One of the major challenges in implementing a converged
network is having a coherent security policy for the management and
control of a system that is carrying voice, video and
data.
Standards such as BS7799, the British Standard for information
security management, and its international counterpart, ISO 27001,
provide a useful checklist. BS7799 is a mature standard, having
first been published in 1995, and it has recently had its third
major revision. However, it is virtually useless without practical,
prior knowledge of implementing network security.
Companies providing security management software include Cisco,
3Com, Avaya, Mitel, Siemens, Nortel and Microsoft, among
others.
The challenge in securing a network that will allow businesses
to collaborate is what led a group of IT security heads to form the
Jericho Forum user group. This international circle of IT users and
suppliers is focused on the development of open standards to enable
secure and boundaryless information flows across organisations.
At Dresdner Kleinwort Bank in London - one of the Jericho
Forum's members - the demand for converged networks is driven by
cost reduction. Andrew Yeomans, the bank's vice-president for
global information security, said, "Voice over IP services such as
Skype offer obvious cost savings relative to mobile phone bills,
particularly with respect to international roaming costs."
Once people start making free calls, the tariff structure for
mobile phones will change. Yeomans predicted that over the next
couple of years many telcos will move to a flat-rate charging
structure. "There are some security issues and because we are a
financial services provider, we have compliance regulations. One
particular requirement is that all voice communication transactions
by traders have to be recorded," he said.
"With normal VoIP communications, once you have set up the call,
the communication is on a peer-to-peer link and there is no central
service handling it. That means that you have to fiddle around with
it to get the voice logging to take place.
"On the business continuity side, if everything is going onto
the same network, we need some sort of back-up because, at the
moment, if the data network goes down, you can still rely on the
voice network, or vice versa."
Yeomans said mobile networks provide a certain element of
business continuity. "We build in dual-redundancy in our networks."
In the case of a disaster where a move to another site is required,
it is quite difficult to cable up a new analogue voice network, but
with a data network it is quite feasible to redirect all the calls
over IP, Yeomans said.
However, wireless networking implies many security issues.
Clearly the signals can be eavesdropped and jammed, Yeomans said.
At Dresdner Kleinwort, there is some wireless networking but it is
not used as part of its main converged network.
The bank moved to a single London office housing about 3,000
people, so has not had to face the same types of security problems
as some of the larger financial services providers that run out of
a number of offices.
As a result, Dresdner Kleinwort can switch the voice and
multimedia services over fibre lines.
One problem of moving over entirely to a converged network is
interoperability: the secure protocols available for converged
network technology are proprietary rather than open, and the open
protocols that do exist are not secure.
For its internal network, Dresdner Kleinwort has gone for a
Cisco proprietary set-up because it meets the needs of the
business. The network can also expand to allow more business
communications to come in from outside, providing VoIP over the
internet rather than over the telephone network.
It is a challenge to design for security and interoperability.
Yeomans said, "If you try to use a converged network over an
existing one, you may come up against quality of service
problems.
"You do not want your voice link to drop out if you are doing a
large file transfer, for example. You have to find ways to
segregate the traffic and to control the quality of the traffic at
the network level."
But locking down the converged network to maintain high security
is not always practical. Chris Whitwood, network manager at
University College Falmouth, said, "We have been running a
converged network for a number of years, and this has introduced
some security nightmares."
The college began implementing voice across the network more
than three years ago and started testing a year before that, so it
was well versed in the kind of problems it could face.
"The first thing we did was to completely isolate the voice
virtual Lan from the data virtual Lan, and to ensure that all our
telephony devices were on the internal network only and could not
be reached from the outside," said Whitwood.
The same applied to its call manager system. However, he
realised the college would need to make the call manager visible
from the outside, albeit in a protected manner.
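The voice/data segregation Whitwood describes, together with the network-level traffic control Yeomans mentions, as an added Cisco IOS example; it is not the college's or the bank's own configuration, and the VLAN numbers, addresses, interface names and ACL names are assumed placeholders.

```cisco
! Added example, not taken from any organisation named in the article.
! Assumed: voice VLAN 100 = 10.100.0.0/16 (call manager inside it),
! data VLAN 200 = 10.200.0.0/16, WAN uplink Serial0/0.
vlan 100
 name VOICE
vlan 200
 name DATA
!
! Access port: PC on the data VLAN, IP phone on the tagged voice VLAN
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 200
 switchport voice vlan 100
 mls qos trust device cisco-phone
 spanning-tree portfast
!
! Voice VLAN may only talk to itself; anything else is dropped and logged
ip access-list extended VOICE-VLAN-IN
 permit ip 10.100.0.0 0.0.255.255 10.100.0.0 0.0.255.255
 deny ip any any log
interface Vlan100
 ip address 10.100.0.1 255.255.0.0
 ip access-group VOICE-VLAN-IN in
!
! Data VLAN hosts cannot reach phones or the call manager directly
ip access-list extended DATA-VLAN-IN
 deny ip any 10.100.0.0 0.0.255.255 log
 permit ip any any
interface Vlan200
 ip address 10.200.0.1 255.255.0.0
 ip access-group DATA-VLAN-IN in
!
! WAN QoS: RTP (DSCP EF) gets a strict priority queue, signalling a
! guaranteed share, so a large file transfer cannot starve a call
class-map match-any VOICE-RTP
 match dscp ef
class-map match-any VOICE-SIGNALLING
 match dscp cs3
policy-map WAN-OUT
 class VOICE-RTP
  priority percent 20
 class VOICE-SIGNALLING
  bandwidth percent 5
 class class-default
  fair-queue
interface Serial0/0
 service-policy output WAN-OUT
```

Home users who reach the call manager through the VPN concentrator would need an explicit permit for the VPN address pool in VOICE-VLAN-IN, since return traffic to that pool is otherwise denied; that rule is deliberately left out here.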
"Users were requesting the ability to change their speed dials,
call forwarding, and so on, when they were working from home. That
meant setting up the virtual private network connections so that
users could connect into the call managers through Cisco's Unified
Personal Communicator software running on PCs," Whitwood said.
The college chose a proprietary converged network with Cisco,
complete with security technology. "Being a Cisco proprietary
solutions house gives us security and confidence, particularly when
using a VPN concentrator," he said. "There are alternatives, but we
took the view that if we do have security issues, there is only one
supplier to go back to. Although cost is an issue, our primary
concern is service."
Although Whitwood configured the network to support the
college's own converged applications, it is clear that IT managers
must also support applications that may not necessarily be part of
corporate IT, such as Skype.
One of the problems with Skype, according to Dave Neild, network
development service leader at the University of Leeds, is super
node activity. If there is sufficient bandwidth available on a
network, Skype may promote an unwitting user client to a super
node, and that allows other traffic to go via the super node.
"Because we have quite a large number of overseas students, we
do know that Skype is a popular application, so we would not wish
to stop its use, but we may want to stop super node activity," said
Neild.
Leeds is one of the largest universities in the UK. Of its
32,000 students, 7,000 live in 18 network-connected halls of
residence on and off campus. The halls link via 100Mbps leased
lines to Leeds' main campus network, which is based on Cisco
Gigabit systems. The university previously relied exclusively on
firewalls and anti-virus programs that were distributed to
students.
But students did not install the anti-virus software, enabling
worms and viruses to sneak into the network. System technicians
would manually cleanse the systems and update their anti-virus
software, a laborious and expensive process.
Bandwidth consumption was also a problem. Some students were
downloading films and music illegally via file-sharing
applications, prompting film companies to forward legal notices to
the university that its students were breaking the law.
To tackle these issues, it selected TippingPoint to protect
routers, switches, VoIP systems and other infrastructure components
from targeted attacks.
Neild said, "TippingPoint systems control traffic by blocking or
throttling unwanted file sharing." He pointed out that the product
also stopped the attacks and all but eliminated the file downloads
without affecting network performance.
"We can even monitor students who try to use VPNs for their
downloads," he said. "By blocking peer-to-peer file sharing, the
university stopped the notices it was receiving from copyright holders.
Administrators no longer have to bother with shutting down
students' network ports to prevent improper downloads or contain
viruses and worms to the residence halls.
"Moreover, by blocking illegal student downloads, the
TippingPoint solution reduced bandwidth usage, in effect doubling
the amount of bandwidth available to students for legitimate
academic pursuits," said Neild.
What is clear is that converged network security needs to address
voice and data alike, including whether the data being transferred is
copyrighted. Scott Nursten, founder of S2S, a security specialist and
Cisco silver partner, believes that with more voice and video on the
network, there will be more opportunities for industrial espionage
and for leakage of confidential information.
"We are on the brink of seeing the next wave of attacks because
people are not even looking at the risk of convergence," he
said.
Many suppliers are bundling everything into one device on the
edge of the network, which serves as a wide area network router,
firewall, VPN termination point and voice router. However, as
Nursten pointed out, it is quite easy to deploy these systems in
the wrong way but still have them work.
➔ www.opengroup.org/jericho
➔ www.17799.com
➔ www.bsi-global.com/ICT/Security