One of the inevitable trends of the Information Age is the progressive convergence of network services. It’s dangerous but unstoppable. Over the last two decades many people have asked me if networks will proliferate or combine. The answer is simple. As they say in Highlander, “there can only be one”. That’s because of the leverage of network effects, which deliver increasing power to any network that enables collaborative operations.
So I’ve been keeping a watchful eye on the slow but relenting progress of IP convergence. It hasn’t had the sensational press coverage I anticipated but it presents major challenges. And by all accounts we’re not prepared. You’d think that after the experience of the security risks we’ve experienced from the introduction of wireless networks that the vendor community would be making a major effort to develop secure protocols and architectures. Not so.
The risks are creeping up on organisations. VOIP experimentation is only the start. It strikes me that this technology drives a coach and horses through firewall policies, introduces software developed with insufficient attention to vulnerability management (when did you last patch your phone?), exposes corporate networks to a new raft of potential access points, and creates a single point exposure of epic proportions. But I don’t see a lot of vendor or corporate action to develop new security architectures to meet the challenge.
Am I being paranoid? Or just plain realistic? Time will tell. In the meantime, guidance on what to do is thin but slowly emerging. The latest paper on the subject, which has just come to my attention through the excellent FIRST Newsroom, is a SANS paper. An excellent overview of many of the issues, but we need a lot more guidance on this subject.