A converged network can create security problems unheard of in the traditional, voice-only telecom world.
Traditionally, calls are sent and received over closed, circuit-switched networks. Security and performance concerns are minimal in that world. Calls rarely get dropped. Eavesdropping on a call only happens if someone has physical access to the dedicated circuit set up between the two endpoints.
But the introduction of Voice over Internet Protocol (VoIP) into a network can have dramatic consequences. Instantly, the once simple and secure voice call is broken up into thousands of far-from-secure IP packets that are sent over public and private networks and re-assembled at the other end. Along the way, the call (and, by extension, the whole network) can be hacked at various points inside and outside the company network.
Common threats and vulnerabilities of a converged network
In a converged network the threats against data remain unchanged, yet their reach is wider. For example, a denial-of-service (DOS) attack against a router can also damage phone communications.
As many VoIP protocols are open source -- notably, the Session Initiation Protocol and H.323, the two most widely used –- it's easy for hackers to get copies of them and launch attacks. While open source applications and protocols are (arguably) more secure than proprietary ones, they are not invincible.
Operating system (OS) threats come into play because a lot of call-processing software runs on Windows or on open source operating systems. Hackers attack Microsoft products every hour of the day and are increasingly turning their attention to the open source world. Viruses, worms, Trojan horses and spyware, originally intended to steal and corrupt IP data, can ruin the quality of voice and video communications, too.In a converged network the threats against data remain unchanged,
yet their reach is wider.
One of the weakest points in a converged network is the remote access connection from a home-office or road warrior's computer. The connection can become the pinprick-sized hole in the firewall that allows hackers to unleash viruses, spyware and other destructive attacks. The security consequences include data theft, privacy violations and breaches in regulatory compliance.
Protecting your converged network
Faced with the above threats and vulnerabilities, the best course of action is to develop a strong security policy that includes multiple layers of protection and covers key issues. This policy should protect the perimeter layer, the network layer, the host layer and the application/data layer. Multiple layers of protection are the best safeguard against the ingenuity and determination of hackers, and against viruses and malware.
Key issues for each layer:
- Passwords. You need a very strict policy for their usage and how often they are changed. It's good to have long passwords and to change them frequently.
- Secure access to network equipment. Access to networking equipment has to be tightly controlled. If a router or firewall is penetrated, the network will be at risk. To maximize security, you should use both the secure shell (SSH) and transport security (TLS) protocols, both of which use encryption. SSH allows data to be exchanged over a secure channel between two computers. TLS provides secure Internet communications.
- Virus protection. Viruses are an every-hour-of-the-day threat, so you need to guard against them vigorously and update virus patterns constantly.
- Operating system updates. OS intrusions happen all the time, so it's wise to keep abreast of all updates. Your security policy should ensure that all machines are updated speedily.
- Disaster recovery. It's vital to have a disaster recovery plan -- a single major network intrusion could seriously damage your business, or even bring it down.
If you follow these steps, your small or medium-sized business can enjoy all the benefits of converged network without putting your network and entire business at risk.
Herman Mehling is a freelance writer based in San Anselmo, Calif. Contact him at firstname.lastname@example.org.