Many in the small and medium-sized business (SMB/SME) community are merging their voice and data networks to cut telephony costs and boost productivity through the introduction of new applications. But how secure are converged networks, and how can you go about making their security strong, but simple to implement?
In most traditional enterprise organisations, data networks and telephone or voice networks are separate entities, managed by different groups and not interconnected.
However, the adoption of voice over internet protocol (VoIP) and IP-enabled telephony has changed the landscape. In place of separate networks a new, converged network model has emerged, where voice and data share a single network infrastructure and a common network-layer protocol. This new converged network, adopted by an increasing number of your peers, can lower management costs and provide additional functionality. But it also demands a new security model.
That sounds complex, but adoption can be simplified by good planning. You need to plan for the design and development of converged networks in not only their architecture, but also their culture. That means reviewing and revising the organisation's existing security policies to ensure that convergence is addressed. For example, what does using VoIP mean for your firewalls?
Many companies have not properly addressed the growth of converged networks and the use of VoIP. What you need to do is go beyond security 'silos', where the IT security group focuses on data security and the telecoms group concentrates on telephone security. Converged security requires a converged security policy and a converged security group to protect against the new and existing threats posed by converged networks. For example, voice traffic on converged networks is packet switched and vulnerable to software packages used by attackers to intercept and decode voice conversations.
There are three key features to a secure converged network: the ability to control access; the ability of the network to offer protection to the devices and applications in use; and the incorporation of a dynamic response architecture.
When it comes to controlling access, the critical features for a converged network are the authentication or detection of all people and devices attached to the network, the authorisation of the attached devices, and the policy association once authentication and authorisation occur.
While protocols such as 802.1X are appropriate for access control for PCs with human users, the converged network will let machines such as cameras, IP phones and new collaboration or multimedia devices access the same network. In many cases, these devices are unable to use the traditional authentication model of presenting a credential and identity to the system. Accommodating these technologies requires a new set of authentication techniques.
The second critical element of a secure converged network is the ability to proactively protect the devices and applications in use. Because VoIP is a well-defined application with clearly understood protocols and traffic levels, the communications system must define protective mechanisms that prevent exploitation of VoIP devices and applications by disallowing protocols that have no relevance to the VoIP systems.
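The restriction described above, sketched as an added example that is not part of the original article: flow records from a voice segment are checked against an allowlist of VoIP-relevant protocols and a per-flow rate ceiling. The port ranges, rate ceilings and sample addresses are assumptions made for the illustration.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str        # device address on the voice segment
    proto: str      # "udp" or "tcp"
    dst_port: int
    kbps: float     # observed rate for this flow

# Assumed policy for this illustration; take real values from your
# VoIP supplier's documentation.
ALLOWED = [
    ("udp", 5060, 5060, "sip"),     # SIP signalling
    ("tcp", 5060, 5061, "sip"),     # SIP over TCP/TLS
    ("udp", 16384, 32767, "rtp"),   # assumed media port range
    ("udp", 53, 53, "dns"),
    ("udp", 67, 67, "dhcp"),
    ("udp", 123, 123, "ntp"),
]
MAX_KBPS = {"rtp": 128.0, "sip": 64.0}  # assumed per-flow ceilings

def classify(flow):
    """Return the allowed service name for a flow, or None."""
    for proto, lo, hi, name in ALLOWED:
        if flow.proto == proto and lo <= flow.dst_port <= hi:
            return name
    return None

def audit_voice_flows(flows):
    """Return (src, reason) findings for flows that break policy."""
    findings = []
    for f in flows:
        service = classify(f)
        if service is None:
            findings.append((f.src, f"irrelevant protocol {f.proto}/{f.dst_port}"))
        elif f.kbps > MAX_KBPS.get(service, float("inf")):
            findings.append((f.src, f"{service} rate {f.kbps:g} kbps over limit"))
    return findings

# Constructed sample flows (not real traffic).
SAMPLE = [
    Flow("10.20.0.11", "udp", 5060, 2.0),     # normal signalling
    Flow("10.20.0.11", "udp", 20000, 87.0),   # normal voice stream
    Flow("10.20.0.12", "tcp", 445, 300.0),    # file sharing: not VoIP
    Flow("10.20.0.13", "udp", 20002, 900.0),  # media port, abnormal rate
]

if __name__ == "__main__":
    for src, reason in audit_voice_flows(SAMPLE):
        print(src, reason)
```

The same allowlist can be enforced as switch or firewall rules on the voice segment, with this kind of audit used to confirm that nothing else is getting through.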
Identify the threat
The last element of a secure converged network should be the incorporation of a dynamic response architecture. When something unpredicted occurs in the network that can affect the reliability or integrity of the converged systems, the network can identify the threat, locate its point of origin and dynamically isolate, remove or control the threat in real time. This prevents an adverse impact on the system.
Tim Nelson, market manager, BT's ICT & Broadband Portfolio, believes a converged network should be no more vulnerable than a data network. "You face the same basic threats you already address for a data network if your business is to be secure. You should be assessing vulnerability, creating security policy, implementing things such as anti-virus, firewalls, and URL filtering, but managing it and monitoring it 24 hours a day."
Craig Pollard, head of security products and services at Siemens Communications' specialist security division, Insight Consulting, suggests that converged networks require a good network design guarded by appropriate levels of encryption and intrusion prevention, allied to extensive network usage policies to protect their network against misuse.
"When running voice and data across a network, it is important to remember that voice applications may be running on standard based platforms, such as Windows. It is crucial organisations wanting to migrate to converged networks have a robust patching policy to cover anti-virus tools, other applications and operating systems."
Converged network security checklist for an SMB/SME
- Plan ahead
- Rethink your corporate security policies
- Consider creating a converged network security group
- Use encryption and intrusion detection
- Ensure your suppliers' platforms have a strong security story
This was first published in February 2006