Unified communications, on the surface, can be a boon to companies of any size, including those in the midmarket. By bringing together data, voice and video all on one network -- without
The strength of unified communications is that it puts all of a company's electronic traffic on the same network, where it can be maintained by the same staff, rather than additional specialized telecommunications staff. But, at the same time, its weakness is that it puts all of a company's electronic traffic on the same network, where it's subject to the same security weaknesses inherent in the rest of its network.
Since unified communications, by definition, means now running your telephone, voice, video, instant messaging (IM) and all other traffic over TCP/IP, the same hackers probing your network can now burrow their way into all your other company business.
But that doesn't mean unified communications should be avoided. In fact, in some ways, unified communications can be beefed up to be more secure than the old traditional phone network your company has always relied on.
Unified communications security can be accomplished by traditional network security best practices, secure network architectural design and network and hardware tools. In fact, some of the hardware you already have -- like routers and network switches -- may just have to be tuned and adjusted for things like Voice over Internet Protocol (VoIP) and other unified communications protocols.
The centerpiece of unified communications is VoIP, which replaces your traditional phone lines and network by running your telephone system over your existing TCP/IP network. When designing your unified communications system or shopping around for its network hardware, you should think first and foremost about VoIP. It'll probably be the biggest part of the traffic running over your network after your data.
Since a unified communications system basically resides on the same network as your computer traffic, traditional network security practices go a long way to protect it. All servers hosting unified communications software and traffic should be hardened, meaning only necessary services are turned on and unneeded services are turned off; security patches should be up to date; access controls should be in place; and access should be restricted to authorized users. Servers, of course, should also be protected by antivirus software, be behind firewalls and be monitored by intrusion detection systems.
These basic network security practices aside, unified communications and VoIP should be architected securely on your network. Unified communications traffic should be on dedicated servers, if possible, separate from the rest of your network, particular that hosting data. In general, voice and data traffic should be segregated on different network or virtual LAN segments.
This way, if hackers break into your call-control servers -- the servers hosting VoIP systems -- they can't access the rest of your company's network or data. Desktops and workstations, especially, shouldn't be on the same network segments as VoIP for the same reason -- a compromised VoIP connection through a desktop could be just what a hacker was looking for to get into the network.
In addition to the usual network hardware required for the rest of your TCP/IP traffic, VoIP infrastructure has its own unique component. These include media gateways (MGs) and media gateway controllers (MGC), which act as gateways and controllers for groups of MGs. These devices do analog to digital conversion, changing voice signals into the bits and bytes readable by network routers and computers. These devices, as well, must be hardened and secured like the rest of your network and server infrastructure.
Now your threats
When architecting unified communications securely on your network, you'll have to consider the threats to your network. Some are the same as those to the rest of your network. Hackers, for example, will try to exploit VoIP and unified communications as a way into the rest of your network. They look at it as just another backdoor into your systems, for malicious use or theft of data. They may also use it to try and flood your network as part of a denial-of-service attack.
The strength of unified communications is that it puts all of a company's electronic traffic on the same network. Its weakness is that it puts all of a company's electronic traffic on the same network.
But unlike other network attacks, VoIP, in particular, may be a target for attackers who just want to leech off your phone service to make free phone calls or eavesdrop on confidential conversations. In the "old" days, hackers engaged in "war dialing," using automated dialers to look for the PBX or live lines to exploit in a company's phone network. Today, all they have to do is use the same port scans they conduct for hacker reconnaissance of the rest of the network to find open ports for telephone lines, which now are part of that same network.
Hackers may also try to take advantage of specific vulnerabilities in the two major protocols used in VoIP: Session Initiation Protocol (SIP) and Skinny Call Control Protocol (SCCP), the proprietary protocol used for Cisco Systems Inc.'s unified communications devices. Issues with both SIP and SCCP have included various buffer overflows and, in some cases, SQL injection attacks.
Other requirements for unified communications are encryption, access control and endpoint security. The same encryption used commonly for protecting HTTP traffic, Secure Sockets Layer (SSL), is effective for other TCP/IP traffic, like that used for unified communications. Access control is required to make sure only authorized users can use the company's unified communications system. Endpoint security ensures that communications devices like telephones, now considered endpoints like your desktops and workstations, aren't backdoors into your network.
Here are some products for midmarket companies that meet these specifications. Some players in the market are Cisco, Sipera Systems Inc. and FaceTime Communications Inc.:
The Cisco ASA 5500 Series is a security appliance for midmarket companies. It's designed to work both as a firewall and to provide additional real-time protection for voice and video coming into the network. It provides encryption of voice traffic, including through SSL and IPSec virtual private networks. It also provides access control designed specifically for SIP and SCCP, which are harder to control than other network protocols since they don't use static ports.
Richardson, Texas-based Sipera Systems also offers the IPCS series of security appliances for unified communications. In June, it announced an upgrade to its products for better integration with SIP trunk provider services. Sipera products also include a certificate provisioning proxy for access control and integration with Lightweight Directory Access Protocol directories for deployment of remote phones.
Belmont, Calif.-based FaceTime, a traditional player in the IM security market, offers its Unified Security Gateway (USG). USG acts as a traditional Web application firewall that protects against threats from Web 2.0 applications, like Facebook and other social networking sites. But, in addition, it's a lightweight appliance for filtering public IM, Skype, peer-to-peer communications, Microsoft's Office Communication Server and IBM Lotus Sametime -- all of which may be rolled up into your unified communications package with VoIP.
Before buying any of these tools, carefully evaluate your business needs to see if unified communications is right for your company. Then evaluate whether these tools are compatible with your network, architecture and infrastructure. Securing unified communications is within reach of even midmarket companies -- it just has to be part of an overall network plan.
Joel Dubin, CISSP, is a security consultant at Trustwave, a data security and compliance management firm. He is a Microsoft MVP, specializing in Web and application security, and is the author of The Little Black Book of Computer Security, Second Edition. He hosts a radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at www.theitsecurityguy.com.
This was first published in September 2008