FEATURE: Sidestepping the 'gotchas' of securing voice & data apps
With the latest headlines talking about Google's entrance into the IM/computer chat environment, eBay buying Skype for its VoIP customer base, and corporate telephone networks migrating to VoIP at a rapid pace, security experts are in a heated debate: Is VoIP secure enough for the corporate enterprise?

There are several ways to prevent your voice transmissions over LAN and WAN from being intercepted. But how do you sidestep the inevitable 'gotchas'? The biggest 'gotchas' of securing voice applications come from not utilizing the proper encryption techniques, not separating the voice environment through VLANs, and trying to implement or change too many features of our environment at once, resulting in too much complexity. Before you can successfully migrate to VoIP or IP Telephony, you must identify and mitigate these issues.

Encryption techniques - are they enough?

Gartner predicts that 90 percent of all new corporate telephone networks will be IP-enabled by 2008. Enabling strong security will certainly be an issue. Traditional security measures such as authentication, authorization and IPsec aren’t intended to secure and/or manage SIP-based communications in real time.

SIP is a text-based protocol, much like HTTP or SMTP, that can initiate sessions in IP networks. The great thing about SIP is that it enables integration of basic IP telephony services with Web, email, and chat services. In short, SIP promises to deliver audio/videoconferencing, interactive gaming, voice-enriched e-commerce, Web page click-to-dial and instant messaging with buddy lists via IP networks.

With demand for these types of innovative services on the rise, new technologies like SIP firewalls, appliances that protect companies from a variety of communication exploits, are coming into the market to address IP’s distinct security requirements. Is it enough?
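Because SIP is text-based, a SIP-aware filter can check the structure of a request before it reaches a phone or call server. The sketch below is an added example, not code from SOS or from any SIP firewall product: the function name, the MAX_LINE limit and the sample messages are assumptions, while the required-header list follows RFC 3261.

```python
# Added example: structural checks a SIP-aware filter can apply to a request.
# Required headers follow RFC 3261 section 8.1.1; MAX_LINE is an assumed limit.
REQUIRED = ("via", "to", "from", "call-id", "cseq", "max-forwards")
COMPACT = {"v": "via", "t": "to", "f": "from", "i": "call-id", "l": "content-length"}
METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}
MAX_LINE = 1024

def check_sip_request(raw: bytes) -> list:
    """Return a list of findings; an empty list means the request looks well-formed."""
    findings = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no blank line terminating the headers"]
    lines = head.decode("utf-8", errors="replace").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in METHODS or parts[2] != "SIP/2.0":
        findings.append("malformed request line")
    headers = {}
    for line in lines[1:]:
        if line.startswith((" ", "\t")):
            continue  # folded continuation of the previous header
        if len(line) > MAX_LINE:
            findings.append("oversized header line")
        name, colon, value = line.partition(":")
        if not colon:
            findings.append("header line without a colon")
            continue
        key = name.strip().lower()
        headers.setdefault(COMPACT.get(key, key), value.strip())
    findings += ["missing required header: " + h for h in REQUIRED if h not in headers]
    length = headers.get("content-length")
    if length is not None and not length.isdecimal():
        findings.append("non-numeric Content-Length")
    elif length is not None and int(length) != len(body):
        findings.append("Content-Length does not match body size")
    cseq = headers.get("cseq", "").split()
    if cseq and (len(cseq) != 2 or not cseq[0].isdecimal() or cseq[1] != parts[0]):
        findings.append("CSeq does not match request method")
    return findings

GOOD = (b"INVITE sip:bob@example.com SIP/2.0\r\n"  # constructed sample, not captured traffic
        b"Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds\r\n"
        b"Max-Forwards: 70\r\n"
        b"To: <sip:bob@example.com>\r\n"
        b"From: <sip:alice@example.com>;tag=1928301774\r\n"
        b"Call-ID: a84b4c76e66710@pc33.example.com\r\n"
        b"CSeq: 314159 INVITE\r\n"
        b"Content-Length: 5\r\n\r\nv=0\r\n")
BAD = GOOD.replace(b"Content-Length: 5", b"Content-Length: 9999")
```

A filter like this drops or logs any request with a non-empty findings list; it complements, and does not replace, encryption and VLAN separation.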
Multiple Layers of Security Supply the Missing Link

Many experts believe that, in addition to implementing a SIP firewall, packetized voice should be encrypted with an IPsec-compliant VPN (Virtual Private Network) as the packets move from one location to another, and that separate VLANs should be used to manage QoS. Bottom line: securing voice applications in the enterprise requires layers of security.

Older VPN software didn’t allow Quality of Service (QoS) markings to be exposed. Pushing voice through an encrypted VPN can, in some cases, degrade quality of service to the point of being unacceptable. You can avoid this problem by using new routers with hardware encryption. With IPsec running properly, it is actually harder not to encrypt voice packets, as long as you have unlimited bandwidth. When encryption is done in hardware, there is virtually no performance penalty for encrypting voice. But remember, packets do use bandwidth and cause latency issues.

Another strategy to secure voice is to harden the voice environment by separating the VLANs (Virtual LANs). Deploying VoIP devices on separate VLANs utilizes QoS resources and allows dividing data traffic from voice and signaling traffic. Because you can set up VLANs for different types of voice and data traffic and devices, some believe that VLANs provide increased security, precious time for your troubleshooters to address voice quality issues, and flexibility to set QoS markings in the packet, not the VLAN.

Let’s face it, it is necessary to have security measures in place whether you implement VoIP or not. The attacks we’ve experienced on our data network environment can be expected to occur in our converged environment. It is only a matter of time. So, is the talk about DoS (Denial of Service) attacks on VoIP really just vendors dishing out FUD (fear, uncertainty and doubt)? You decide. [Please take our poll on this topic in this month's newsletter!]
The Latest Advisories
CERT (The Computer Emergency Response Team) has issued advisories on security flaws in two VoIP protocols: H.323 and SIP.

Session Initiation Protocol (SIP): Primarily used in VoIP, SIP facilitates communication for instant messaging and various other applications. See CERT Vulnerability Note at http://www.kb.cert.org/vuls/id/528719

H.323: An international standard protocol, H.323 is used to facilitate communication among telephony and multimedia systems. See CERT Vulnerability Note at http://www.kb.cert.org/vuls/id/749342

Those vulnerabilities can lead to denial-of-service attacks and the ability to execute arbitrary code on the affected devices. However, proper security design for voice and data will mitigate the possibility of attacks. Because IP phone systems do not sit on the public internet on the DMZ, potential threats can be recognized by a host-based security agent. Securing the voice environment needs to mirror the multi-layered data security environment, complete with firewalls, intrusion detection systems, security agents, and separate VLANs.
Taking action

SOS can provide you with ongoing voice and data network maintenance and management, including security checks. Call us today on 916-632-8800 to request an estimate.

Unlike business VoIP vendors or small networking companies, SOS is the only advanced communications solution provider with products and services based on a proven methodology and over a decade of customer success. To keep your network performing at its best, we develop a Managed Services Plan or Support & Managed Services and pair you with a designated member of our full-time staff of converged communications experts. From regularly scheduled maintenance to recommendations for cost reductions, we'll look ahead for ways to maximize your uptime and productivity, to include Backup/Restore testing, file maintenance, anti-virus updates, network performance analysis, and security checks. Each support plan is customized to maximize your return on investment.

Subscribe to Convergence to get more articles like this!

We have more insightful articles and case studies lined up for future issues. To ensure you receive them, please subscribe now to Convergence by visiting www.team-sos.com and entering your email address in the box on the home page.
Convergence comes every few weeks from SOS, the leading provider of integrated advanced communications solutions for mid-sized and small businesses. Content includes mini-case studies in business VoIP, articles on hot topics in voice and data convergence, best practices checklists, and more. Subscribe now by visiting www.team-sos.com – thank you!
Published by
Gia McNutt
Copyright © 2005 Special Order Systems Inc. (SOS). All rights reserved.
SOS is the leading provider of integrated advanced communications solutions for midsize and small businesses. We supply voice, data, and telephony management services that enable organizations to simplify communications, enhance productivity, and leverage real-time business intelligence. Visit us at www.team-sos.com or call 916.632.8800.