge base White papers Research library Security books Special reports Security interviews Security companies Security events Security links Security market

Product channels

Access Control Biometrics CCTV Intruder Alarms IT Security Manned Guarding Perimeter Protection Physical Security Remote Monitoring Security Services Fire, Health & Safety Other Security Products

IT Security white papers and research library

Access Control  Authentication  Data Management  Data Security  Digital Signatures  Email Security  Identity Management  Internet Security  Intrusion Prevention  Network Security  Remote access security  Security Management  Security Policies  Security Software  Security Threats  Virus Detection Software  Virus Protection  VPN  Vulnerability Assessment  Wireless Security 

Security books, guides, standards and toolkits

RFID and Smart Cards books, guides and reference documents  Biometric books, guides and reference documents  CCTV books, guides and reference documents  Intruder alarms and intrusion detection systems books, guides and reference documents  Monitoring and surveillance books, guides and reference documents  IT Governance, ISO 27001 ISO 17799 and BS 7799 toolkits  Fire, Health & Safety books, guides and reference documents

Security Resources
Directory GET LISTED! Jobs forum Classifieds Knowledge base White papers Research library Security books Special reports Security companies Security events Security links Security market Company news

Security Products
Access Control Biometrics CCTV Intruder Alarms IT Security Manned Guarding Perimeter Protection Physical Security Remote Monitoring Security Services Fire, Health & Safety Security products

Security Markets
Bank and financial services security Corporate and enterprise security Education and school security Entertainment and events security Homeland and Government security Hospital and healthcare security Infrastructure and utilities security Manufacturing and industrial security Public sector security Residential and home security Retail security Small business security Sports and recreational security Transport and logistics security


Ensure that you conduct an effective information security risk assessment that is in line with ISO 27001 by purchasing vsRisk™ Risk Assessment Tool

Need a
reference book?
Find it on Amazon:
Security books and magazines in association with Amazon.co.uk







advertise
sumbit an article
copyright
terms & conditions
privacy policy


CMS and Web design by www.Areza.com

Article search

Directory search


add your company
Google

Accelerate your ISO27001 project and develop an ISO27001-compliant Information Security Management System (ISMS) with the help of this toolkit
Home | About us | Contact us | Submit an article | Advertise | Newsletter | RSS Newsfeed | SEARCH