Endpoints pose big risks.
With VoIP, the cliché that your network is hard and crunchy on the outside, but soft and gooey on the inside, must be thrown out the window. In the new converged network, that goo is leaking through your cracked shell.
Endpoints are where the users and devices interface with the system, and include telephones, cameras, thermostats, controllers and any other device connected to an IP-converged network. A large enterprise may have thousands of endpoints deployed--and each is a potential doorway to the network. Proper, secure authentication is essential to make sure those doorways are closed and locked to potential intruders.
For bulletproof converged networking, security must extend to each of these endpoint devices.
While vendors have tried to solve this problem--by associating a MAC address to the call manager, or requiring users to enter a PIN--many of these security precautions won't work on devices with limited computing power or memory. Currently, only a few IP telephones require authentication before use.
Remote users cause security static.
How will you secure devices in home offices and other locations outside your company's core network? Is it acceptable for remote users to connect family members to their VoIP switch? Can visitors in a public lobby or conference room use the switched port to access the network? Your company may deem these acceptable risks, but you should consider turning off the IPT-enabled port for your mobile users or disallowing traffic from that port at the next router. At the very least, during configuration, these ports should be turned on by exception only--not as the default.
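One way to keep the "on by exception only" rule honest is to audit the switch-port inventory against it rather than trusting that it was applied at build time. The script below is an added example written for this article, not code from the original page or from any switch vendor; the inventory record layout, the zone names, the `exception_id` change-ticket field and the `upstream_acl` flag are all assumptions, and the sample inventory is constructed. It flags IPT-enabled ports in lobby, conference-room and home-office zones that are administratively up without an approved exception, and ports in those zones whose traffic is not filtered at the next-hop router, which are the two controls the paragraph above recommends.

```python
"""Audit a switch-port inventory against an "on by exception only" policy
for IP-telephony ports in public and remote zones.

Added example for this article; not the page's or any vendor's code. The
record layout, zone names and field meanings are assumed, and the sample
inventory at the bottom is constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Zones where a live IPT port is reachable by people who are not staff
# (assumed names; map these to your own site/zone labels).
PUBLIC_ZONES = {"lobby", "conference", "home-office"}


@dataclass
class Port:
    switch: str
    name: str
    zone: str
    admin_up: bool
    voice_vlan: Optional[int]     # None = not an IPT-enabled port
    exception_id: Optional[str]   # change ticket approving the port being on
    upstream_acl: bool            # next-hop router drops traffic from this port


@dataclass
class Finding:
    port: str
    severity: str
    reason: str


def audit_port(p: Port) -> List[Finding]:
    """Return policy findings for one port (empty list = compliant)."""
    findings: List[Finding] = []
    label = f"{p.switch}/{p.name}"
    if p.voice_vlan is None:
        return findings           # data-only port, out of scope here
    if not p.admin_up:
        return findings           # shut down: the policy default
    if p.zone not in PUBLIC_ZONES:
        return findings           # core-network ports are outside this rule
    if p.exception_id is None:
        findings.append(Finding(
            label, "high",
            f"IPT port in zone '{p.zone}' is up with no approved exception"))
    if not p.upstream_acl:
        findings.append(Finding(
            label, "medium",
            f"port in zone '{p.zone}' is up and the next-hop router does not filter it"))
    return findings


def audit(ports: List[Port]) -> List[Finding]:
    """Audit every port in the inventory."""
    out: List[Finding] = []
    for p in ports:
        out.extend(audit_port(p))
    return out


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by severity, e.g. {'high': 1, 'medium': 2}."""
    return dict(Counter(f.severity for f in findings))


def ports_to_shut(findings: List[Finding]) -> Set[str]:
    """Ports that should be administratively shut until an exception exists."""
    return {f.port for f in findings if f.severity == "high"}


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    Port("sw1", "Gi1/0/1",  "office",      True,  200, None,       False),
    Port("sw1", "Gi1/0/12", "lobby",       True,  200, None,       False),
    Port("sw1", "Gi1/0/13", "lobby",       False, 200, None,       False),
    Port("sw2", "Gi1/0/5",  "conference",  True,  200, "CHG-1042", True),
    Port("sw3", "Gi1/0/2",  "home-office", True,  None, None,      False),
    Port("sw3", "Gi1/0/3",  "home-office", True,  200, "CHG-1050", False),
]

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity}] {f.port}: {f.reason}")
    print("summary:", summarize(results))
    print("shut now:", sorted(ports_to_shut(results)))
```

Against the constructed inventory the lobby port sw1/Gi1/0/12 produces both findings (up with no exception, and unfiltered upstream), the approved home-office port produces only the router-filter finding, and the shut lobby port, the approved conference-room port and the non-voice port are all silent. Feeding the output of `ports_to_shut` into your change process is the point: every port on that list is a doorway that is open by default rather than by decision.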
Authentication and authorization fall short.
Call managers, the processing brains of an IPT network, are used to send and receive signaling that will set up a call and, once complete, tear it down. To access the call manager, you must authenticate on the system--usually with a user name and password. But, as always, simple or static passwords that access high-value servers are easy prey for attackers. Should the call manager be compromised, the integrity of the IPT network--and, potentially, its trust with other devices on the LAN--implodes.
It should be required that administrators working on the call managers log in through an authentication, authorization and accounting system as they do with every other device on your existing data network.
Hardening requirements aren't readily understood.
Most administrators understand how and why to harden servers, but few are aware of the idiosyncrasies they must account for when hardening call managers and the other network devices introduced by IPT and, more specifically, VoIP implementations. Without total control of these key elements, you can't keep systems hardened effectively.
Obviously, the network is only as secure as its weakest link, making it critical that businesses roll out the most recent patches and virus protections. Some VoIP carriers require that administrators get new patches and antivirus updates from them instead of from the various platform vendors. But latency in carrier-released patches keeps the vulnerability window open longer for in-the-wild exploits and attackers.
Imagine a scenario in which a Trojan allows a remote user to take control of your Windows system. Microsoft will likely issue a security update quickly, but if your VoIP carrier waits as long as two days before sending you the patch, your business won't be protected until the new image is issued. Odds are your executives won't be happy when the Windows-based call manager becomes infected and you need to take it offline for remediation and re-imaging.