Unified communication (UC) is slowly becoming part of the modern organization's day-to-day operations. However, security is not usually taken into consideration when enterprises think of deploying unified communication infrastructure.
Let us first understand why we need to secure a unified communication network. Today, many organizations depend on a number of unified communication services like instant messaging, IP telephony and video conferencing. Security attacks on the UC network can result in monetary and reputational losses. They can also directly impact the organization's business continuity.
Types of threats and attacks on UC networks
The typical unified communication network can face several threats, such as toll fraud attacks, reconnaissance attacks, eavesdropping and call hijacks. In a toll fraud attack, a blackhat hacker breaks into the UC network and spoofs a PC's media access control (MAC) address to register employees' soft phones to your IPPBX (soft phones use the PC's MAC address for registration). Through this arrangement, he manages to make international calls through your UC network.
A reconnaissance attack involves call hijacking or eavesdropping on an active call. The hacker can intentionally inject code into an active voice call and make the listener hear what he wants, not what the authenticated party conveys. He can also record conversations and sell them to competitors. The hacker can even initiate denial of service attacks on your UC solution and render it completely inoperable.
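A defender can look for the toll fraud pattern described above by correlating soft phone registrations with call records. The following is an added example, not part of the original article; the log layouts, field order, sample rows and the `00` international prefix are all constructed assumptions rather than any real IPPBX format.

```python
import csv
from io import StringIO

INTL_PREFIX = "00"  # assumption: international numbers are dialled with 00

# Constructed registration log: timestamp, MAC, source IP, extension
REGISTRATIONS = """\
2024-03-04T09:01:12,00:1A:2B:3C:4D:5E,10.20.1.15,2001
2024-03-04T09:03:40,00:1a:2b:3c:4d:77,10.20.1.22,2002
2024-03-04T23:47:05,00:1a:2b:3c:4d:5e,10.20.9.130,2001
"""
# Constructed call records: timestamp, extension, source IP, dialled, seconds
CALLS = """\
2024-03-04T10:15:00,2001,10.20.1.15,00441632960001,180
2024-03-04T11:00:00,2002,10.20.1.22,2005,60
2024-03-04T23:52:10,2001,10.20.9.130,00441632960002,2400
2024-03-04T23:58:31,2001,10.20.9.130,00441632960003,3100
"""

def rows(text):
    """Parse comma-separated log text, skipping blank lines."""
    return [r for r in csv.reader(StringIO(text)) if r]

def moved_registrations(reg_text):
    """Return {(extension, ip)} where an already-seen MAC registers from a new IP.

    A new IP is a signal to review, not proof: DHCP changes also trigger it.
    """
    baseline = {}  # MAC -> first IP it registered from
    moved = set()
    for _ts, mac, ip, ext in rows(reg_text):
        mac = mac.lower()  # normalise case so spoofed copies compare equal
        if mac not in baseline:
            baseline[mac] = ip
        elif baseline[mac] != ip:
            moved.add((ext, ip))
    return moved

def toll_fraud_candidates(reg_text, call_text):
    """International calls placed from an (extension, IP) pair flagged above."""
    moved = moved_registrations(reg_text)
    return [(ts, ext, ip, dialled, int(secs))
            for ts, ext, ip, dialled, secs in rows(call_text)
            if dialled.startswith(INTL_PREFIX) and (ext, ip) in moved]
```

The daytime international call from the baseline address is not reported; only the two late calls made after the same MAC re-registered from a different address are.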
What do you secure?
Developing a UC security policy is the stepping stone to achieving complete unified communication security. Although most organizations have a security policy, unified communication is rarely considered in these policies.
Every organization needs to decide usage patterns, rights and access for users of UC technologies according to their specific requirements. Besides, the company should thoroughly understand existing gaps in security infrastructure which need to be bridged.
The typical unified communication solution comprises an IPPBX, voice mail, core network solution, conference calls, wireless mobile devices, video conferencing solutions and the contact centre. This is why UC security can be broadly divided into two categories: UC infrastructure security and UC application security. UC infrastructure security consists mainly of physical and network security. A secure network and telephony setup together secure the UC solution.
Physical security includes badged and restricted access for employees. It should also ensure that third parties or vendors are not allowed inside your data centre. Network security typically involves deployment of security for the switching layer, routing layer, peripherals and wireless networks. Firewalls and an intrusion prevention system can be used for peripheral security. Remote network security for the mobile solution can be achieved through an SSL or IPSec VPN.
The next significant step is to secure your UC application. It starts with securing the base OS. You should also check other components such as the host intrusion prevention system, internal firewalls and secured access. UC application security mainly involves ensuring the security of your voice mail application, contact centre application and meeting places.
When an organization plans to buy a UC application, it must ensure that the new platform supports encryption of signaling and media (the two essential parts of voice communications). The UC application should be able to support the IEEE encryption standard for signaling and the ITU-T standard for voice. Signaling is secured by transport layer security, while voice is secured through the secure real-time transport protocol.
Endpoint devices like cell phones and laptops are often vulnerable targets. Third-party certificate authority servers can be used to verify endpoints like IP phones. Wireless phones can use certificate-based authentication like WPA or WPA2. An organization can also use network access control solutions to check the authenticity of mobile devices trying to connect with the network. These solutions can also report the device's OS status and whether the latest patches have been applied.
When buying PDAs and smart phones, organizations should look out for inherent security features. For example, BlackBerry devices encrypt all data transmission between enterprise servers and the device. Similarly, the company can also ask for features like encryption of all data on the phone.
Interoperability between different UC components is essential to ensure smooth security, all the more so when the company uses different vendor solutions for telephony, network, switches and UC application.
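Whether a platform really encrypts both parts can be checked on a captured call setup: the SIP signaling should travel over TLS and the SDP body should offer SRTP rather than plain RTP. The following is an added example, not part of the original article; both INVITE messages are constructed, trimmed samples and the key is a placeholder.

```python
import re

# SRTP media profiles: SDES-keyed (a=crypto) and DTLS-keyed (a=fingerprint)
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
KEYING = r"(?m)^a=(crypto|fingerprint):"

# Constructed sample: TLS signaling, SRTP audio
SECURE_INVITE = """\
INVITE sips:bob@example.com SIP/2.0
Via: SIP/2.0/TLS pc33.example.com;branch=z9hG4bKconstructed1
Content-Type: application/sdp

v=0
c=IN IP4 192.0.2.10
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY
"""
# Constructed sample: cleartext signaling and media
PLAIN_INVITE = """\
INVITE sip:bob@example.com SIP/2.0
Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bKconstructed2
Content-Type: application/sdp

v=0
c=IN IP4 192.0.2.10
m=audio 49170 RTP/AVP 0
"""

def audit_invite(message):
    """Return findings; an empty list means TLS signaling and keyed SRTP media."""
    head, _, sdp = message.replace("\r\n", "\n").partition("\n\n")
    findings = []
    # Signaling: the request URI should be sips: and every Via hop should be TLS.
    if not head.split("\n")[0].split()[1].lower().startswith("sips:"):
        findings.append("request URI is not sips:")
    for transport in re.findall(r"(?im)^Via:\s*SIP/2\.0/(\w+)", head):
        if transport.upper() != "TLS":
            findings.append(f"Via hop uses {transport.upper()}, not TLS")
    # Media: each m= section needs an SRTP profile plus keying material.
    sections = re.split(r"(?m)^(?=m=)", sdp)
    session_keyed = bool(re.search(KEYING, sections[0]))
    for section in sections[1:]:
        media, _port, proto = section.split("\n", 1)[0][2:].split()[:3]
        if proto not in SECURE_PROFILES:
            findings.append(f"{media} offered as {proto} (unencrypted RTP)")
        elif not (session_keyed or re.search(KEYING, section)):
            findings.append(f"{media} offers {proto} without a=crypto or a=fingerprint")
    return findings
```

An SRTP profile with no keying attribute is reported separately, because such an offer names the secure profile without supplying what is needed to encrypt the media.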
The cost factor
Security is a balance between risks and costs. UC security can be divided into low, medium and high levels based on the specific vertical's nature and requirements.
Schools and colleges can opt for low security levels, whereas the typical enterprise can go for medium-level security. Banking and financial institutions can opt for higher security levels.
Enterprises must remember that there is no single solution or silver bullet to achieve unified communication security. Hence, it should be revised on a regular basis.
About the author: Akhil Behl is a network consulting engineer with Cisco Systems India Pvt Ltd.
(As told to Dhwani Pandya.)