How to keep your VoIP net safe

One of the major challenges in implementing a converged network is having a coherent security policy for the management and control of a system that is carrying voice, video and data.

Standards such as BS7799, the British Standard for information security management, and its international counterpart, ISO 27001, provide a useful checklist. BS7799 is a mature standard, having first been published in 1995, and it has recently had its third major revision. However, it is virtually useless without practical, prior knowledge of implementing network security.

Companies providing security management software include Cisco, 3Com, Avaya, Mitel, Siemens, Nortel and Microsoft, among others.

The challenge in securing a network that will allow businesses to collaborate is what led a group of IT security heads to form the Jericho Forum user group. This international circle of IT users and suppliers is focused on the development of open standards to enable secure and boundaryless information flows across organisations.

At Dresdner Kleinwort Bank in London - one of the Jericho Forum's members - the demand for converged networks is driven by cost reduction. Andrew Yeomans, the bank's vice-president for global information security, said, "Voice over IP services such as Skype offer obvious cost savings relative to mobile phone bills, particularly with respect to international roaming costs."

Once people start making free calls, the tariff structure for mobile phones will change. Yeomans predicted that over the next couple of years many telcos will move to a flat-rate charging structure. "There are some security issues and because we are a financial services provider, we have compliance regulations. One particular requirement is that all voice communication transactions by traders have to be recorded," he said.

"With normal VoIP communications, once you have set up the call, the communication is on a peer-to-peer link and there is no central service handling it. That means that you have to fiddle around with it to get the voice logging to take place.

"On the business continuity side, if everything is going onto the same network, we need some sort of back-up because, at the moment, if the data network goes down, you can still rely on the voice network, or vice versa."

Yeomans said mobile networks provide a certain element of business continuity. "We build in dual-redundancy in our networks." In the case of a disaster where a move to another site is required, it is quite difficult to cable up a new analogue voice network, but with a data network it is quite feasible to redirect all the calls over IP, Yeomans said.

However, wireless networking implies many security issues. Clearly the signals can be eavesdropped and jammed, Yeomans said. At Dresdner Kleinwort, there is some wireless networking but it is not used as part of its main converged network.

The bank moved to a single London office housing about 3,000 people, so has not had to face the same types of security problems as some of the larger financial services providers that run out of a number of offices.

As a result, Dresdner Kleinwort can switch the voice and multimedia services over fibre lines.

One problem of moving over entirely to a converged network is interoperability - whereas there are secure protocols available for convergent network technology, they are not open, and there are open protocols that are not secure.

For its internal network, Dresdner Kleinwort has gone for a Cisco proprietary set-up because it meets the needs of the business. The network can also expand to allow more business communications to come in from outside, providing VoIP over the internet rather than over the telephone network.

It is a challenge to design for security and interoperability. Yeomans said, "If you try to use a converged network over an existing one, you may come up against quality of service problems.

"You do not want your voice link to drop out if you are doing a large file transfer, for example. You have to find ways to segregate the traffic and to control the quality of the traffic at the network level."

But locking down the converged network to maintain high security is not always practical. Chris Whitwood, network manager at University College Falmouth, said, "We have been running a converged network for a number of years, and this has introduced some security nightmares."

The college began implementing voice across the network more than three years ago and started testing a year before that, so it was well versed in the kind of problems it could face.

"The first thing we did was to completely isolate the voice virtual Lan from the data virtual Lan, and to ensure that all our telephony devices were on the internal network only and could not be reached from the outside," said Whitwood.

The same applied to its call manager system. However, he realised the college would need to make the call manager visible from the outside, albeit in a protected manner.

"Users were requesting the ability to change their speed dials, call forwarding, and so on, when they were working from home. That meant setting up the virtual private network connections so that users could connect into the call managers through Cisco's Unified Personal Communicator software running on PCs," Whitwood said.

The college chose a proprietary converged network with Cisco, complete with security technology. "Being a Cisco proprietary solutions house gives us security and confidence, particularly when using a VPN concentrator," he said. "There are alternatives, but we took the view that if we do have security issues, there is only one supplier to go back to. Although cost is an issue, our primary concern is service."

Although Whitwood configured the network to support the college's own converged applications, it is clear that IT managers must also support applications that may not necessarily be part of corporate IT, such as Skype.

One of the problems with Skype, according to Dave Neild, network development service leader at the University of Leeds, is super node activity. If there is sufficient bandwidth available on a network, Skype may promote an unwitting user client to a super node, and that allows other traffic to go via the super node.

"Because we have quite a large number of overseas students, we do know that Skype is a popular application, so we would not wish to stop its use, but we may want to stop super node activity," said Neild.
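One way to spot the relay behaviour Neild describes, as an added example that is not from the article or any vendor: a heuristic over connection records that flags internal hosts accepting sizeable inbound traffic from many distinct external peers, while leaving ordinary outbound calls alone. The address space, thresholds and the sample flows are all assumptions constructed for illustration.

```python
"""Flag internal hosts whose traffic looks like a relay ("super node").

Heuristic assumption: a client promoted to a super node accepts connections
from many unrelated external peers and moves a lot of traffic for them; an
ordinary client talks only to the few peers it contacted itself. A port scan
also touches a host from many sources, so a volume threshold is applied too.
"""
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_PREFIX = "10."  # assumed hall-of-residence address space


@dataclass(frozen=True)
class Flow:
    src: str        # host that opened the connection
    dst: str        # host that accepted it
    src_bytes: int  # bytes sent by src
    dst_bytes: int  # bytes sent back by dst


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def inbound_stats(flows):
    """Per internal host: distinct external initiators and total bytes
    exchanged on the connections those externals opened."""
    stats = defaultdict(lambda: {"peers": set(), "bytes": 0})
    for f in flows:
        if is_internal(f.dst) and not is_internal(f.src):
            stats[f.dst]["peers"].add(f.src)
            stats[f.dst]["bytes"] += f.src_bytes + f.dst_bytes
    return stats


def supernode_candidates(flows, min_peers=10, min_mbytes=50):
    """Internal hosts accepting connections from >= min_peers distinct
    external addresses and moving >= min_mbytes MB over them."""
    hits = []
    for host, s in inbound_stats(flows).items():
        if len(s["peers"]) >= min_peers and s["bytes"] >= min_mbytes * 1_000_000:
            hits.append(host)
    return sorted(hits)


# Constructed sample: 10.0.5.7 browses and makes one outbound call, 10.0.8.2
# is being probed (many peers, tiny volume), 10.0.9.3 relays for 25 peers.
SAMPLE_FLOWS = (
    [Flow("10.0.5.7", "198.51.100.10", 12_000, 900_000),
     Flow("10.0.5.7", "203.0.113.44", 6_000_000, 5_800_000)]
    + [Flow(f"192.0.2.{i}", "10.0.8.2", 60, 40) for i in range(1, 40)]
    + [Flow(f"203.0.113.{i}", "10.0.9.3", 4_000_000, 3_500_000) for i in range(1, 26)]
)

if __name__ == "__main__":
    print(supernode_candidates(SAMPLE_FLOWS))  # ['10.0.9.3']
```

Only the relaying host is flagged; the probed host has many peers but negligible volume, and the caller never appears because it initiated its connections.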

Leeds is one of the largest universities in the UK. Of its 32,000 students, 7,000 live in 18 network-connected halls of residence on and off campus. The halls link via 100Mbps leased lines to Leeds' main campus network, which is based on Cisco Gigabit systems. The university previously relied exclusively on firewalls and anti-virus programs that were distributed to students.

But students did not install the anti-virus software, enabling worms and viruses to sneak into the network. System technicians would manually cleanse the systems and update their anti-virus software, a laborious and expensive process.

Bandwidth consumption was also a problem. Some students were downloading films and music illegally via file-sharing applications, prompting film companies to forward legal notices to the university that its students were breaking the law.

To tackle these issues, it selected TippingPoint to protect routers, switches, VoIP systems and other infrastructure components from targeted attacks.

Neild said, "TippingPoint systems control traffic by blocking or throttling unwanted file sharing." He pointed out that the product also stopped the attacks and all but eliminated the file downloads without affecting network performance.

"We can even monitor students who try to use VPNs for their downloads," he said. "By blocking peer-to-peer file sharing, the university stopped notices it receives from copyright holders. Administrators no longer have to bother with shutting down students' network ports to prevent improper downloads or contain viruses and worms to the residence halls.

"Moreover, by blocking illegal student downloads, the TippingPoint solution reduced bandwidth usage, in effect doubling the amount of bandwidth available to students for legitimate academic pursuits," said Neild.

What is clear is that converged network security needs to cover both voice and data, including whether the data being carried is copyrighted. Scott Nursten, founder of S2S, a security specialist and Cisco silver partner, believes that with more voice and video on the network, there will be more opportunities for industrial espionage and for leakage of confidential information.

"We are on the brink of seeing the next wave of attacks because people are not even looking at the risk of convergence," he said.

Many suppliers are bundling everything into one device on the edge of the network, which serves as a wide area network router, firewall, VPN termination point and voice router. However, as Nursten pointed out, it is quite easy to deploy these systems in the wrong way but still have them work.