In many companies, the worlds of data networking and telecommunications have converged, and voice and video traffic travels with other enterprise data on the same network. Known synonymously as Voice over IP (VoIP), IP telephony (IPT) and unified communications (UC), hackers are increasingly seeing these systems as new avenues of attack. Even more alarming is that the majority of enterprises don’t think to protect their UC deployments because they’re unaware of the inherent risks associated with telepresence, videoconferencing and other UC technologies. In turn, these deployments dramatically enlarge the attack surface of their network.
It’s critical to understand that most of the threats to the VoIP network are not against the UC devices (i.e., call management servers, voicemail servers or interactive voice response [IVR] systems) themselves. Instead, attackers use the VoIP network as an entryway into the data network so they can gain privileged access to the real moneymaking data -- such as account numbers, credit card information and other private data. UC attackers know from experience these networks are less secure than traditional perimeter ingress, such as the public Internet, that are protected with controls such as stateful firewalls and intrusion prevention systems (IPS).
Deploying unified communications requires new thinking and a new approach to security. By considering unified communications security upfront, security professionals can help their company make smoother, less costly transitions to unified communications. In recent research, Forrester recommends the following six-step process to help IT organizations avoid VoIP security risks and ultimately secure their UC systems:
Step 1: Develop a UC security implementation guide
This guide should include specific actions regarding how to securely deploy the components in your system, as well as guidelines for configuring the current network and its existing security controls. It should clarify:
- How you will isolate data network traffic from VoIP traffic;
- How you will use firewalls and IPSes to uplift security;
- A plan to protect the UC network against eavesdropping attacks;
- How IT plans to split up various duties between security and infrastructure teams.
Step 2: Develop a UC security policy
Companies must set enforceable policies about both the operation and the maintenance of UC systems from a security perspective. Generally, you can evolve these policies from your UC security implementation guide. As UC security is in its infancy, it will be years before there is general availability of third-party best practices or policy documentation.
Step 3: Create a UC security architecture
The majority of today’s network designs don’t adequately define security controls around the UC system. Therefore, it’s important to work with IT infrastructure counterparts to expand and design your network architecture from the inside out. Create a new architecture that defines preventive measures against known attacks. For example, placing an IPS in front of mission-critical UC subsystems such as call management, IVR and voicemail servers has the potential to stop the most common UC attacks. Or, aim to prevent infrastructure attacks by properly configuring servers for UC protection, making sure your server is configured to not lease addresses to unknown MAC addresses and to analyze information from non-authoritative servers. In addition, you can best mitigate eavesdropping attacks by enabling encryption of the media transport using SRTP and by adding transport layer security (TLS) for signaling protocols such as SIP. Remember, all voice and video traffic on converged networks is easy to intercept and eavesdrop if the traffic is not encrypted on the internal network.
Step 4: Leverage existing security controls
Many companies have existing security controls they can use to uplift the security of the UC network. However, because UC security is a new discipline for many organizations, few are aware of the controls they already have that can be used to protect vital UC components.
Step 5: Do a post implementation VoIP penetration test
Consider engaging a professional services firm to perform a penetration test against your fully implemented UC system. This will help to determine if the security and policy decisions made during the deployment are effective. These types of tests look at the UC network from an attacker’s perspective, using the latest tools to attempt to bypass controls and gain privileged access to the network.
Step 6: Add controls to mitigate risks discovered by penetration testing
Once the UC penetration test is complete, you will have objective, actionable data with which to judge whether your deployed UC solution is adequately secure. If the results conclude there are unacceptable risks in the existing deployment, you can choose to add additional controls based on current risk appetites.
This was first published in September 2011