Risks With Unified Communication


7/30/2019 Risks With Unified Communication

UC Security Best Practices

September 25, 2008

Abstract

Unified Communications (UC) offers the promise of facilitating an enterprise's drive for business agility through the deployment of a cost effective communications and collaboration platform spanning its remotely located and mobile employees, its supply chain, its partner ecosystem and its customers. Using a nontechnical approach, we take the Business Decision Maker (BDM) through best practices for securing multimedia UC.

The key to securing the UC solution requires considering voice, data, and video communications as a system, and implementing a multi-layered, uniformly applied defense construct for the system infrastructure, call management, applications, and endpoints. The solution should be layered, with multiple controls and protections at multiple network levels. This defense in depth approach minimizes the possibility that a single point of failure could compromise overall security. If a primary security layer is breached, other defensive barriers are available to deter the attack. Such an approach has been considered best practice for data security since the first days of the Internet.

The bottom line is that confidentiality, integrity, and availability of critical multimedia resources must be ensured while maintaining the UC solution's performance. Security features should be transparent to the user, standards based, simple to administer and cost effective. There is no one size fits all. Companies should examine UC security from a business perspective by defining goals, policies, and patterns of usage at the get go across all applications: data, VoIP, Instant Messaging (IM) and presence, Web and audio/video conferencing. Security policies for all media streams need to be aligned and properly balanced against business risks. We will follow this theme throughout the discussion.

UC Security Best Practices

1. Introduction

Business agility has become the mantra for 21st Century success in an increasingly global economy, and UC is a leading technology supporting its attainment by enabling organizations to embed communications and collaboration into business processes. Individual productivity gains, while showing improved performance without impact on process outcomes, are still unlikely to improve competitive positioning or the delivery of products and services. Contextual collaboration, on the other hand, across customers, employees, suppliers, the channel and among strategic partners will accelerate innovation, time to market, information driven decision making, and create the cost efficiencies that define sought after best in class business agility.

Companies of all sizes are adopting unified communications and the collaboration capabilities it fosters to boost productivity and innovation, increase mobility and enhance flexibility.

Upon interviewing 315 network and telecommunications decision makers at European enterprises, Forrester [1] finds that enterprise implementation of VoIP in Europe is firmly entering the mass adoption phase. Most enterprises (76%) are going down the IP PBX route, either installing the equipment on their own premises or contracting a managed service from a hosting center. UC is firmly on the agenda: 35% of firms say UC is a priority, and 18% have implemented some element of UC.

In that same context, a Dimension Data [2] sponsored survey of 390 IT managers and 524 end users across 13 countries in the United States, Asia Pacific and Europe, Middle East and Africa found that most organizations have already invested in infrastructure technologies, with 37% of companies currently using IP telephony, followed by 36% using a video conferencing infrastructure. Although mobile VoIP is not widely used, an investment is on corporate agendas in the next two years. The findings show that organizations view click to dial on desktops (52%) and presence (42%) as maturing technologies that will be routinely used in the corporate environment within two years. Moreover, the United States leads the way in IP telephony adoption (60%), with Middle East and Africa having the lowest penetration at 13%.

AMI Partners [3] reports that small and medium businesses (SMBs) are gravitating towards UC without even realizing it. Based on its survey of 1500 companies, AMI finds that SMBs have a strategic interest in business continuity, enhanced connectivity, collaboration, mobility, and standardized IT infrastructure, which are all foundational elements of a comprehensive UC portfolio.

[1] The State Of Enterprise VoIP And Unified Communications Adoption In Europe: 2007, December 6, 2007, http://www.forrester.com/Research/Document/Excerpt/0,7211,43073,00.html.
[2] Unified Communications Adoption Outpaces Expectations, August 20, 2007, http://www.dimensiondata.com/NR/rdonlyres/CD1D2A1041FF412C932CCAE4D964A7A9/7615/UNIFIEDCOMMUNICATIONSADOPTIONOUTPACESEXPECTATIONS1.pdf.
[3] Driving Unified Communications & Collaboration in the SMB Market: the Business Focused Web 2.0, October 2007, http://www.amipartners.com/ami/sections/Studies/UC_telecom_report_TOC.pdf.

Clearly, within the context of UC driven, communications enabled business processes, converged voice and data IP networks are being entrusted to carry the essential functions of conducting business to and from the remote worker, the supply chain and the partner ecosystem. And in doing so these networks must be secured in a manner that:

• Complies with all applicable laws and regulations;
• Prevents leaks of customer records;
• Protects intellectual property and proprietary information; and
• Preserves corporate brands and reputations.

Yet according to an In-Stat survey of IT professionals at 299 US businesses about their security plans for VoIP technology, "No mechanisms for securing VoIP had more than 50% penetration across all sizes of business," says Victoria Fodale [4], In-Stat analyst.

Our purpose here is to set out, in nontechnical terms, best practices for securing UC.

The key to securing UC requires considering voice, data, and video communications as a system and implementing a multi-layered, uniformly applied defense construct for the system infrastructure, call management, applications, and endpoints. The solution should be layered, with multiple controls and protections at multiple network levels. This minimizes the possibility that a single point of failure could compromise overall security. If a primary security layer is breached, other defensive barriers are available to deter the attack.

Now a UC network is complex, consisting as it does of a wide range of components and applications such as telephone handsets, conferencing units, mobile units, call managers, gateways, presence servers, routers, servers, firewalls, specialized protocols and application linkages. The good news is that VoIP, IM, and video are all applications running on an IP network, and all of the security technologies and policies that companies have deployed for their data networks can be tuned to emulate the security level currently enjoyed by Public Switched Telephone Network (PSTN) users of Plain Old Telephone Service (POTS). In many cases, even if a concerted effort to deploy data network security has not been implemented, the technology likely already exists in your network if you have modern switches, routers and security appliances. In fact, taking a network centric approach will lead to improved manageability and deployment through reduced complexity and more efficient troubleshooting, which all lead to lower total cost of ownership.

The bottom line is that the confidentiality, integrity, and availability of critical multimedia resources must be ensured while maintaining the UC solution's performance. Security features should be transparent to the user, standards based, simple to administer and cost effective. There is no one size fits all. Companies should examine UC security from a business perspective by defining goals, policies, and patterns of usage at the get go across all applications: data, VoIP, IM and presence, Web and audio/video conferencing. Security policies for all media streams need to be aligned and properly balanced against business risks. We will follow this theme throughout the discussion.

[4] US Businesses Lag In Securing VoIP, In-Stat Press Release, March 24, 2008, http://www.instat.com/press.asp?ID=2271&sku=IN0804266CT.

2. UC Security Best Practice Recommendations

Below we will take the BDM through a nontechnical discussion of best practices for securing UC, with emphasis on VoIP. Key security related terms will be aggregated for later reference in a glossary at the end of the white paper.

2.1 Getting Started: Plan the Work and Work the Plan

A UC security strategy should be developed in the formalized context of enterprise risk management. Enterprise risk management is:

• A process, ongoing and flowing through an enterprise;
• Affected by people at every level of an organization;
• Applied in a strategy setting;
• Applied across the enterprise, at every level and unit, and includes taking an enterprise wide portfolio view of risk;
• Designed to identify potential events that, if they occur, will adversely affect the enterprise, and the associated risk managed within the enterprise's risk appetite;
• Able to provide reasonable assurance to enterprise management and board of directors; and
• Geared to achievement of objectives in one or more separate but overlapping categories.

This is a collaborative, cross organizational team effort requiring participation from many players representing the networking, security, telecom, legal and business sides of your organization. It's also appropriate at the start of any UC project to involve your service provider's security representatives and possibly a security consultant. In particular, ask your carrier how they can help you mitigate Distributed Denial of Service (DDoS) and botnet attacks.

The team's first project step is to establish strategic objectives that are aligned with and support the enterprise's mission, support compliance with applicable laws and regulations, and reflect management's appetite for risk. In carrying out its mission the team must be charged with effective use of resources, development and deployment of reliable reporting, ongoing monitoring and those security system optimization processes that will allow the enterprise to migrate over time to richer security implementations.

Performance of a security assessment comes next. Assessments identify security gaps so they can be managed effectively. From the security perspective everybody is under threat, but by varying degrees. Invite your project team to a brainstorming session. Begin by posing questions such as:

• What kind of information are we holding?
• What would happen if somebody got a hold of that information?
• What kind of legal and regulatory environments are we dealing with?
• Whose presence status and location must be protected?
• What would happen if there was a UC system outage?
• How visible a target do we consider ourselves to be?

Once you've drawn up a comprehensive list of threats, move on to assess: the interdependencies between the threats, the feasibility of each of the threats, the quantitative impact of each threat, and finally a prioritization of mitigation actions for each of the potential threats. You must feel confident that you can acceptably manage and mitigate the risks to your corporate information, system operations, and continuity of essential operations when deploying UC technology.

Attacks on UC systems can be broadly categorized into the following five types: (1) Confidentiality (or privacy), which includes call eavesdropping, call recording and voicemail tampering; (2) Integrity (or authenticity), which includes registration hijacking, caller ID spoofing, and sound insertion; (3) Availability, which includes denial of service attacks, buffer overflow attacks, and malware; (4) Theft, which includes toll fraud (service theft) and data theft through masquerading data as voice and data network crossover attacks; and (5) Voice Spam, known as SPIT, which includes unsolicited calling, unified mailbox stuffing, and Vishing (voice phishing).

Categorization of VoIP Threats

Threat Type                 | Examples                                                                      | Impact
Confidentiality             | Eavesdropping; Call Recording; Voicemail tampering                            | Leakage of sensitive or confidential information; Compromised corporate assets; Identity theft; Blackmail
Integrity (or Authenticity) | Registration hijacking; Caller ID spoofing; Sound Insertion                   | Disruption and Chaos; Identity theft
Availability                | Denial of Service; Buffer overflow attacks; Worms & Viruses                   | Service Outages with impact on revenue and brand image; Extortion; Lost productivity
Theft                       | Service theft: Toll fraud; Data Theft: Masquerading data as voice, Data network crossover attacks | Excessive subscriber phone bills; Lost carrier revenues; Loss of trade secrets, confidential data, etc.; Industrial espionage
SPIT                        | Unsolicited Calling; Mailbox stuffing; Vishing                                | Reduced productivity and co-opting of system resources; Identity theft; Financial loss

Confidentiality refers to the enterprise's need to keep the non-public customer/client/partner data that it possesses both secure and private. Regulatory compliance raises the stakes significantly in the quest for effective UC security. Examples of confidentiality threats are: call eavesdropping, call recording and voicemail tampering.

Measures such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), European Basel II and the Gramm-Leach-Bliley Act (GLB) pose a range of potential legal and financial liabilities [5]. In addition, any findings of noncompliance or failure to comply with the required disclosure of security breaches can yield adverse publicity and the loss of business and brand value. To demonstrate full compliance with the security mandates your business must not only prevent malicious attacks from outside the organization, but also take necessary and prudent measures to protect against internal risks.

Integrity of information means that information remains unaltered by unauthorized users. That is, information cannot be changed in transit or at rest without being detected, and malicious or unwanted data can be blocked, filtered, or otherwise kept away from both servers and users. Integrity threats include any event in which system functions or data may be corrupted, either accidentally or as a result of malicious actions. Misuse may involve legitimate users (i.e. insiders performing unauthorized operations) or intruders. Authentication provides a mechanism to verify that a user or client is legitimate and has clearance for a given level of access. This is normally accomplished through the use of strong passwords that are centrally administered. Also, at the user level, company employees should be trained and assessed against high risk security behavior. Malicious integrity (or authenticity) threats take the form of registration hijacking, caller ID spoofing, and sound insertion.

Availability refers to the principle that data and services are available for use when needed. Availability is a critical part of overall security planning. Attacks exploiting vulnerabilities in the call management software or protocols may lead to deterioration or even denial of the service or functionality of the call server. In addition, special consideration should be given to E911 emergency services communications, because E911 automatic location service is not available with VoIP in some cases (for example Microsoft Office Communications Server 2007).

[5] Other legislation and regulations include: E911 laws in 17 states, security breach laws in more than 34 states, Federal Information Security Management Act (FISMA), Federal Financial Institutions Examination Council (FFIEC), Supervisory Control and Data Acquisition (SCADA), Payment Card Industry Data Security Standard (PCI DSS) and the Committee of Sponsoring Organizations (COSO) Enterprise Risk Management Framework.

2.2 Take a Multi-layered Approach to Protecting Your Network Infrastructure

Securing the network perimeter, though absolutely necessary, is no longer sufficient. The growing internal threat, an increasingly mobile workforce, more critical servers being placed on the network, and more attacks coming in on common ports have exploited flaws in the traditional firewall centric security solution. A more mature and enlightened market is evolving towards the notion of layered security solutions. The core network layer protection includes an application aware firewall and Intrusion Detection/Prevention Systems. Protection around the communications layer involves VoIP encryption. Perimeter security, as applied to UC solutions, implies that the voice network be segregated wherever possible, so that unwanted traffic between the voice and data networks is constrained. Endpoint security must include mechanisms to control access to the devices. Password control policies must be enforced so that passwords are changed regularly and strong passwords are always used.

2.2.1 Segregate Voice and Data Traffic on Separate VLANs

A basic technique for voice security is to assign voice and data to logically separate networks (Virtual LANs or VLANs) due to their different Quality of Service [6] (QoS) and security requirements. In addition, traffic sent over the voice VLAN is not visible to insiders or outsiders connected to data VLANs, and data traffic cannot cross over to the voice VLAN. LAN Ethernet switches should be equipped with 802.1p prioritization so they can identify and prioritize traffic based on VLAN tags and support multiple queues. VLAN tagging ensures that data traffic from PC softphones takes a separate VLAN from voice traffic. Voice traffic is very delay sensitive and must be prioritized over data on these VLANs so that it gets through even during a network attack.

Establishing separate departmental voice VLANs will deter toll fraud by preventing employees from trying to use another department's VLAN for toll calls to avoid increasing their own phone bills. It's also good practice to segregate the management traffic on its own VLAN, together with host authentication, to minimize the likelihood of unwanted access to the call control servers.

When creating the VLAN, be sure to place its equipment behind separate firewalls. This practice will restrict traffic crossing VLAN boundaries and prevent viruses and other kinds of malware from spreading from clients to servers. When looking for firewall technology, be sure to examine products that support both leading standards: Session Initiation Protocol (SIP) and the International Telecommunication Union's H.323 protocol.

In conjunction with VLANs, companies can set up voice Access Control Lists (ACLs) for departments, workgroups, and individuals. Access control lists are an important part of the toolset a network administrator has at his/her disposal to monitor and control access into a VoIP network. ACLs on the networking layer can be used to prevent inbound data packets used in DoS attacks from entering the voice VLAN. ACLs are also instrumental in defending against eavesdropping and call interception by preventing voice traffic from crossing over to an untrusted portion of the network.

[6] See Critical Success Factors in Design and Performance Management of UC Networks, March 2008, http://www.ucstrategies.com/UC_Networks.aspx. An in depth discussion is provided of VoIP's requirements for both QoS, which concerns measurement of the treatment of the packets traversing a network, including utilization, response time, latency (delays), delay variation, packet loss, jitter and availability, and application performance management, with its focus on the unique VoIP Quality of Experience (QoE) requirements associated with differing business scenarios.

2.2.2 Authentication and Security Features such as IEEE 802.1x and Access Control Lists are not enough

It is important to understand that use of authentication and security features such as IEEE 802.1x and access control lists, while an integral part of an organization's threat defense policies, cannot prevent data link layer attacks such as "Man in the middle" attacks using Gratuitous Address Resolution Protocol (GARP) and Dynamic Host Configuration Protocol (DHCP) server spoofing. These attacks exploit normal protocol processing such as a switch's ability to learn Media Access Control (MAC) addresses, end station MAC address resolution via ARP, or DHCP server IP address assignments.

DHCP server spoofing is prevented by defining trusted ports, which can send DHCP requests and acknowledgements, and untrusted ports, which can forward only DHCP requests. The Cisco Catalyst switch, for example, assumes that trusted ports are those that connect to either the DHCP server itself, or switched ports, such as uplinks, that in turn connect the switch to the rest of the network. This thwarts malicious users acting as a network DHCP server and sending out incorrect addresses under the pretense of being the default gateway, and intercepting data traffic. In addition, by intercepting all DHCP messages within the VLAN, the switch can act much like a small security firewall between users and the DHCP server, building a binding table containing client IP address, client MAC address, port, and VLAN number.

Before an endpoint can talk to another endpoint it must make an ARP request to map the IP address to the MAC address. The most effective way for an attacker to eavesdrop on a connection is to spoof the default gateway by sending a gratuitous ARP reply containing the IP address of the default gateway to other devices on the LAN. The gratuitous ARP packet causes the devices to overwrite the old entry with the new one, effectively making the attacker the new default gateway for those devices. The attacker can use IP forwarding to relay the traffic between the devices and the default gateway without the other devices being aware of what is happening.

GARP attacks can be prevented through Dynamic ARP Inspection (DAI), which helps to ensure that the access switch relays only "valid" ARP requests and responses. DAI inspects all ARPs and compares them to the DHCP binding table. If an ARP does not match the binding table, the port is shut down.
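The DHCP snooping and DAI behaviour just described can be followed in a small simulation. The following Python code is an added example and is not code from the white paper or from any switch vendor; the port names, MAC and IP addresses and the DHCP/ARP events are constructed for illustration, and the model simplifies real switches (for instance, the gateway's own ARP traffic is assumed to arrive over the trusted uplink rather than through a static ARP ACL).

```python
"""Model of DHCP snooping plus Dynamic ARP Inspection on an access switch.
Added example; port names, addresses and events are constructed."""
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    trusted_ports: set                              # uplinks / ports facing the real DHCP server
    pending: dict = field(default_factory=dict)     # client MAC -> access port that sent DISCOVER/REQUEST
    bindings: dict = field(default_factory=dict)    # (vlan, client IP) -> (client MAC, port)
    shut_ports: set = field(default_factory=set)    # ports shut down by DAI
    log: list = field(default_factory=list)

    def on_dhcp(self, port, vlan, msg, client_mac, client_ip=None):
        """DHCP snooping: untrusted ports may only forward client requests;
        server replies (OFFER/ACK) are honoured only when they arrive on a trusted port."""
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[client_mac] = port          # remember which access port the client sits on
            return True
        if port not in self.trusted_ports:
            self.log.append(f"DROP rogue DHCP {msg} on untrusted port {port}")
            return False
        if msg == "ACK":
            client_port = self.pending.get(client_mac)
            self.bindings[(vlan, client_ip)] = (client_mac, client_port)
            self.log.append(f"BIND vlan {vlan} {client_ip} -> {client_mac} on {client_port}")
        return True

    def on_arp(self, port, vlan, sender_ip, sender_mac):
        """DAI: an ARP seen on an untrusted port must match the binding table
        (same IP, MAC and port); otherwise the frame is dropped and the port shut down."""
        if port in self.trusted_ports:
            return True                               # gateway and servers answer over trusted uplinks
        if port in self.shut_ports:
            return False
        bound = self.bindings.get((vlan, sender_ip))
        if bound != (sender_mac, port):
            self.shut_ports.add(port)
            self.log.append(f"SHUTDOWN {port}: ARP says {sender_ip} is at {sender_mac}, binding is {bound}")
            return False
        return True


def demo():
    """Constructed scenario: one legitimate phone, one rogue host on a user port."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})
    phone_mac, phone_ip = "00:11:22:33:44:01", "10.0.10.11"
    sw.on_dhcp("Fa0/1", 10, "REQUEST", phone_mac)            # phone asks for a lease
    sw.on_dhcp("Gi0/24", 10, "ACK", phone_mac, phone_ip)     # real server answers via the uplink
    # a host on user port Fa0/2 pretends to be a DHCP server: dropped by snooping
    rogue = sw.on_dhcp("Fa0/2", 10, "OFFER", "00:11:22:33:44:02", "10.0.10.50")
    # the phone's own ARP reply matches its binding and is relayed
    ok = sw.on_arp("Fa0/1", 10, phone_ip, phone_mac)
    # gratuitous ARP from Fa0/2 claiming the gateway address 10.0.10.1: port shut down
    bad = sw.on_arp("Fa0/2", 10, "10.0.10.1", "00:11:22:33:44:02")
    return rogue, ok, bad, sw


if __name__ == "__main__":
    for line in demo()[3].log:
        print(line)
```

Running the script prints the binding, the dropped rogue OFFER and the shutdown of Fa0/2; the point of the two table lookups is that the switch only ever trusts what it learned from a DHCP ACK on a trusted port, so neither a rogue server nor a spoofed ARP reply from a user port can change who the endpoints believe the gateway is.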

The increasing trend towards the use of softphone clients poses a problem for architectures that rely purely on VLAN separation and access control lists. In these deployments the voice capable devices are not only on the phone VLAN but also on the data VLAN, since the soft clients are applications that operate on a user's desktop. With the increased adoption of unified communications applications such as presence and instant messaging this trend is likely to grow. The impact of the soft client is that it becomes difficult to distinguish between a genuine desktop that has a legitimate voice soft client and a rogue device. Access control lists are stateless and can only filter IP addresses and ports. IP voice protocols, such as SIP, negotiate the port to be used in a voice call from a wide range of ports (16384 to 32767 for audio). Access control lists must open up this entire range, as it is impossible for the access control list to predict which ports will be used, resulting in a range of exposed ports that attackers can use for reconnaissance. To mitigate this threat, a new generation of proxy devices, often integrated with unified communications aware firewalls, is providing services for secure VLAN traversal for soft clients. Often enforcing device authentication to protect the call control infrastructure from rogue endpoints and then manipulating the signaling to force the media through a trusted device in the network, these proxy services can enable enterprises to build securely upon their existing VLAN and ACL based architectures. The Cisco Adaptive Security Appliance 5500 Series (ASA), for example, has been enhanced to support this functionality.
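The limitation discussed above (and the ACL use described in section 2.2.1) can be made concrete by comparing a stateless ACL with a call-aware check that opens a media port only for the duration of a negotiated call, which is what the proxy devices described here do. The following Python code is an added example, not the white paper's or any product's code; the voice VLAN addresses, the call manager subnet 10.0.20.0/24, the ACL rules and the sample packets are constructed assumptions.

```python
"""Stateless voice-VLAN ACL versus a call-aware pinhole check.
Added example; addresses, rules and packets are constructed."""
from dataclasses import dataclass

RTP_LOW, RTP_HIGH = 16384, 32767      # audio port range quoted in section 2.2.2
SIP_PORT = 5060
CALL_MANAGER_PREFIX = "10.0.20."      # assumed call manager subnet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Stateless ACL entries: (action, protocol, source prefix, destination port range).
# The RTP rule has to open the whole range because the ACL cannot know which port
# a given call will negotiate.
VOICE_ACL = [
    ("permit", "udp", CALL_MANAGER_PREFIX, (SIP_PORT, SIP_PORT)),
    ("permit", "udp", "", (RTP_LOW, RTP_HIGH)),
    ("deny", "any", "", (0, 65535)),
]


def stateless_acl(pkt, acl=VOICE_ACL):
    """First matching entry wins; implicit deny if nothing matches."""
    for action, proto, src_prefix, (lo, hi) in acl:
        if proto not in ("any", pkt.proto):
            continue
        if not pkt.src.startswith(src_prefix):
            continue
        if lo <= pkt.dport <= hi:
            return action == "permit"
    return False


class CallAwarePinholes:
    """Media ports are opened per call after signaling negotiated them and
    closed again when the call ends. One shared port per call keeps the model small."""

    def __init__(self):
        self.open = set()                 # (src, dst, dport) tuples currently allowed

    def call_setup(self, a, b, port):
        if not RTP_LOW <= port <= RTP_HIGH:
            raise ValueError("negotiated media port outside the RTP range")
        self.open.add((a, b, port))
        self.open.add((b, a, port))

    def call_end(self, a, b, port):
        self.open.discard((a, b, port))
        self.open.discard((b, a, port))

    def allow(self, pkt):
        # signaling from the call manager is always allowed; media only through a pinhole
        if pkt.proto == "udp" and pkt.dport == SIP_PORT and pkt.src.startswith(CALL_MANAGER_PREFIX):
            return True
        return (pkt.src, pkt.dst, pkt.dport) in self.open


def demo():
    """Constructed traffic: legitimate media, a probe from the data VLAN, an SSH attempt."""
    phone, peer, data_host = "10.0.10.11", "10.0.10.12", "10.0.30.77"
    rtp = Packet(peer, phone, "udp", 20000)          # negotiated media stream
    probe = Packet(data_host, phone, "udp", 20000)   # data-VLAN host hitting the open range
    ssh = Packet(data_host, phone, "tcp", 22)
    fw = CallAwarePinholes()
    fw.call_setup(phone, peer, 20000)
    results = {
        "acl_rtp": stateless_acl(rtp),
        "acl_probe": stateless_acl(probe),     # passes: the ACL had to open the whole range
        "acl_ssh": stateless_acl(ssh),
        "fw_rtp": fw.allow(rtp),
        "fw_probe": fw.allow(probe),           # blocked: no call negotiated this flow
    }
    fw.call_end(phone, peer, 20000)
    results["fw_after_call"] = fw.allow(rtp)   # blocked once the call is over
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'permit' if verdict else 'deny'}")
```

The stateless ACL still stops the SSH attempt, which is the DoS and cross-over filtering the white paper credits ACLs with; what it cannot do is tell the probe apart from real media inside the 16384 to 32767 range, and that is exactly the gap the signaling-aware proxy closes.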

2.2.3 Protect the Application Platform with Secure Management Best Practices

Protect the integrity of management systems. Segregate management traffic on its own VLAN.

Use a multilevel administration permissions construct. Organizations must define administrators' roles and restrict the functions they can use. Read only privileges are assigned to most administrators, reserving read write privileges for a few trusted individuals.

Validate administrators and their permissions prior to allowing them management access to voice applications. Require administrators to log in at a physical interface different from the call processing interface, and one that is not accessible to most people. Administrators are allowed access to the management interface only after being authenticated and authorized for the task. Centrally administered strong passwords are needed here.

Encrypt management traffic to prevent interception or eavesdropping. Use IP Security (IPsec) or Secure Shell (SSH) for all remote management and auditing access. If practical, avoid using remote management at all and perform IP PBX access from a physically secure system.

Maintain detailed audit trails by logging security alerts, errors, traffic monitoring, etc. With system event logging, administrators are aware of and able to quickly respond to issues that could compromise network integrity or user security.
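The management access controls above (a separate management interface, multi-level roles, authentication before authorization, and an audit trail) can be expressed as a single policy check. The following Python code is an added example and not the white paper's or any vendor's code; the interface name mgmt0, the role names and the administrator accounts are constructed assumptions, and the credential_ok flag stands in for the result of central authentication.

```python
"""Management-plane authorization with role separation and an audit trail.
Added example; interface name, roles and accounts are constructed."""
from dataclasses import dataclass, field

# Two-tier permissions as the text recommends: most administrators read only,
# a few trusted ones read write. Role and action names are assumptions.
ROLE_PERMISSIONS = {
    "readonly": {"view_config", "view_logs"},
    "readwrite": {"view_config", "view_logs", "change_config", "add_user"},
}
MGMT_INTERFACE = "mgmt0"          # assumed dedicated management interface
CALL_INTERFACE = "voice0"         # assumed call processing interface


@dataclass
class Admin:
    name: str
    role: str
    credential_ok: bool           # outcome of central (strong password) authentication


@dataclass
class ManagementGateway:
    audit: list = field(default_factory=list)

    def _decide(self, admin, action, interface):
        # Order matters: reject the wrong interface before even looking at credentials,
        # so the call processing interface never becomes a management path.
        if interface != MGMT_INTERFACE:
            return "DENY wrong interface"
        if not admin.credential_ok:
            return "DENY authentication failed"
        if action not in ROLE_PERMISSIONS.get(admin.role, set()):
            return "DENY not permitted for role"
        return "ALLOW"

    def authorize(self, admin, action, interface):
        """Every decision, allowed or denied, is written to the audit trail."""
        verdict = self._decide(admin, action, interface)
        self.audit.append(f"{admin.name} {action} via {interface}: {verdict}")
        return verdict == "ALLOW"


def demo():
    """Constructed accounts exercising each branch of the policy."""
    gw = ManagementGateway()
    alice = Admin("alice", "readwrite", credential_ok=True)
    bob = Admin("bob", "readonly", credential_ok=True)
    mallory = Admin("mallory", "readwrite", credential_ok=False)
    results = {
        "alice_change_mgmt": gw.authorize(alice, "change_config", MGMT_INTERFACE),
        "alice_change_callif": gw.authorize(alice, "change_config", CALL_INTERFACE),
        "bob_view": gw.authorize(bob, "view_logs", MGMT_INTERFACE),
        "bob_change": gw.authorize(bob, "change_config", MGMT_INTERFACE),
        "mallory_change": gw.authorize(mallory, "change_config", MGMT_INTERFACE),
    }
    return results, gw.audit


if __name__ == "__main__":
    _, audit = demo()
    print("\n".join(audit))
```

Keeping the interface check first means a correctly credentialed, read-write administrator is still refused on the call processing interface, and the audit list records the refusal, which is the kind of event the logging paragraph says administrators should be able to react to.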

Harden operating systems. Once UC security is established you must be ever vigilant to deploy only those features in your UC products that are consistent with your UC security policy. Workstations, servers, and desktop IP phones typically arrive from the vendor installed with a multitude of development tools and utilities, which, although beneficial to the new user, also provide potential back door access to an organization's systems. Therefore, remove all nonessential tools, utilities, and other systems administration options, any of which could be used to ease a hacker's path to your systems. This action enforces the policy that only authorized people can access and change information pertaining to the UC system. Then ensure that: (1) all appropriate security features are activated and configured correctly, and (2) patch management systems routinely pass out anti-X software and operating system updates.

2.2.4 Virtual Private Networks (VPNs) Provide a Secure Pathway for Communication with Remote Workers

VPNs have a built in encryption feature that enables secure connectivity with branch offices and business partners that are unreachable by private networks. Even road warriors can log into the VPN from their PCs. VPNs create logical tunnels between two endpoints that allow for data to be securely transmitted between the nodes. An encrypted VPN tunnel provides network, data, and addressing privacy by scrambling data so that only the designated parties understand it. This secures the identities of both the endpoints and protects the VoIP traffic flowing across different network components on the corporate LAN as if it were on a private network. Voice and video enabled VPN technology, available in many routers and security appliances, encrypts voice as well as data traffic using IPsec or AES. Encryption is performed in hardware so that firewall performance is not affected.

The IPsec ESP (Encapsulating Security Payload protocol) tunnel is a specific kind of VPN used to traverse the Internet in a private manner. IPsec is the standard encryption suite for the Internet Protocol and will be fully supported in IPv6. In ESP Tunnel Mode, IPsec protects both the data and the identities of the endpoints. While providing strong security, IPsec does require significant effort to support dedicated clients on each machine authorized to connect remotely to the network. For this reason, it has become increasingly common for IPsec to be used to protect voice traffic between enterprise sites as part of a site to site VPN, while SSL has become more common for remote access VPN requirements. In addition, with IPsec, making structural changes, adding new locations, or connecting with additional networks involves a fair amount of configuration work, as each router must be configured to understand all the other routers in the network. This can be a significant maintenance headache if there are many locations involved. As a result of this administrative burden, some vendors have adapted IPsec VPN architectures to enable remote sites to dynamically query and build new site to site connections without requiring each site to be preconfigured with a list of all the other potential peers in the network. This scalability and manageability enhancement also allows enterprises to build a more flexible encryption architecture. In addition, moving from hub and spoke topologies to more direct, spoke to spoke designs provides a more suitable platform for voice services with minimized latency and jitter.

SSL (Secure Socket Layer) tunnel VPNs, once viewed as a complement to the IPsec VPN, have evolved as a direct competitor as they provide simplified deployment for remote access VPN. As originally conceived, this type of SSL VPN allowed a user to use a typical Web browser to securely access multiple network services through a tunnel that is running under SSL. The SSL VPN is, today, the most appropriate application layer VPN technology. SSL VPNs provide clientless access on a per application basis that enables the granular security needed to support business productivity by restricting application access to only those with a true need for access. Moreover, starting with a browser session, WAN managers/administrators may offer access choices ranging from completely portable clientless connections, through thin client managed sessions with downloadable security features and application specific services, to full network connectivity (including routing) that emulates traditional tunnel VPNs, such as IPsec. The browser can be eliminated through the use of a manually installed client, while maintaining connectivity benefits. Additional SSL, User Datagram Protocol (UDP), and IPsec tunnels, acting as network layer VPNs, can be opened dynamically, as needed, to improve QoS for performance sensitive applications, such as VoIP.

VPN is not the only option for providing confidentiality to IP voice streams. Access Edge gateways can encrypt Session Initiation Protocol (SIP) call signaling traffic to protect against eavesdropping and support server authentication for remote users and federated [7] sites. This is typically achieved through Transport Layer Security (TLS) encryption for signaling messages and the Secure Real-time Transport Protocol (SRTP) for protecting the voice media. Access Edge gateways and voice aware firewalls can also perform filtering tasks, such as blocking traffic from untrusted addresses.

More likely than not, enterprises will be federating across different vendors' UC environments in order to leverage UC enabled business process productivity enhancements across their supply chain, hopefully with well thought out security solutions. If not done well, sensitive information sent over the public Internet will make an easy target for the ever growing hacker threat. The sidebar overviews Cisco's Adaptive Security Appliance (ASA) 5500 Series features which support secure federated presence.

[7] Trusted remote OCS sites (called "federated" sites) that connect over the Internet have access edge servers in their perimeter networks to enable secure call control and voice and video transmission across an organization's firewall.

Sidebar: Cisco UC Perimeter Security Services

The Cisco ASA 5500 Series Adaptive Security Appliance is a high performance, multifunction security appliance family delivering converged firewall with application layer and protocol aware inspection services, IPS, network anti-X and URL filtering, SSL/IPsec VPN services, encrypted traffic inspection, presence federation and both remote worker hard phone and mobile phone proxy services. The ASA is a key component of the Cisco Self Defending Network. Among its differentiating features are:

• ASA provides security and inspection capability for Cisco applications (Presence, Unity, MeetingPlace) and third party applications like Microsoft OCS. Any Cisco UC communications encrypted with SRTP/TLS can be inspected by Cisco ASA 5500 Adaptive Security Appliances:
  o Maintains integrity and confidentiality of the call while enforcing security policy through advanced SIP/SCCP firewall services
  o TLS signaling is terminated and inspected, then re-encrypted for connection to the destination (leveraging integrated hardware encryption services for scalable performance)
  o A dynamic port is opened for the SRTP encrypted media stream, and automatically closed when the call ends
• ASA enables inter enterprise presence communications between Cisco and Microsoft presence servers and endpoints
• ASA phone proxy is a teleworker solution that terminates SRTP/TLS encrypted remote endpoints, offering the benefit of secure remote access without the need for a router at the remote worker's site. Within the enterprise, the ASA phone proxy can be used for voice/data VLAN traversal in the following manner:
  o All communication originating from soft clients must be proxied
  o Soft client communication is restricted to a specific VLAN on the ASA
  o Cisco ASA performs inspection on traffic and opens the media port dynamically for soft clients
• As a mobility proxy, the ASA terminates TLS signaling from Cisco Unified Mobile Communicator to the Cisco Unified Mobility server and enforces security policies. The ASA is a mandatory component of Cisco's mobility architecture and replaces Cisco Mobility Proxy.


2.2.5 Firewalls and Intrusion Detection/Prevention Systems

VoIP-ready firewalls are essential components in the VoIP network and should be used along with state-of-the-art intrusion detection and prevention systems.

Firewalls work by blocking traffic deemed to be invasive, intrusive, or just plain malicious from flowing through them. They provide a central location for deploying security policies, and when properly deployed ensure that no traffic can enter or exit the LAN without first being filtered by the firewall. An advanced firewall with stateful packet filtering keeps track of the state of network connections (such as Transmission Control Protocol (TCP) streams and UDP communication travelling across it). The firewall is programmed to distinguish between legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected. Stateful filtering can grant or deny network access based on time of day, application, IP address, port range and other attributes.

Observing normal traffic patterns and then applying appropriate rules can set media and signaling rate limits.

If possible, a firewall with application filtering should be utilized. Application filtering is an extension to stateful packet inspection. Whereas stateful packet inspection can determine what type of protocol is being sent over each port, application-level filters look at what a protocol is being used for. Application layer firewalls support multiple application proxies on a single firewall. The proxies sit between the client and server, passing data between the two endpoints. Suspicious data is dropped and the client and server never communicate directly with each other. Because application-level proxies are application-aware, the proxies can more easily handle complex protocols like H.323 and SIP, which are used for VoIP and video conferencing. Often, by deploying protocol conformance in unified communications-aware firewalls, enterprises can mitigate many of the vulnerabilities posted against the leading call control platforms. This is because the vulnerabilities are often exploited by sending malformed packets that can adversely impact the call control system. By applying a rigorous protocol conformance policy, these malformed packets can be filtered within the network rather than having to be dealt with by the target machine.
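As an added illustration of the two controls just described, protocol conformance filtering and signaling rate limiting, the following Python sketch (written for this edit, not code from the paper or from any vendor product) checks inbound SIP requests against basic RFC 3261 structure and caps INVITEs per source over a sliding window. The method list, size limits, rate thresholds and sample messages are all assumed.

```python
"""SIP-aware application filter: protocol conformance checks plus per-source
signaling rate limiting, run over constructed sample traffic (added example)."""
import re
from collections import defaultdict, deque

# Request methods a UC-aware firewall expects (RFC 3261 plus common extensions).
ALLOWED_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER",
                   "SUBSCRIBE", "NOTIFY", "REFER", "INFO", "UPDATE", "PRACK"}
# Header fields every SIP request must carry (RFC 3261 section 8.1.1).
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")
MAX_MESSAGE = 8192   # assumed policy limits: oversized fields are a classic
MAX_LINE = 1024      # malformed-packet vector against call control platforms

REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")
CSEQ = re.compile(r"^(\d{1,10}) ([A-Z]+)$")


def check_sip_conformance(raw):
    """Return (ok, reason); ok is False when the firewall should drop the message."""
    if len(raw) > MAX_MESSAGE:
        return False, "message too large"
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method = m.group(1)
    if method not in ALLOWED_METHODS:
        return False, "unknown method " + method
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_LINE:
            return False, "oversized header line"
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return False, "malformed header line"
        headers.setdefault(name.strip().lower(), value.strip())  # keep topmost Via
    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    if missing:
        return False, "missing headers: " + ", ".join(missing)
    c = CSEQ.match(headers["cseq"])
    if not c or c.group(2) != method:
        return False, "CSeq does not match method"
    if not headers["max-forwards"].isdigit():
        return False, "bad Max-Forwards"
    declared = headers.get("content-length")
    if declared is not None and (not declared.isdigit() or int(declared) != len(body)):
        return False, "Content-Length mismatch"
    return True, "ok"


class SignalingRateLimiter:
    """Sliding-window cap on INVITEs per source. The threshold is the kind of
    limit derived from observed normal traffic; the numbers here are assumed."""
    def __init__(self, max_invites=5, window_s=10.0):
        self.max_invites, self.window_s = max_invites, window_s
        self.history = defaultdict(deque)

    def allow(self, src, method, now):
        if method != "INVITE":
            return True
        q = self.history[src]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_invites:
            return False
        q.append(now)
        return True


def filter_traffic(events, limiter):
    """events: iterable of (timestamp, source_ip, raw_sip); returns verdicts."""
    verdicts = []
    for now, src, raw in events:
        ok, reason = check_sip_conformance(raw)
        if ok:
            method = raw.split("\r\n", 1)[0].split(" ", 1)[0]
            if not limiter.allow(src, method, now):
                ok, reason = False, "signaling rate limit"
        verdicts.append((src, "FORWARD" if ok else "DROP", reason))
    return verdicts


def sip_request(method, headers):
    """Build a CRLF-delimited SIP request (helper for the constructed samples)."""
    return "\r\n".join([method + " sip:bob@example.net SIP/2.0"] + headers) + "\r\n\r\n"


BASE = ["Via: SIP/2.0/UDP 10.0.0.5;branch=z9hG4bK776", "From: <sip:alice@example.net>;tag=1",
        "To: <sip:bob@example.net>", "Call-ID: c1@10.0.0.5", "Max-Forwards: 70"]

# Constructed sample traffic: one clean call, three malformed messages, one burst.
SAMPLE = [(0.0, "10.0.0.5", sip_request("INVITE", BASE + ["CSeq: 1 INVITE"])),
          (0.2, "10.0.0.5", sip_request("ACK", BASE + ["CSeq: 1 ACK"])),
          (1.0, "10.0.0.9", sip_request("INVITE", BASE[1:] + ["CSeq: 1 INVITE"])),  # no Via
          (1.1, "10.0.0.9", sip_request("INVITE", BASE + ["CSeq: 2 BYE"])),  # CSeq mismatch
          (1.2, "10.0.0.9", "INVITE sip:bob@example.net SIP/2.0\r\n" + "X" * 2000 + ": y\r\n\r\n"),
          ] + [(2.0 + i, "10.0.0.7", sip_request("INVITE", BASE + ["CSeq: %d INVITE" % i]))
               for i in range(7)]

if __name__ == "__main__":
    for verdict in filter_traffic(SAMPLE, SignalingRateLimiter()):
        print(verdict)
```

The first five INVITEs from 10.0.0.7 are forwarded and the sixth and seventh are dropped by the rate limiter, while the three malformed messages never reach the call control platform.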

Core network layer protection includes Intrusion Detection and Prevention Systems (IDS/IPS) technologies, which complement firewalls by establishing sensors running on independent hardware platforms throughout the network. These sensors monitor traffic for unwarranted behavior or traffic patterns, and respond accordingly based on pre-established rules. Malicious traffic is identified through comparison against typical traffic behavior associated with a list of known attacks. Based on network intelligence, you can adjust and tune the number and types of checks performed on specific network segments or assets. Network Intrusion Prevention differs from firewalls in that it uses a list of known signatures to identify attempts to exploit known vulnerabilities. In contrast, firewalls apply policy which controls access and selectively applies security services.

Host IDS/IPS technologies serve a similar purpose as their network counterparts, but reside as software on a host machine (server or client) present within the network. The ever-growing mobile workforce, continuing increase in the number of attack vectors targeting the actual host machine, and growth in deployment of SSL VPN solutions in many organizations are driving adoption of host-based products.


Traditional network-based products, for example, cannot decrypt the traffic on the line and the potential for certain attacks is passed to the host directly. Currently, customers are expanding deployment scenarios to include all mission-critical application and data servers, wireless access points, VPN access points, and remote machines. Additionally, there are many compliance issues that can only be measured by an agent on the host deploying predefined and customized behavior-based protections. Since a Host IPS (HIPS) security agent intercepts all requests to the system it protects, it has certain prerequisites: it must be very reliable, must not negatively impact performance, must not block legitimate traffic and should be centrally managed for efficient reporting and auditing of activities. Host IDS/IPS technology also includes file integrity, DDoS protection, authentication and OS hardening.

As an example of the offerings in this competitive area we take a brief look at the Cisco Security Agent (CSA) which uses behavioral anomaly detection to provide powerful endpoint protection against day-zero threats. CSA uses no signatures, reducing the pressure to update systems, while keeping the host covered during the shrinking vulnerability window. CSA's key features are:

• Zero-update protection based on operating system and application behavior
• Control of content after decryption or before encryption (e.g., SSL, IPsec)
• Access control for I/O devices based on process, network location and file content
• Centralized management and monitoring of events
• Self-Defending Network interaction with such solutions as ASA, Network Access Control, IPS, QoS, Monitoring, Analysis, and Response Systems, etc.

2.2.6 Use VoIP network encryption

Firewalls, gateways, and other such devices can help keep intruders from compromising a network. But unless the VoIP network is encrypted, anyone with physical access to the office LAN could potentially tap into telephone conversations [8]. Moreover, firewalls, gateways and such don't protect voice packets traversing the Internet. Encryption at the protocol level is necessary to defeat eavesdropping attacks. Transport Layer Security (TLS) and IPsec are two main encryption methods. Both protocols aim to keep unauthorized parties from interfering with or listening to calls, and they are almost impossible to manipulate externally.

To install multiple encryption layers, use Secure Real-time Transport Protocol (SRTP) at the communications layer for media encryption and TLS for signaling. Encrypting the actual content of communications between users (media encryption) prevents eavesdropping into private matters, whether the communication is voice, video or IM. Signaling encryption prevents illicit monitoring or tampering of the signaling that directs network operations, such as call setup and routing, service performance, event recording, billing, etc. Nonetheless, if you use encryption it's imperative to have in place a solution that terminates and inspects UC communications encrypted with SRTP/TLS, then re-encrypts the media and signaling for connection to its destination. Without such inspection, malicious traffic could enter the organization.

[8] You might not need traffic encrypted on the LAN, but you certainly will want to encrypt it at the router as it traverses the WAN. Seriously consider security solutions that offer the flexibility to have either encryption off the handset or encryption in bulk over the WAN links.


Authentication and encryption without inspection can give a false sense of security. Inspection is particularly valuable in a contact center where you require encrypted calling between the service representative and the customer, but you want to allow supervisory intercept for quality control purposes.

Gateways and switches should use IPsec or SSH instead of other cleartext protocols as the remote access protocol. If a web-based interface is provided, HTTPS (HTTP over TLS/SSL) should replace HTTP. If practical, avoid using remote management at all and do IP PBX access from a physically secure system.

Voice over Wireless LAN (VoWLAN) traffic may be secured with the same techniques used to protect wireless data traffic. The Wi-Fi Protected Access program version 2 (WPA2) and IEEE standard 802.11i both support the Advanced Encryption Standard (AES), which provides U.S. government-level protection. With encryption key sizes of up to 256 bits, AES is considered extremely secure.

2.2.7 Maintain Adequate Physical Security and Power Backup

Even if encryption is used, physical access to UC servers and gateways may allow an attacker to perform traffic analysis or compromise systems. Adequate physical security should be in place to restrict access to UC components. Physical security measures, including barriers, locks, access control systems, and guards, are the first line of defense. You must make sure that the proper countermeasures are in place to mitigate the biggest risks, such as insertion of sniffers or other network monitoring devices. Installation of a sniffer could result in not just data, but all voice communications being intercepted.

In addition, allow for sufficient power backup and the ability to roll over your voice calls to the PSTN should your IP WAN experience an outage.

2.2.8 Use Network Access/Admission Control (NAC)

According to Wikipedia, Network Access (or Admission) Control is an approach to computer network security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement.

Network Computing (NWC) [9] identifies five technology functions that are accepted and expected as part of a NAC product, based on interviews with 303 NWC readers directly involved in deploying or evaluating network access control, and reviews of vendor collateral:

1. Pre-connect host posture assessment
2. Host quarantine and remediation
3. Network access control based on user identity
4. Network resource control based on identity and policy
5. Ongoing threat analysis and containment.

[9] NAC Vendors Square Off, Network Computing Magazine, July 6, 2006, pp. 55-64, http://i.cmpnet.com/nc/1713/graphics/1713f3_file.pdf


Most individuals surveyed were focused on two main pain points: identifying and policing user access to the network, and eliminating threats brought onto the network by infected hosts. These pain points reflect the fact that many organizations have issues with non-corporate assets connecting to their network, such as employee-owned devices or devices brought in by guests and visitors. Discovering when these devices connect to the network and limiting their access based on corporate policy is an ongoing challenge. These devices are typically not managed by central IT patch management tools.

The bottom line is that while establishing responsible computing guidelines, requiring user authentication, and passing out antivirus software and operating system updates through patch management systems are necessary security steps, they are not sufficient. The added step of using the network to enforce policies ensures that incoming devices are compliant. Those judged to be vulnerable and non-compliant are quarantined or given limited access until they reach compliance. Depending on the vendor, NAC policies can permit, deny, prioritize, rate limit, tag, redirect, and audit network traffic based on user identity, time and location, device type, and other environmental variables.
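The five NAC functions listed above, and the quarantine-or-limit outcome just described, worked through as an added Python example (not code from the paper or from any NAC vendor): an admission decision that assesses posture before connection, quarantines managed hosts for remediation, limits unmanaged and guest devices that central IT tools cannot patch, and contains a host once ongoing threat analysis flags it. The thresholds, VLAN names and sample endpoints are assumed.

```python
"""NAC admission decision (added example): pre-connect posture assessment,
quarantine with remediation, and identity/policy-based access control."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed policy thresholds; a real deployment takes these from the NAC server.
MAX_AV_SIGNATURE_AGE_DAYS = 7
MAX_MISSING_CRITICAL_PATCHES = 0


@dataclass
class Posture:
    """Constructed snapshot of an endpoint as reported by a NAC agent or scan."""
    device_id: str
    user: Optional[str]             # None = no authenticated user
    user_role: str                  # "employee", "contractor" or "guest"
    corporate_asset: bool           # managed by central IT patch tools?
    av_signature_age_days: int
    missing_critical_patches: int
    hips_running: bool
    threat_observed: bool = False   # flagged by ongoing threat analysis


@dataclass
class Decision:
    action: str                     # "permit", "limited", "quarantine" or "deny"
    vlan: str
    remediation: List[str] = field(default_factory=list)


def assess(p: Posture) -> Decision:
    """Map one endpoint to an admission decision following the five NAC functions."""
    # Access control based on user identity: no authenticated user, no access.
    if p.user is None:
        return Decision("deny", "none", ["authenticate via 802.1X or captive portal"])
    if p.user_role == "guest":
        return Decision("limited", "guest-internet-only")
    # Ongoing threat analysis and containment: isolate even a compliant host.
    if p.threat_observed:
        return Decision("quarantine", "quarantine", ["isolate and investigate host"])
    # Pre-connect host posture assessment: collect the remediation steps needed.
    fixes = []
    if p.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        fixes.append("update antivirus signatures")
    if p.missing_critical_patches > MAX_MISSING_CRITICAL_PATCHES:
        fixes.append("install %d critical patches" % p.missing_critical_patches)
    if not p.hips_running:
        fixes.append("start host IPS agent")
    if fixes:
        # Host quarantine and remediation for managed assets; unmanaged devices
        # cannot be remediated by central IT tools, so they get limited access.
        if p.corporate_asset:
            return Decision("quarantine", "remediation", fixes)
        return Decision("limited", "guest-internet-only", fixes)
    # Network resource control based on identity and policy.
    vlan = "corp-full" if p.user_role == "employee" else "contractor-restricted"
    return Decision("permit", vlan)


def admit(endpoints):
    """Return {device_id: Decision} for a batch of connecting endpoints."""
    return {e.device_id: assess(e) for e in endpoints}


# Constructed sample endpoints covering each outcome.
SAMPLE = [
    Posture("lap-001", "alice", "employee", True, 1, 0, True),
    Posture("lap-002", "bob", "employee", True, 30, 3, True),
    Posture("byod-01", "carol", "employee", False, 45, 0, False),
    Posture("vis-001", "guest42", "guest", False, 99, 9, False),
    Posture("unk-001", None, "employee", True, 0, 0, True),
    Posture("lap-003", "dave", "contractor", False, 2, 0, True),
    Posture("lap-004", "erin", "employee", True, 0, 0, True, threat_observed=True),
]

if __name__ == "__main__":
    for dev, d in admit(SAMPLE).items():
        print(dev, d.action, d.vlan, d.remediation)
```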

Regulatory compliance is a key driver in NAC demand according to Network Computing's research. Their survey shows that 96 percent of respondents indicated they are governed by at least one government or industry regulation, and many CEOs and CTOs are mandating the deployment of NAC. Solutions that couple with identity management greatly improve accountability.


3. Summary of UC Security Best Practices

The drive for business agility is spurring companies of all sizes to adopt unified communications as a primary vector for enhanced communication and collaboration capabilities among remotely located and mobile employees, its supply chain and partner ecosystem, and with customers. These benefits, however, do not come without risks. Introduction of an IP-based UC communications and collaboration solution introduces an array of new vulnerabilities into the enterprise, and a growing number of malicious programs are exploiting these weaknesses.

The good news is that VoIP and IM are applications running on an IP network, and all of the security technologies and policies that companies have deployed for their data networks can be tuned to emulate the security level currently enjoyed by PSTN users of POTS. In many cases, even if a concerted effort to deploy data network security has not been implemented, the technology likely already exists in your network if you've recently purchased a switch or router.

The key to securing the UC network requires considering voice, data, and video communications as a system and implementing a multilayered, uniformly applied defense construct for the system infrastructure, call management, applications, and endpoints. The solution should be layered, with multiple controls and protections at multiple network levels. This minimizes the possibility that a single point of failure could compromise overall security. If a primary security layer is breached, other defensive barriers are available to deter the attack.

In summary, best practices entail:

• Treat the development of a UC security program as a collaborative cross-organizational project. Involve your carrier and an outside security consultant if necessary. Bottom line, plan the work and work the plan. The first step is to perform a security assessment. Assessments identify security gaps so they can be managed effectively. Any actionable risk assessment needs five key factors considered: a comprehensive list of threats, the interdependencies between the threats, the feasibility of each of the threats, the quantitative impact of each threat, and finally a prioritization of mitigation actions for each of the potential threats. You must feel confident that you can acceptably manage and mitigate the risks to your corporate information, system operations, and continuity of essential operations when deploying UC systems.

• And remember, there is no one size fits all. Companies should examine UC security from a business perspective by defining goals, policies, and patterns of usage at the start across all applications: data, VoIP, IM and presence, Web, and audio/video conferencing. Security policies for all media streams need to be aligned, and compliance with applicable laws and regulations must be properly implemented and properly balanced against business risks. Only then can costs be reconciled with benefits. In fact, taking a network-centric approach will lead to improved manageability and deployment through reduced complexity and more efficient troubleshooting, which all lead to lower total cost of ownership. The flexibility of this approach will simplify migration over time to richer security implementations, if required by legal/regulatory requirements, change in risk appetite, or growing sophistication and maliciousness of hacker attacks.


Balancing Security Solution Cost against Risk of Security Breach

Columns: Area of Protection | Low Security Cost & Risk | Medium Security Cost & Risk | High Security Cost & Risk. For each area the controls are listed in order from the low-cost column to the high-cost column.

Infrastructure:
- Separate voice/data VLANs
- Basic network layer ACLs
- Traffic prioritized with QoS on the network
- Stateful inspection firewalls
- Network rate limiting (switch/router/firewall)
- IDS monitoring
- Dynamic ARP inspection
- DHCP snooping
- App-aware firewall w/ TLS proxy for inspection of encrypted traffic
- 802.1x for all endpoints
- NAC w/ hosted IPS
- IPS monitoring & prevention
- Scavenger class (less-than-best-effort) queuing for anomalous, peer-to-peer & entertainment traffic
- Centralized network admin for authentication & authorization

Call Management:
- Approved antivirus
- Patches
- Strong admin credential policy
- Standalone HIPS security agent
- Multilevel admin
- Managed HIPS security agent
- TLS signaling & SRTP media encryption
- Advanced OS hardening
- IPsec/TLS & SRTP gateways

Applications (includes toll fraud):
- Approved antivirus
- Patches
- Strong admin credential policy
- Conference call drop with initiator's departure
- Standalone HIPS security agent
- Forced account codes
- Dialing filters
- Managed HIPS security agent
- IPsec/TLS & SRTP to apps

Endpoints:
- Disable Gratuitous ARP on phones
- Signed firmware & configurations
- Disable PC voice VLAN access
- X.509 certificates in IP phones
- SSL VPN for remote access softphones
- Phone proxy for remote IP phones
- TLS signaling & SRTP media encryption
- Encrypted configuration files
- Managed HIPS security agent (softphone)

• Assign voice and data to logically separate networks (VLANs) due to their different QoS and security requirements. Make sure your Ethernet switches are equipped with 802.1p prioritization so they can identify and prioritize traffic based on VLAN tags and support multiple queues.


• Protect the integrity of management systems. Segregate management traffic on its own VLAN. Use encryption, administrator access control, and activity logging.

• Use VPNs to provide a secure pathway for communication with remote workers. A VPN's built-in encryption feature enables secure connectivity with branch offices and business partners that are unreachable by private networks. Voice- and video-enabled VPN (V3PN) technology, available in many routers and security appliances, encrypts voice as well as data traffic using IPsec or AES. Encryption is performed in hardware so that firewall performance is not affected.

• Implement VoIP-ready firewalls capable of handling the latency-sensitive needs of voice traffic. Such firewalls provide rich granular controls, protocol conformance checking, protocol state tracking, security checks, and NAT services. These are essential components in the VoIP network. If possible, a firewall with application filtering should be utilized. Application filtering is an extension to stateful packet inspection. Whereas stateful packet inspection can determine what type of protocol is being sent over each port, application-level filters look at what a protocol is being used for. In addition, state-of-the-art intrusion detection and prevention systems should also be installed.

• Use VoIP network encryption. TLS and IPsec are two main encryption methods. Make sure your firewall can provide for the inspection of encrypted voice traffic.

• Apply adequate physical security to restrict access to VoIP components. Even if encryption is used, physical access to VoIP servers and gateways may allow an attacker to do traffic analysis or compromise the systems. Physical security measures, including barriers, locks, access control systems, and guards are the first line of defense. In addition, allow for sufficient power backup and the ability to roll over your voice calls to the PSTN should your IP WAN experience an outage.

• Implement Network Access (or Admission) Control in order to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement so that network access is contingent on compliance with established security policies.

• Train everyone in the enterprise on their responsibility for executing enterprise risk management in accordance with established directives and protocols.

Pictorially, your secure UC infrastructure will look like this.


[Figure: Secure UC Solution. Sites shown: Headquarters, Regional Office, Branch Office, Telecommuter and Road Warrior, connected over the IP WAN and the Internet through Router/GW and Call Mgmt nodes. Controls labelled in the figure: Security Agent (HIPS), VLANs/Port Security, Private Addresses, Antivirus, Encryption, Fraud Protection (dial plans), Secure transport (VPN), IDS/IPS, Phone Proxy, Mobility Proxy, Authenticated Routing, Application firewall, NAC.]


About the Authors

Paul Robinson, PhD, and David Yedwab
Founding Partners
www.mktstrategyanalytics.com

Market Strategy and Analytics Partners custom designs marketing and sales strategies that are consistent with client core competencies, market focus and competitive environment, and coupled with operationalized go-to-market plans across the value chain to ensure elimination of bottlenecks and complete consideration of end-to-end financials. Our clients include equipment and software providers, service providers and information-intense enterprises.

Market Strategy and Analytics Partners LLC


Glossary of Key VoIP Security Terms

(Acronym / Term: Definition)

ACL / Access Control List: The Access Control List is a file which a computer's operating system uses to determine the users' individual access rights and privileges to folders/directories and files on a given system. In an ACL-based security model, when a subject requests to perform an operation on an object, the system first checks the list for an applicable entry in order to decide whether or not to proceed with the operation. A key issue in the definition of any ACL-based security model is the question of how access control lists are edited: for each object, who can modify the object's ACL and what changes are allowed.

AES / Advanced Encryption Standard: AES is a block cipher adopted as an encryption standard by the U.S. government as of May 2002. It has been analyzed extensively and is now used worldwide, as was the case with its predecessor, the Data Encryption Standard (DES).

Application: An application is a program or group of programs designed for end users. Applications software (also called end-user programs) includes database programs, word processors, and spreadsheets. Figuratively speaking, applications software sits on top of systems software because it is unable to run without the operating system and system utilities.

Application Filtering: Application filtering is an extension to stateful packet inspection. Stateful packet inspection can determine what type of protocol is being sent over each port, while application-level filters look at what a protocol is being used for. Application layer firewalls support multiple application proxies on a single firewall. The proxies sit between the client and server, passing data between the two endpoints. Suspicious data is dropped and the client and server never communicate directly with each other. Because application-level proxies are application-aware, the proxies can more easily handle complex protocols like H.323 and SIP, which are used for VoIP and video conferencing.

Application Layer: This layer sends and receives data for particular applications, such as Domain Name System (DNS), HyperText Transfer Protocol (HTTP), and Simple Mail Transfer Protocol (SMTP). Separate application security controls must be established for each application; this provides a very high degree of control and flexibility over each application's security, but it may be very resource-intensive. While application layer controls can protect application data, they cannot protect TCP/IP information such as IP addresses because this information exists at a lower layer.

ALP/ALG / Application Level Proxy/Gateway: An application-level gateway, also known as an application proxy or application-level proxy, is an application program that runs on a firewall system between two networks. When a client program establishes a connection to a destination service, it connects to an application gateway, or proxy. The client then negotiates with the proxy server in order to communicate with the destination service. In effect, the proxy establishes the connection with the destination behind the firewall and acts on behalf of the client, hiding and protecting individual computers on the network behind the firewall. This creates two connections: one between the client and the proxy server and one between the proxy server and the destination. Once connected, the proxy makes all packet forwarding decisions. Since all communication is conducted through the proxy server, computers behind the firewall are protected.

ARP / Address Resolution Protocol: Address Resolution Protocol is a data link layer network protocol, which maps a network layer protocol address to a data link layer hardware address. A host in an Ethernet network can communicate with another host only if it knows the Ethernet address (MAC address) of that host. The higher-level protocols like IP use a different kind of addressing scheme (like IP address) from the lower-level hardware addressing scheme like MAC address. ARP is used to get the Ethernet address of a host from its IP address. ARP is extensively used by all the hosts in an Ethernet network.

Botnet / Botnet or Storm Botnet Attack: The Storm botnet or Storm worm botnet is a remotely controlled network of "zombie" computers (or "botnet") that has been linked by the Storm Worm, a Trojan horse spread through e-mail spam. Some have estimated that by September 2007 the Storm botnet was running on anywhere from 1 million to 50 million computer systems. The Storm botnet was first identified around January 2007, with the Storm worm at one point accounting for 8% of all malware on Microsoft Windows computers.

Buffer Overflow Attack: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. In buffer overflow attacks, the extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information.

Caller ID Spoofing: Caller ID spoofing is the practice of causing the telephone network to display a number on the recipient's caller ID display which is not that of the actual originating station; the term is commonly used to describe situations in which the motivation is considered nefarious by the speaker.

Call Hijack: An attack in which one of the intended endpoints of the conversation is exchanged with the attacker.

Call Managers: Call managers are required to set up calls, monitor call state, handle number translation, and provide basic telephony services. Call managers also handle signaling functions that coordinate with media gateways, which are the interface between the VoIP network and the public switched telephone network (PSTN).

Data Link Layer: This layer handles communications on the physical network components. The best known data link layer protocol is Ethernet. Security controls here are suitable for protecting a specific physical link, such as a dedicated circuit between two buildings or a dial-up modem connection to an ISP. Because each physical link must be secured separately, data link layer controls generally are not feasible for protecting connections that involve several links, such as connections across the Internet.

DDoS / Distributed Denial of Service: A distributed denial of service attack occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually one or more web servers. These systems are compromised by attackers using a variety of methods. Malware can carry DDoS attack mechanisms; one of the more well-known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware, and no further interaction was necessary to launch the attack.

DHCP / Dynamic Host Configuration Protocol: Dynamic Host Configuration Protocol is a protocol used by networked devices (clients) to obtain various parameters necessary for the clients to operate in an IP network. By using this protocol, system administration workload greatly decreases, and devices can be added to the network with minimal or no manual configuration.

DoS / Denial of Service: An attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.

Eavesdropping: The intercepting and reading of messages and conversations by unintended recipients. In VoIP, eavesdropping is an attack giving an attacker the ability to listen to and record private phone conversations.

Endpoint: An endpoint is a source and/or receiving side of media such as audio or video. Examples of endpoints are a PC running an audio/video communication application or a softphone. An endpoint can also be an automated device, such as a voice or unified communications mailbox. The endpoint also terminates a signaling protocol, such as SIP or H.323, and may be controllable from some application through an application program interface (API).

Fuzzing: Functional protocol testing, also called fuzzing, is a popular way of finding bugs and vulnerabilities. Fuzzing involves creating different types of packets for a protocol which contain data that pushes the protocol's specifications to the point of breaking them. These packets are sent to an application, operating system, or hardware device capable of processing that protocol, and the results are then monitored for any abnormal behavior (crash, resource consumption, etc.).

Gateway: A gateway is a node on a network that serves as an entrance to another network. In enterprises, the gateway node often acts as a proxy server and a firewall. The gateway is also associated with both a router, which uses headers and forwarding tables to determine where packets are sent, and a switch, which provides the actual path for the packet in and out of the gateway.

Host Authentication: A host key is used by a server to prove its identity to a client and by a client to verify a "known" host. Host keys are described as persistent (they are changed infrequently) and are asymmetric, much like the public/private key pairs discussed in the Public key section. If a machine is running only one SSH server, a single host key serves to identify both the machine and the server. Host authentication guards against the Man-in-the-Middle attack.

    IP (Internet Protocol): The Internet Protocol (IP) is a data-oriented protocol used for communicating data across a packet-switched internetwork. IP is a network layer protocol in the Internet protocol suite and is encapsulated in a data link layer protocol (e.g., Ethernet). As a lower layer protocol, IP provides the service of communicable unique global addressing amongst computers.

    IPsec (IP Security): IPsec is the standard encryption suite for the Internet Protocol and will be fully supported in IPv6. IPsec enforces data confidentiality by encrypting packets before transmission. It helps ensure the integrity of data by authenticating packets, and validates the origin of data by authenticating the source of packets that are received. Finally, IPsec can help prevent attacks by identifying aged or duplicate packets.

    MAC: The Media Access Control data communication protocol is a sublayer of the data link layer. It provides addressing and channel access control mechanisms that make it possible for several terminals or network nodes to communicate within a multipoint network, typically a LAN or metropolitan area network (MAN).

    MITM (Man-in-the-middle): An attack in which an attacker is able to read, insert and modify at will messages between two parties without either party knowing that the link between them has been compromised.

    MOS (Mean Opinion Score): Mean Opinion Score (MOS) is the average of the opinions expressed by a group of subjects presented with a sample stimulus, e.g. a voice sample. Subjects express their opinion against a 5-point scale, e.g.: excellent (5), good (4), fair (3), poor (2), bad (1). Objective measurement methods attempt to predict human opinion to provide a numerical indication of the perceived quality of received media after compression and/or transmission.

    NAT (Network Address Translation): NAT is a powerful tool that can be used to hide internal network addresses and enable several endpoints within a LAN to share the same (external) IP address. NATs also indirectly contribute to security for a LAN, making internal IP addresses less accessible from the public Internet. Thus, all attacks against the network must be focused at the NAT router itself. Like firewalls, this provides security because only one point of access must be protected, and the router will generally be far more secure than a PC directly connected to the Internet (less likelihood of open ports, malicious programs, etc.).

    Network Layer: This layer routes packets across networks. Internet Protocol (IP) is the fundamental network layer protocol for TCP/IP. Other commonly used protocols at the network layer are Internet Control Message Protocol (ICMP) and Internet Group Management Protocol (IGMP). Security controls at this layer apply to all applications and are not application-specific, so applications do not have to be modified to use the controls. However, network layer controls provide less control and flexibility for protecting specific applications than transport and application layer controls. Network layer controls can protect both the data within packets and the IP information for each packet.

    Proxy impersonation: A Proxy Impersonation attack tricks the victim into communicating with a rogue proxy set up by the attacker. Once an attacker impersonates a proxy, he has complete control of the call.

    Proxy Server: A proxy server is a server (a computer system or an application program) which services the requests of its clients by forwarding requests to other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server provides the resource by connecting to the specified server and requesting the service on behalf of the client. A proxy server may optionally alter the client's request or the server's response, and sometimes it may serve the request without contacting the specified server. In this case, it would 'cache' the first request to the remote server, so it could save the information for later, and make everything as fast as possible.

    PSTN (Public Switched Telephone Network): The public switched telephone network is the network of the world's public circuit-switched telephone networks, in much the same way that the Internet is the network of the world's public IP-based packet-switched networks. Originally a network of fixed-line analog telephone systems, the PSTN is now almost entirely digital and now includes mobile as well as fixed telephones. The PSTN is largely governed by technical standards created by the ITU-T, and uses E.163/E.164 addresses (known more commonly as telephone numbers) for addressing.

    QoS (Quality of Service): In the fields of packet-switched networks and computer networking, the traffic engineering term Quality of Service, abbreviated QoS, refers to resource reservation control mechanisms rather than the achieved service quality. Quality of Service is the ability to provide different priority to different applications, users, or data flows, or to guarantee a certain level of performance to a data flow. QoS mechanisms implemented in the IP data network are key to providing high quality VoIP connections.

    QoE (Quality of Experience): End-user Quality of Experience is determined by the performance of both the network and the communications application. In the case of VoIP, QoE is determined by the performance of the IP network (to deliver the packets across the network) and application-level factors such as echo, speech level, delay, noise level, and speech distortion. Effective performance management must account for both network and application performance.

    Rate Limiting: Rate limiting or rate control is used to maintain fairness in Internet bandwidth allocation to ensure the effective management of limited network resources. It also can limit the effect of attacks that try to overwhelm the network.

    Registration hijacking: Registration hijacking happens when an attacker replaces the legitimate registration of the victim with his address. The attack causes all incoming calls for the victim to be sent to the attacker's address.
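A defender-side check for the registration hijacking just described, added here as an example and not part of the original document: it parses SIP REGISTER requests and alerts when the Contact binding for an address-of-record moves to a host other than the one on record, or when a de-registration arrives from a host other than the one bound. The sample messages, the pbx.example.test domain and all addresses are constructed for illustration; a real registrar would also have to allow for roaming users and multiple Contacts per address-of-record.

```python
import re
# Constructed sample REGISTER requests (not from any real capture). The To
# header names the address-of-record (AOR); Contact names the host that
# calls for that AOR are delivered to.
def register(user, host, expires=3600):
    return (f"REGISTER sip:pbx.example.test SIP/2.0\r\nTo: <sip:{user}@pbx.example.test>\r\n"
            f"Contact: <sip:{user}@{host}:5060>\r\nExpires: {expires}\r\n\r\n")

SAMPLE_REGISTERS = [
    register("alice", "10.0.1.21"),
    register("bob", "10.0.1.22"),
    register("alice", "10.0.1.21"),   # alice's phone refreshing: no alert
    register("alice", "10.0.9.77"),   # alice's AOR bound elsewhere: candidate hijack
    register("bob", "10.0.1.22", 0),  # bob's own phone de-registers: no alert
]

HEADER_RE = re.compile(r"^([A-Za-z-]+):\s*(.*?)\s*$")
URI_RE = re.compile(r"sip:([^;>:\s]+)")  # captures user@host of a SIP URI

def parse_register(msg):
    """Return (aor, contact_host, expires) for a REGISTER request, else None."""
    lines = msg.split("\r\n")
    if not lines[0].startswith("REGISTER "):
        return None
    headers = {}
    for line in lines[1:]:
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2)
    to_uri = URI_RE.search(headers.get("to", ""))
    contact_uri = URI_RE.search(headers.get("contact", ""))
    if not to_uri or not contact_uri:
        return None
    contact_host = contact_uri.group(1).split("@")[-1]  # keep the host part only
    return to_uri.group(1), contact_host, int(headers.get("expires", "3600"))

class RegistrationMonitor:
    """Keeps the last known Contact host per AOR and reports binding changes."""
    def __init__(self):
        self.bindings = {}

    def observe(self, msg):
        parsed = parse_register(msg)
        if parsed is None:
            return None
        aor, host, expires = parsed
        previous = self.bindings.get(aor)
        if expires == 0:  # de-registration: suspicious only if from another host
            self.bindings.pop(aor, None)
            if previous not in (None, host):
                return f"ALERT: {aor} de-registered by {host}, was bound to {previous}"
            return None
        self.bindings[aor] = host
        if previous is not None and previous != host:
            return f"ALERT: binding for {aor} moved from {previous} to {host}"
        return None

def scan(messages):
    mon = RegistrationMonitor()
    return [a for a in (mon.observe(m) for m in messages) if a]
```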

    RTP (Real-Time Transport Protocol): The Real-time Transport Protocol (or RTP) defines a standardized packet format for delivering audio and video over the Internet. It was developed by the Audio-Video Transport Working Group of the IETF and first published in 1996 as RFC 1889. RTP does not provide mechanisms to ensure timely delivery of packets. It also does not give any Quality of Service (QoS) guarantees, so QoS needs to be provided by some other mechanism.

    SBC (Session Border Controller): SBCs are dedicated appliances that offer one or more of the following services to a VoIP perimeter: Firewall/NAT traversal, Call Admission Control, Service Level Agreement monitoring, support for lawful intercept, and protocol interworking.

    Scavenger class queuing: Scavenger class or less-than-Best-Effort queuing is a strategy used to keep critical applications available during DoS attacks. The first step in deploying Scavenger class QoS is to profile applications to determine what constitutes a normal vs. abnormal flow. Application traffic exceeding this normal rate will be assigned to a minimal bandwidth queue, forcing it to be squelched to virtually nothing during periods of congestion, but allowing it to be available if bandwidth is not being used for business purposes, such as might occur during off-peak hours. Applications assigned to this class have little or no contribution to the organizational objectives of the enterprise and are typically entertainment-oriented in nature, including peer-to-peer media sharing applications.

    SIP (Session Initiation Protocol): SIP is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. It can be used to create two-party, multiparty, or multicast sessions that include Internet telephone calls, multimedia distribution, and multimedia conferences. It is based on IETF RFC 3261. It is widely used as a signaling protocol for Voice over IP, along with H.323, MGCP and other protocols.

    Sound Insertion: Sound Insertion is an attack that will insert the contents of a sound file into an existing RTP stream. The approach is to record unencrypted RTP streams of someone's conversations and build up a vocabulary for that person. You would then assemble your injection phrase from that person's prior conversations and then wait for the right moment to inject it. This does, of course, require a somewhat significant amount of work, network access and the proper timing.

    SPI (Stateful Packet Inspection): Stateful packet inspection is a firewall architecture that works at the network layer. Unlike static packet filtering, which examines a packet based on the information in its header, stateful inspection tracks each connection traversing all interfaces of the firewall and makes sure they are valid. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Because of this, filtering decisions are based not only on administrator-defined rules (as in static packet filtering) but also on context that has been established by prior packets that have passed through the firewall.

    SPIT (Spam over Internet Telephony): VoIP spam is unsolicited and unwanted bulk messages broadcast over VoIP to an enterprise network's end users. These high-volume bulk calls routed over IP are often very difficult to trace and have the inherent capacity for fraud, unauthorized resource use, and privacy violations.

    Spoofing: A spoofing attack, in computer security terms, refers to a situation in which one person or program is able to masquerade successfully as another.

    SRTP (Secure Real-time Protocol): SRTP provides a framework for encryption and message authentication of RTP and RTCP streams. It can provide confidentiality, message authentication and replay protection for audio and video streams. SRTP achieves high throughput and low packet expansion. It is independent of a specific RTP stack implementation and of a specific key management standard, but Multimedia Internet Keying (MIKEY) has been designed to work with SRTP.

    SSH (Secure Shell): Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.

    TCP (Transmission Control Protocol): Transmission Control Protocol is one of the core protocols of the Internet protocol suite. It is the transport protocol that manages the individual conversations between web servers and web clients. TCP divides the HTTP messages into smaller pieces, called segments, to be sent to the destination client. It is also responsible for controlling the size and rate at which messages are exchanged between the server and the client.

    Transport Layer: This layer provides connection-oriented or connectionless services for transporting application layer services between networks. The transport layer can optionally assure the reliability of communications. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are commonly used transport layer protocols. Security controls at this layer can protect the data in a single communications session between two hosts. The most frequently used transport layer control is SSL, which most often secures HTTP traffic but is also used to implement VPNs. To be used, transport layer controls must be supported by both the clients and servers. Because IP information is added at the network layer, transport layer controls cannot protect it.

    TLS/SSL (Transport Layer Security and Secure Sockets Layer): TLS and its predecessor SSL are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers. There are slight differences between SSL and TLS, but they are substantially the same.

    UDP (User Datagram Protocol): User Datagram Protocol is one of the core protocols of the Internet protocol suite. Using UDP, programs on networked computers can send short messages, sometimes known as datagrams, to one another. UDP does not guarantee reliability or ordering in the way that TCP does. Datagrams may arrive out of order, appear duplicated, or go missing without notice. Avoiding the overhead of checking whether every packet actually arrived makes UDP faster and more efficient, at least for applications that do not need guaranteed delivery. Time-sensitive applications often use UDP because dropped packets are preferable to delayed packets. Common network applications that use UDP include: the Domain Name System (DNS), streaming media applications such as IPTV, Voice over IP (VoIP), Trivial File Transfer Protocol (TFTP) and online games.

    VGW (Voice Gateway): A Voice Gateway is used as the connecting point between a VoIP system and the PSTN or other legacy equipment such as analog phones. Thus it is used to convert from IP to traditional analog or digital formats to provide connections such as FXS, FXO, PRI, T1, or other types of ports. Voice gateways can be implemented in dedicated devices or are often implemented in routers.

    Vishing: Vishing is the criminal practice of using social engineering and VoIP to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and phishing.

    VLAN (Virtual LANs): VLANs segregate different areas of the same network, for example, separating a company's client record servers from its public Web servers or separating IP phones from PCs and softphones (PCs equipped to perform like IP phones). VLANs control the propagation of traffic between network components, creating a logical separation even where there is no physical separation.

    VoIP (Voice over Internet Protocol): Voice over Internet Protocol is a protocol optimized for the transmission of voice through the Internet or other packet-switched networks, typically as an RTP stream. VoIP is often used abstractly to refer to the actual transmission of voice (rather than the protocol implementing it). VoIP is also known as IP Telephony or Internet telephony.

    VoMIT (Voice over misconfigured internet telephony): Voice over misconfigured internet telephony refers to the attachment of a packet sniffer to the VoIP network segment in order to intercept voice traffic. VoMIT is freely available over the Internet.

    VPN (Virtual Private Network): A VPN is a virtual network, built on top of existing physical networks, which can provide a secure communications mechanism for data and other information transmitted between networks. Because a VPN can be used over existing networks, such as the Internet, it can facilitate the secure transfer of sensitive data across public networks. This is often less expensive than alternatives such as dedicated private telecommunications lines between organizations or branch offices. VPNs can also provide flexible solutions, such as securing communications between remote telecommuters and the organization's servers, regardless of where the telecommuters are located. A VPN can even be established within a single network to protect particularly sensitive communications from other parties on the same network.

    WAN (Wide Area Network): Wide Area Network (WAN) is a computer network that covers a broad area (i.e., any network whose communications links cross metropolitan, regional, or national boundaries). The largest and most well-known example of a WAN is the Internet. WANs are used to connect LANs and other types of networks together, so that users and computers in one location can communicate with users and computers in other locations. Many WANs are built for one particular organization and are private.

    WPA2 (IEEE standard 802.11i): WPA and WPA2 Authentication & Encryption for 802.11 Security are standards-based security solutions from the Wi-Fi Alliance that address the vulnerabilities in native WLANs and provide enhanced protection from targeted attacks. WPA was designed to address the weaknesses of WEP. It is a subset of 802.11i (the ratified IEEE standard for WLAN security) and consists of an authentication mechanism (802.1X or pre-shared keys) and an encryption mechanism (Temporal Key Integrity Protocol (TKIP), as defined in 802.11i, which can be supported in software by products that support WEP). WPA2 is the second generation of WPA security from the Wi-Fi Alliance that supports either the 802.1X or pre-shared keys authentication mechanism but also supports the Advanced Encryption Standard (AES).

    Worm: A worm is a type of virus program that propagates itself over a network, reproducing itself as it goes.