Risks With Unified Communication
7/30/2019 Risks With Unified Communication
UC Security Best Practices
September 25, 2008
Abstract

Unified Communications (UC) offers the promise of facilitating an enterprise's drive for business agility through the deployment of a cost-effective communications and collaboration platform spanning its remotely located and mobile employees, its supply chain, its partner ecosystem and its customers. Using a non-technical approach, we take the Business Decision Maker (BDM) through best practices for securing multimedia UC.

The key to securing the UC solution requires considering voice, data, and video communications as a system, and implementing a multi-layered, uniformly applied defense construct for the system infrastructure, call management, applications, and endpoints. The solution should be layered, with multiple controls and protections at multiple network levels. This defense-in-depth approach minimizes the possibility that a single point of failure could compromise overall security. If a primary security layer is breached, other defensive barriers are available to deter the attack. Such an approach has been considered best practice for data security since the first days of the Internet.

The bottom line is that confidentiality, integrity, and availability of critical multimedia resources must be ensured while maintaining the UC solution's performance. Security features should be transparent to the user, standards-based, simple to administer and cost-effective. There is no one size fits all. Companies should examine UC security from a business perspective by defining goals, policies, and patterns of usage at the get-go across all applications: data, VoIP, Instant Messaging (IM) and presence, Web and audio/video conferencing. Security policies for all media streams need to be aligned and properly balanced against business risks. We will follow this theme throughout the discussion.
UC Security Best Practices

1. Introduction

Business agility has become the mantra for 21st Century success in an increasingly global economy, and UC is a leading technology supporting its attainment by enabling organizations to embed communications and collaboration into business processes. Individual productivity gains, while showing improved performance without impact on process outcomes, are still unlikely to improve competitive positioning or the delivery of products and services. Contextual collaboration, on the other hand, across customers, employees, suppliers, the channel and among strategic partners will accelerate innovation, time to market, information-driven decision making, and create the cost efficiencies that define sought-after best-in-class business agility.

Companies of all sizes are adopting unified communications and the collaboration capabilities it fosters to boost productivity and innovation, increase mobility and enhance flexibility.

Upon interviewing 315 network and telecommunications decision makers at European enterprises, Forrester[1] finds that enterprise implementation of VoIP in Europe is firmly entering the mass adoption phase. Most enterprises (76%) are going down the IP PBX route, either installing the equipment on their own premises or contracting a managed service from a hosting center. UC is firmly on the agenda: 35% of firms say UC is a priority, and 18% have implemented some element of UC.

In that same context, a Dimension Data[2] sponsored survey of 390 IT managers and 524 end users across 13 countries in the United States, Asia Pacific and Europe, Middle East and Africa found that most organizations have already invested in infrastructure technologies, with 37% of companies currently using IP telephony, followed by 36% using a video conferencing infrastructure. Although mobile VoIP is not widely used, an investment is on corporate agendas in the next two years. The findings show that organizations view click-to-dial on desktops (52%) and presence (42%) as maturing technologies that will be routinely used in the corporate environment within two years. Moreover, the United States leads the way in IP telephony adoption (60%), with Middle East and Africa having the lowest penetration at 13%.

AMI Partners[3] reports that small and medium businesses (SMBs) are gravitating towards UC without even realizing it. Based on its survey of 1500 companies, AMI finds that SMBs have a strategic interest in business continuity, enhanced connectivity, collaboration, mobility, and standardized IT infrastructure, which are all foundational elements of a comprehensive UC portfolio.

[1] The State Of Enterprise VoIP And Unified Communications Adoption In Europe: 2007, December 6, 2007, http://www.forrester.com/Research/Document/Excerpt/0,7211,43073,00.html.
[2] Unified Communications Adoption Outpaces Expectations, August 20, 2007, http://www.dimensiondata.com/NR/rdonlyres/CD1D2A1041FF412C932CCAE4D964A7A9/7615/UNIFIEDCOMMUNICATIONSADOPTIONOUTPACESEXPECTATIONS1.pdf.
[3] Driving Unified Communications & Collaboration in the SMB Market: the Business-Focused Web 2.0, October 2007, http://www.amipartners.com/ami/sections/Studies/UC_telecom_report_TOC.pdf.
Clearly, within the context of UC-driven, communications-enabled business processes, converged voice and data IP networks are being entrusted to carry the essential functions of conducting business to and from the remote worker, the supply chain and the partner ecosystem. And in doing so these networks must be secured in a manner that:

- Complies with all applicable laws and regulations;
- Prevents leaks of customer records;
- Protects intellectual property and proprietary information; and
- Preserves corporate brands and reputations.

Yet according to an In-Stat survey of IT professionals at 299 US businesses about their security plans for VoIP technology, "No mechanisms for securing VoIP had more than 50% penetration across all sizes of business," says Victoria Fodale[4], In-Stat analyst.

Our purpose here is to set out, in non-technical terms, best practices for securing UC.

The key to securing UC requires considering voice, data, and video communications as a system and implementing a multi-layered, uniformly applied defense construct for the system infrastructure, call management, applications, and endpoints. The solution should be layered, with multiple controls and protections at multiple network levels. This minimizes the possibility that a single point of failure could compromise overall security. If a primary security layer is breached, other defensive barriers are available to deter the attack.

Now a UC network is complex, consisting as it does of a wide range of components and applications such as telephone handsets, conferencing units, mobile units, call managers, gateways, presence servers, routers, servers, firewalls, specialized protocols and application linkages. The good news is that VoIP, IM, and video are all applications running on an IP network, and all of the security technologies and policies that companies have deployed for their data networks can be tuned to emulate the security level currently enjoyed by Public Switched Telephone Network (PSTN) users of Plain Old Telephone Service (POTS). In many cases, even if a concerted effort to deploy data network security has not been implemented, the technology likely already exists in your network if you have modern switches, routers and security appliances. In fact, taking a network-centric approach will lead to improved manageability and deployment through reduced complexity and more efficient troubleshooting, which all lead to lower total cost of ownership.

The bottom line is that the confidentiality, integrity, and availability of critical multimedia resources must be ensured while maintaining the UC solution's performance. Security features should be transparent to the user, standards-based, simple to administer and cost-effective. There is no one size fits all.

Companies should examine UC security from a business perspective by defining goals, policies, and patterns of usage at the get-go across all applications: data, VoIP, IM and presence, Web and audio/video conferencing. Security policies for all media streams need to be aligned and properly balanced against business risks. We will follow this theme throughout the discussion.

[4] US Businesses Lag In Securing VoIP, In-Stat Press Release, March 24, 2008, http://www.instat.com/press.asp?ID=2271&sku=IN0804266CT.
2. UC Security Best Practice Recommendations

Below we will take the BDM through a non-technical discussion of best practices for securing UC, with emphasis on VoIP. Key security-related terms will be aggregated for later reference in a glossary at the end of the white paper.

2.1 Getting Started: Plan the Work and Work the Plan

A UC security strategy should be developed in the formalized context of enterprise risk management. Enterprise risk management is:

- A process, ongoing and flowing through an enterprise;
- Affected by people at every level of an organization;
- Applied in a strategy setting;
- Applied across the enterprise, at every level and unit, and includes taking an enterprise-wide portfolio view of risk;
- Designed to identify potential events that, if they occur, will adversely affect the enterprise, and the associated risk managed within the enterprise's risk appetite;
- Able to provide reasonable assurance to enterprise management and board of directors; and
- Geared to achievement of objectives in one or more separate but overlapping categories.

This is a collaborative, cross-organizational team effort requiring participation from many players representing the networking, security, telecom, legal and business sides of your organization. It's also appropriate at the start of any UC project to involve your service provider's security representatives and possibly a security consultant. In particular, ask your carrier how they can help you mitigate Distributed Denial of Service (DDoS) and botnet attacks.

The team's first project step is to establish strategic objectives that are aligned with and support the enterprise's mission, support compliance with applicable laws and regulations, and reflect management's appetite for risk. In carrying out its mission the team must be charged with effective use of resources, development and deployment of reliable reporting, ongoing monitoring and those security system optimization processes that will allow the enterprise to migrate over time to richer security implementations.

Performance of a security assessment comes next. Assessments identify security gaps so they can be managed effectively. From the security perspective everybody is under threat, but by varying degrees. Invite your project team to a brainstorming session. Begin by posing questions such as:

- What kind of information are we holding?
- What would happen if somebody got a hold of that information?
- What kind of legal and regulatory environments are we dealing with?
- Whose presence status and location must be protected?
- What would happen if there was a UC system outage?
- How visible a target do we consider ourselves to be?

Once you've drawn up a comprehensive list of threats, move on to assess: the interdependencies between the threats, the feasibility of each of the threats, the quantitative impact of each threat, and
finally a prioritization of mitigation actions for each of the potential threats. You must feel confident that you can acceptably manage and mitigate the risks to your corporate information, system operations, and continuity of essential operations when deploying UC technology.

Attacks on UC systems can be broadly categorized into the following five types: (1) Confidentiality (or privacy), which includes call eavesdropping, call recording and voicemail tampering; (2) Integrity (or authenticity), which includes registration hijacking, caller ID spoofing, and sound insertion; (3) Availability, which includes denial of service attacks, buffer overflow attacks, and malware; (4) Theft, which includes toll fraud (service theft) and data theft through masquerading data as voice and data network crossover attacks; and (5) Voice Spam, known as SPIT, which includes unsolicited calling, unified mailbox stuffing, and Vishing (voice phishing).

Categorization of VoIP Threats

| Threat Type | Examples | Impact |
|---|---|---|
| Confidentiality | Eavesdropping; Call recording; Voicemail tampering | Leakage of sensitive or confidential information; Compromised corporate assets; Identity theft; Blackmail |
| Integrity (or Authenticity) | Registration hijacking; Caller ID spoofing; Sound insertion | Disruption and chaos; Identity theft |
| Availability | Denial of Service; Buffer overflow attacks; Worms & viruses | Service outages with impact on revenue and brand image; Extortion; Lost productivity |
| Theft | Service theft (toll fraud); Data theft (masquerading data as voice, data network crossover attacks) | Excessive subscriber phone bills; Lost carrier revenues; Loss of trade secrets, confidential data, etc.; Industrial espionage |
| SPIT | Unsolicited calling; Mailbox stuffing; Vishing | Reduced productivity and co-opting of system resources; Identity theft; Financial loss |

Confidentiality refers to the enterprise's need to keep the non-public customer/client/partner data that it possesses both secure and private. Regulatory compliance raises the stakes significantly in the quest for effective UC security. Examples of confidentiality threats are: call eavesdropping, call recording and voicemail tampering.
Measures such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), European Basel II and the Gramm-Leach-Bliley Act (GLB) pose a range of potential legal and financial liabilities[5]. In addition, any findings of non-compliance or failure to comply with the required disclosure of security breaches can yield adverse publicity and the loss of business and brand value. To demonstrate full compliance with the security mandates your business must not only prevent malicious attacks from outside the organization, but also take necessary and prudent measures to protect against internal risks.

Integrity of information means that information remains unaltered by unauthorized users. That is, information cannot be changed in transit or at rest without being detected, and malicious or unwanted data can be blocked, filtered, or otherwise kept away from both servers and users. Integrity threats include any event in which system functions or data may be corrupted, either accidentally or as a result of malicious actions. Misuse may involve legitimate users (i.e. insiders performing unauthorized operations) or intruders. Authentication provides a mechanism to verify that a user or client is legitimate and has clearance for a given level of access. This is normally accomplished through the use of strong passwords that are centrally administered. Also, at the user level, company employees should be trained and assessed against high-risk security behavior. Malicious integrity (or authenticity) threats take the form of registration hijacking, caller ID spoofing, and sound insertion.

Availability refers to the principle that data and services are available for use when needed. Availability is a critical part of overall security planning. Attacks exploiting vulnerabilities in the call management software or protocols may lead to deterioration or even denial of service, or functionality, of the call server. In addition, special consideration should be given to E911 emergency services communications, because E911 automatic location service is not available with VoIP in some cases (for example Microsoft Office Communications Server 2007).

[5] Other legislation and regulations include: E911 laws in 17 states, security breach laws in more than 34 states, Federal Information Security Management Act (FISMA), Federal Financial Institutions Examination Council (FFIEC), Supervisory Control and Data Acquisition (SCADA), Payment Card Industry Data Security Standard (PCI DSS) and the Committee of Supporting Organizations (COSO) Enterprise Risk Management Framework.
2.2 Take a Multi-layered Approach to Protecting Your Network Infrastructure

Securing the network perimeter, though absolutely necessary, is no longer sufficient. The growing internal threat, increasingly mobile workforce, more critical servers being placed on the network, and more attacks coming in on common ports have exploited flaws in the traditional firewall-centric security solution. A more mature and enlightened market is evolving towards the notion of layered security solutions. The core network layer protection includes an application-aware firewall and Intrusion Detection/Prevention Systems. Protection around the communications layer involves VoIP encryption. Perimeter security, as applied to UC solutions, would infer that the voice network be segregated wherever possible, so that unwanted traffic between the voice and data network is constrained. Endpoint security must include mechanisms to control access to the devices. Password control policies must be enforced so that passwords are changed regularly and strong passwords always used.
2.2.1 Segregate Voice and Data Traffic on Separate VLANs

A basic technique for voice security is to assign voice and data to logically separate networks (Virtual LANs or VLANs) due to their different Quality of Service[6] (QoS) and security requirements. In addition, traffic sent over the voice VLAN is not visible to insiders or outsiders connected to data VLANs, and data traffic cannot cross over to the voice VLAN. LAN Ethernet switches should be equipped with 802.1p prioritization so they can identify and prioritize traffic based on VLAN tags and support multiple queues. VLAN tagging ensures that data traffic from PC softphones takes a separate VLAN from voice traffic. Voice traffic is very delay-sensitive and must be prioritized over data on these VLANs so that it gets through even during a network attack.

Establishing separate departmental voice VLANs will deter toll fraud by preventing employees from trying to use another department's VLAN for toll calls to avoid increasing their own phone bills. It's also good practice to segregate the management traffic on its own VLAN, together with host authentication, to minimize the likelihood of unwanted access to the call control servers.

When creating the VLAN, be sure to place its equipment behind separate firewalls. This practice will restrict traffic crossing VLAN boundaries and prevent viruses and other kinds of malware from spreading from clients to servers. When looking for firewall technology, be sure to examine products that support both leading standards: Session Initiation Protocol (SIP) and the International Telecommunication Union's H.323 protocol.

In conjunction with VLANs, companies can set up voice Access Control Lists (ACLs) for departments, workgroups, and individuals. Access control lists are an important part of the toolset a network administrator has at his/her disposal to monitor and control access into a VoIP network. ACLs on the networking layer can be used to prevent inbound data packets used in DoS attacks from entering the voice VLAN. ACLs are also instrumental in defending against eavesdropping and call interception by preventing voice traffic from crossing over to an untrusted portion of the network.

[6] See Critical Success Factors in Design and Performance Management of UC Networks, March 2008, http://www.ucstrategies.com/UC_Networks.aspx. An in-depth discussion is provided of VoIP's requirements for both QoS, which concerns measurement of the treatment of the packets traversing a network including utilization, response time, latency (delays), delay variation, packet loss, jitter and availability, and application performance management with its focus on the unique VoIP Quality of Experience (QoE) requirements associated with differing business scenarios.

2.2.2 Authentication and Security Features such as IEEE 802.1x and Access Control Lists Are Not Enough

It is important to understand that use of authentication and security features such as IEEE 802.1x and access control lists, while an integral part of an organization's threat defense policies, cannot prevent data link layer attacks such as "man in the middle" attacks using Gratuitous Address Resolution Protocol (GARP) and Dynamic Host Configuration Protocol (DHCP) server spoofing. These attacks exploit normal protocol processing such as a switch's ability to learn Media Access Control (MAC) addresses, end station MAC address resolution via ARP, or DHCP server IP address assignments.

DHCP server spoofing is prevented by defining trusted ports, which can send DHCP requests and acknowledgements, and untrusted ports, which can forward only DHCP requests. The Cisco Catalyst switch, for example, assumes that trusted ports are those that connect to either the DHCP server itself, or switched ports, such as uplinks, that in turn connect the switch to the rest of the network. This
thwarts malicious users acting as a network DHCP server and sending out incorrect addresses under the pretense of being the default gateway, and intercepting data traffic. In addition, by intercepting all DHCP messages within the VLAN, the switch can act much like a small security firewall between users and the DHCP server, building a binding table containing client IP address, client MAC address, port, and VLAN number.

Before an endpoint can talk to another endpoint it must make an ARP request to map the IP address to the MAC address. The most effective way for an attacker to eavesdrop on a connection is to spoof the default gateway by sending a gratuitous ARP reply containing the IP address of the default gateway to other devices on the LAN. The gratuitous ARP packet causes the devices to overwrite the old entry with the new one, effectively making the attacker the new default gateway for those devices. The attacker can use IP forwarding to relay the traffic between the devices and the default gateway without the other devices being aware of what is happening.

GARP attacks can be prevented through Dynamic ARP Inspection (DAI), which helps to ensure that the access switch relays only "valid" ARP requests and responses. DAI inspects all ARPs and compares them to the DHCP binding table. If an ARP does not match the binding table, the port is shut down.
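The DHCP snooping binding table and the DAI check described above, as an added Python simulation (not code from the white paper or from any switch vendor). Port names, MAC addresses, the voice VLAN number and the gateway address are constructed sample values; a host with a static address would need a binding entered by hand before its ARP traffic would pass this check.

```python
"""Simulation of DHCP snooping plus Dynamic ARP Inspection on one access switch.

Added example, not from the white paper or a vendor. It models Section 2.2.2:
(1) server-side DHCP messages (OFFER/ACK) are accepted only on trusted ports and
    each ACK seen there becomes a row in the binding table (IP, MAC, port, VLAN);
(2) every ARP arriving on an untrusted port must match that table, otherwise the
    port is shut down, which is what stops a gratuitous ARP claiming the gateway.
All addresses, port names and VLAN numbers are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding table."""
    ip: str
    mac: str
    port: str
    vlan: int


@dataclass
class DhcpMsg:
    kind: str            # DISCOVER / REQUEST (from client) or OFFER / ACK (from server)
    port: str            # switch port the message arrived on
    vlan: int
    client_mac: str
    yiaddr: str = ""     # address being handed out; only present in OFFER / ACK


@dataclass
class ArpMsg:
    port: str
    vlan: int
    sender_mac: str
    sender_ip: str
    gratuitous: bool = False   # unsolicited reply announcing sender_ip -> sender_mac


class AccessSwitch:
    def __init__(self, trusted_ports: Set[str]) -> None:
        self.trusted = set(trusted_ports)
        self.bindings: Dict[Tuple[int, str], Binding] = {}   # (vlan, ip) -> Binding
        self.pending: Dict[str, str] = {}                     # client MAC -> port of its last request
        self.errdisabled: Set[str] = set()
        self.log: List[str] = []

    def handle_dhcp(self, m: DhcpMsg) -> bool:
        """DHCP snooping. Returns True if the message is forwarded, False if dropped."""
        if m.port in self.errdisabled:
            return False
        if m.kind in ("DISCOVER", "REQUEST"):
            self.pending[m.client_mac] = m.port   # remember which access port asked
            return True
        if m.port not in self.trusted:
            # A server message on an access port means a rogue DHCP server: drop it.
            self.log.append(f"drop rogue DHCP {m.kind} from {m.port}")
            return False
        if m.kind == "ACK":
            client_port = self.pending.get(m.client_mac)
            if client_port is None:
                self.log.append(f"ACK for unknown client {m.client_mac}; no binding made")
                return True
            self.bindings[(m.vlan, m.yiaddr)] = Binding(m.yiaddr, m.client_mac, client_port, m.vlan)
        return True

    def handle_arp(self, a: ArpMsg) -> bool:
        """DAI: relay an ARP only if sender IP/MAC/port/VLAN match a binding."""
        if a.port in self.errdisabled:
            return False
        if a.port in self.trusted:
            return True   # uplink toward the gateway and DHCP server is not inspected
        b = self.bindings.get((a.vlan, a.sender_ip))
        if b is not None and b.mac == a.sender_mac and b.port == a.port:
            return True
        self.errdisabled.add(a.port)   # the page's "ports are shut down"
        kind = "gratuitous ARP" if a.gratuitous else "ARP"
        self.log.append(f"DAI violation: {kind} on {a.port} claims {a.sender_ip} is "
                        f"{a.sender_mac}; port err-disabled")
        return False


def simulate() -> dict:
    """Constructed scenario: one legitimate phone lease, one rogue OFFER, one gateway spoof."""
    sw = AccessSwitch(trusted_ports={"Gi1/0/48"})     # Gi1/0/48 = uplink (constructed name)
    gw_ip, voice_vlan = "10.10.20.1", 20
    phone_mac, other_mac = "00:1b:54:aa:bb:01", "00:0c:29:de:ad:01"

    # 1. Legitimate lease: the phone on Gi1/0/3 asks, the real server answers via the uplink.
    sw.handle_dhcp(DhcpMsg("DISCOVER", "Gi1/0/3", voice_vlan, phone_mac))
    sw.handle_dhcp(DhcpMsg("OFFER", "Gi1/0/48", voice_vlan, phone_mac, "10.10.20.50"))
    sw.handle_dhcp(DhcpMsg("REQUEST", "Gi1/0/3", voice_vlan, phone_mac))
    sw.handle_dhcp(DhcpMsg("ACK", "Gi1/0/48", voice_vlan, phone_mac, "10.10.20.50"))
    # 2. A DHCP OFFER appearing on an access port (rogue server) is dropped.
    rogue_offer = sw.handle_dhcp(DhcpMsg("OFFER", "Gi1/0/5", voice_vlan, phone_mac, "10.10.20.99"))
    # 3. The phone's own ARP matches its binding and is relayed.
    phone_arp = sw.handle_arp(ArpMsg("Gi1/0/3", voice_vlan, phone_mac, "10.10.20.50"))
    # 4. A gratuitous ARP on Gi1/0/5 claiming the gateway address has no binding: port shut.
    spoof = sw.handle_arp(ArpMsg("Gi1/0/5", voice_vlan, other_mac, gw_ip, gratuitous=True))

    return {
        "binding_ports": {b.ip: b.port for b in sw.bindings.values()},
        "rogue_offer_forwarded": rogue_offer,
        "phone_arp_forwarded": phone_arp,
        "spoof_forwarded": spoof,
        "errdisabled": sorted(sw.errdisabled),
        "log": sw.log,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```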
The increasing trend towards the use of softphone clients poses a problem for architectures that rely purely on VLAN separation and access control lists. In these deployments the voice-capable devices are not only on the phone VLAN but also on the data VLAN, since the soft clients are applications that operate on a user's desktop. With the increased adoption of unified communications applications such as presence and instant messaging this trend is likely to grow. The impact of the soft client is that it becomes difficult to distinguish between a genuine desktop that has a legitimate voice soft client and a rogue device. Access control lists are stateless and can only filter IP addresses and ports. IP voice protocols, such as SIP, negotiate the port to be used in a voice call from a wide range of ports (16384 to 32767 for audio). Access control lists must open up this entire range, as it is impossible for the access control list to predict which ports will be used, resulting in a range of exposed ports that attackers can use for reconnaissance. To mitigate this threat, a new generation of proxy devices, often integrated with unified communications-aware firewalls, is providing services for secure VLAN traversal for soft clients. Often enforcing device authentication to protect the call control infrastructure from rogue endpoints and then manipulating the signaling to force the media through a trusted device in the network, these proxy services can enable enterprises to build securely upon their existing VLAN- and ACL-based architectures. The Cisco Adaptive Security Appliance 5500 Series (ASA), for example, has been enhanced to support this functionality.
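An added example, not code from the white paper or from Cisco, contrasting the stateless ACL problem described here with the signaling-aware pinhole that a UC-aware firewall opens from the port negotiated in the SDP and closes on BYE; it also applies the protocol conformance check that Section 2.2.5 describes, by refusing an offer whose media port lies outside the policy range. The SIP messages, addresses and Call-ID are constructed, and the parser reads only the fields it needs.

```python
"""Stateless ACL versus SIP-aware media pinholes (added example, not from the page).

StaticAcl is what Section 2.2.2 warns about: it has to permit the whole audio
range 16384-32767 all the time. UcAwareFirewall reads the SDP carried in the
INVITE and 200 OK, opens one pinhole per media leg, rejects a non-conforming
offer, and closes the pinholes when the BYE for that Call-ID arrives.
"""
import re
from typing import Dict, Set, Tuple

RTP_RANGE = range(16384, 32768)   # audio port range cited in Section 2.2.2


def parse_sip(raw: str) -> dict:
    """Minimal SIP parser: start line, headers, and the SDP c=/m=audio lines."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    msg = {"start": lines[0], "headers": headers, "media_ip": None, "media_port": None}
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            msg["media_ip"] = line.split()[2]
        m = re.match(r"m=audio (\d+) RTP/S?AVP", line)
        if m:
            msg["media_port"] = int(m.group(1))
    return msg


class StaticAcl:
    """Stateless ACL: cannot know the negotiated port, so it permits the whole range."""
    def allows(self, dst_port: int) -> bool:
        return dst_port in RTP_RANGE

    def exposed_ports(self) -> int:
        return len(RTP_RANGE)


class UcAwareFirewall:
    """Opens a pinhole per call leg from the SDP and closes it on BYE."""
    def __init__(self) -> None:
        self.pinholes: Dict[str, Set[Tuple[str, int]]] = {}   # Call-ID -> {(ip, port)}

    def on_signaling(self, raw: str) -> Tuple[str, int]:
        msg = parse_sip(raw)
        call_id = msg["headers"].get("call-id", "")
        if msg["start"].startswith("BYE "):
            return ("closed", len(self.pinholes.pop(call_id, set())))
        if msg["media_ip"] and msg["media_port"]:
            if msg["media_port"] not in RTP_RANGE:
                return ("rejected", 0)   # protocol conformance: media port outside policy
            self.pinholes.setdefault(call_id, set()).add((msg["media_ip"], msg["media_port"]))
            return ("opened", 1)
        return ("ignored", 0)

    def allows(self, dst_ip: str, dst_port: int) -> bool:
        return any((dst_ip, dst_port) in holes for holes in self.pinholes.values())

    def exposed_ports(self) -> int:
        return sum(len(holes) for holes in self.pinholes.values())


def compare() -> dict:
    """Constructed call between two phones; returns what each control exposes and permits."""
    cid = "a84b4c76e66710@10.10.20.50"   # constructed Call-ID
    invite = ("INVITE sip:5051@10.10.20.51 SIP/2.0\r\n"
              f"Call-ID: {cid}\r\nContent-Type: application/sdp\r\n\r\n"
              "v=0\r\nc=IN IP4 10.10.20.50\r\nm=audio 20000 RTP/AVP 0\r\n")
    ok = ("SIP/2.0 200 OK\r\n"
          f"Call-ID: {cid}\r\nContent-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 10.10.20.51\r\nm=audio 24000 RTP/AVP 0\r\n")
    bye = f"BYE sip:5051@10.10.20.51 SIP/2.0\r\nCall-ID: {cid}\r\n\r\n"
    # Non-conforming offer: media port 5060 is outside the audio range.
    bad = ("INVITE sip:5052@10.10.20.52 SIP/2.0\r\nCall-ID: bad-call-1\r\n\r\n"
           "v=0\r\nc=IN IP4 10.10.20.50\r\nm=audio 5060 RTP/AVP 0\r\n")

    acl, fw = StaticAcl(), UcAwareFirewall()
    events = [fw.on_signaling(invite), fw.on_signaling(ok)]
    result = {
        "static_exposed": acl.exposed_ports(),            # 16384 ports, call or no call
        "static_allows_idle_port": acl.allows(25000),     # true even with no call in progress
        "events": events,
        "in_call_exposed": fw.exposed_ports(),            # one pinhole per media leg
        "in_call_allows_negotiated": fw.allows("10.10.20.50", 20000),
        "in_call_allows_other": fw.allows("10.10.20.50", 25000),
        "bad_offer": fw.on_signaling(bad),
    }
    result["after_bye"] = fw.on_signaling(bye)
    result["after_bye_exposed"] = fw.exposed_ports()
    return result


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```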
2.2.3 Protect the Application Platform with Secure Management Best Practices

- Protect the integrity of management systems. Segregate management traffic on its own VLAN.
- Use a multi-level administration permissions construct. Organizations must define administrators' roles and restrict the functions they can use. Read-only privileges are assigned to most administrators, reserving read-write privileges for a few trusted individuals.
- Validate administrators and their permissions prior to allowing them management access to voice applications. Require administrators to log in at a physical interface different from the call processing interface, and one that is not accessible to most people. Administrators are allowed access to the management interface only after being authenticated and authorized for the task. Centrally administered strong passwords are needed here.
- Encrypt management traffic to prevent interception or eavesdropping. Use IP Security (IPsec) or Secure Shell (SSH) for all remote management and auditing access. If practical, avoid using remote management at all and perform IP PBX access from a physically secure system.
- Maintain detailed audit trails by logging security alerts, errors, traffic monitoring, etc. With system event logging, administrators are aware of and able to quickly respond to issues that could compromise network integrity or user security.
- Harden operating systems. Once UC security is established you must be ever vigilant to deploy only those features in your UC products that are consistent with your UC security policy. Workstations, servers, and desktop IP phones typically arrive from the vendor installed with a multitude of development tools and utilities, which, although beneficial to the new user, also provide potential back door access to an organization's systems. Therefore, remove all non-essential tools, utilities, and other systems administration options, any of which could be used to ease a hacker's path to your systems. This action enforces the policy that only authorized people can access and change information pertaining to the UC system. Then ensure that: (1) all appropriate security features are activated and configured correctly, and (2) patch management systems routinely pass out anti-X software and operating system updates.
2.2.4 Virtual Private Networks (VPNs) Provide a Secure Pathway for Communication with Remote Workers

VPNs have a built-in encryption feature that enables secure connectivity with branch offices and business partners that are unreachable by private networks. Even road warriors can log in to the VPN from their PCs. VPNs create logical tunnels between two endpoints that allow data to be securely transmitted between the nodes. An encrypted VPN tunnel provides network, data, and addressing privacy by scrambling data so that only the designated parties understand it. This secures the identities of both endpoints and protects the VoIP traffic flowing across different network components on the corporate LAN as if it were on a private network. Voice- and video-enabled VPN technology, available in many routers and security appliances, encrypts voice as well as data traffic using IPsec or AES. Encryption is performed in hardware so that firewall performance is not affected.

The IPsec ESP (Encapsulating Security Payload protocol) tunnel is a specific kind of VPN used to traverse the Internet in a private manner. IPsec is the standard encryption suite for the Internet Protocol and will be fully supported in IPv6. In ESP Tunnel Mode, IPsec protects both the data and the identities of the endpoints. While providing strong security, IPsec does require significant effort to support dedicated clients on each machine authorized to connect remotely to the network. For this reason, it has become increasingly common for IPsec to be used to protect voice traffic between enterprise sites as part of a site-to-site VPN, while SSL has become more common for remote access VPN requirements. In addition,
with IPsec, making structural changes, adding new locations, or connecting with additional networks involves a fair amount of configuration work, as each router must be configured to understand all the other routers in the network. This can be a significant maintenance headache if there are many locations involved. As a result of this administrative burden, some vendors have adapted IPsec VPN architectures to enable remote sites to dynamically query and build new site-to-site connections without requiring each site to be preconfigured with a list of all the other potential peers in the network. This scalability and manageability enhancement also allows enterprises to build a more flexible encryption architecture. In addition, moving from hub-and-spoke topologies to more direct, spoke-to-spoke designs provides a more suitable platform for voice services with minimized latency and jitter.

SSL (Secure Socket Layer) tunnel VPNs, once viewed as a complement to the IPsec VPN, have evolved into a direct competitor, as they provide simplified deployment for remote access VPN. As originally conceived, this type of SSL VPN allowed a user to use a typical Web browser to securely access multiple network services through a tunnel running under SSL. The SSL VPN is, today, the most appropriate application layer VPN technology. SSL VPNs provide clientless access on a per-application basis that enables the granular security needed to support business productivity by restricting application access to only those with a true need for access. Moreover, starting with a browser session, WAN managers/administrators may offer access choices ranging from completely portable clientless connections, through thin-client managed sessions with downloadable security features and application-specific services, to full network connectivity (including routing) that emulates traditional tunnel VPNs, such as IPsec. The browser can be eliminated through the use of a manually installed client, while maintaining connectivity benefits. Additional SSL, User Datagram Protocol (UDP), and IPsec tunnels, acting as network layer VPNs, can be opened dynamically, as needed, to improve QoS for performance-sensitive applications, such as VoIP.

VPN is not the only option for providing confidentiality to IP voice streams. Access Edge gateways can encrypt Session Initiation Protocol (SIP) call signaling traffic to protect against eavesdropping and support server authentication for remote users and federated[7] sites. This is typically achieved through Transport Layer Security (TLS) encryption for signaling messages and Secure Real-Time Protocol (SRTP) for protecting the voice media. Access Edge gateways and voice-aware firewalls can also perform filtering tasks, such as blocking traffic from untrusted addresses.

More likely than not, enterprises will be federating across different vendors' UC environments in order to leverage UC-enabled business process productivity enhancements across their supply chain, hopefully with well thought out security solutions. If not done well, sensitive information sent over the public Internet will make an easy target for the ever-growing hacker threat. The sidebar overviews Cisco's Adaptive Security Appliance (ASA) 5500 Series features which support secure federated presence.

[7] Trusted remote OCS sites (called "federated" sites) that connect over the Internet have access edge servers in their perimeter networks to enable secure call control and voice and video transmission across an organization's firewall.
Sidebar: Cisco UC Perimeter Security Services

The Cisco ASA 5500 Series Adaptive Security Appliance is a high-performance, multifunction security appliance family delivering converged firewall with application layer and protocol-aware inspection services, IPS, network anti-X and URL filtering, SSL/IPsec VPN services, encrypted traffic inspection, presence federation and both remote worker hard phone and mobile phone proxy services. The ASA is a key component of the Cisco Self-Defending Network. Among its differentiating features are:

- ASA provides security and inspection capability for Cisco applications (Presence, Unity, MeetingPlace) and third-party applications like Microsoft OCS. Any Cisco UC communications encrypted with SRTP/TLS can be inspected by Cisco ASA 5500 Adaptive Security Appliances:
  o Maintains integrity and confidentiality of the call while enforcing security policy through advanced SIP/SCCP firewall services
  o TLS signaling is terminated and inspected, then re-encrypted for connection to the destination (leveraging integrated hardware encryption services for scalable performance)
  o A dynamic port is opened for the SRTP encrypted media stream, and automatically closed when the call ends
- ASA enables inter-enterprise presence communications between Cisco and Microsoft presence servers and endpoints.
- ASA phone proxy is a teleworker solution that terminates SRTP/TLS encrypted remote endpoints, offering the benefit of secure remote access without the need for a router at the remote worker's site. Within the enterprise, the ASA phone proxy can be used for voice/data VLAN traversal in the following manner:
  o All communication originating from soft clients must be proxied
  o Soft client communication is restricted to a specific VLAN on the ASA
  o Cisco ASA performs inspection on traffic and opens the media port dynamically for soft clients
- As a mobility proxy, the ASA terminates TLS signaling from Cisco Unified Mobile Communicator to the Cisco Unified Mobility server and enforces security policies. The ASA is a mandatory component of Cisco's mobility architecture and replaces Cisco Mobility Proxy.
2.2.5FirewallsandIntrusionDetection/PreventionSystems
VoIPready
firewalls
are
essential
components
in
the
VoIP
network
and
should
be
used
along
with
stateoftheartintrusiondetectionandpreventionsystems.
Firewallsworkbyblockingtrafficdeemedtobeinvasive,intrusive,orjustplainmaliciousfromflowing
throughthem.Theyprovideacentrallocationfordeployingsecuritypolicies,andwhenproperly
deployedinsurethatnotrafficcanenterorexittheLANwithoutfirstbeingfilteredbythefirewall.An
advancedfirewallwithstatefulpacketfilteringkeepstrackofthestateofnetworkconnections(such
asTransportControlProtocol(TCP)streamsandUDPcommunicationtravellingacrossit.)Thefirewallis
programmedtodistinguishbetweenlegitimatepacketsfordifferenttypesofconnections.Onlypackets
matchingaknownconnectionstatewillbeallowedbythefirewall;otherswillberejected.Stateful
filteringcangrantordenynetworkaccessbasedontimeofday,application,IPaddress,portrangeand
otherattributes.
Observing
normal
traffic
patterns
and
then
applying
appropriate
rules
can
set
Media
andsignalratelimits.
If possible, a firewall with application filtering should be utilized. Application filtering is an extension to stateful packet inspection. Whereas stateful packet inspection can determine what type of protocol is being sent over each port, application-level filters look at what a protocol is being used for. Application-layer firewalls support multiple application proxies on a single firewall. The proxies sit between the client and server, passing data between the two endpoints. Suspicious data is dropped and the client and server never communicate directly with each other. Because application-level proxies are application-aware, the proxies can more easily handle complex protocols like H.323 and SIP, which are used for VoIP and video conferencing. Often, by deploying protocol conformance in unified communications-aware firewalls, enterprises can mitigate many of the vulnerabilities posted against the leading call control platforms. This is because the vulnerabilities are often exploited by sending malformed packets that can adversely impact the call control system. By applying a rigorous protocol conformance policy, these malformed packets can be filtered within the network rather than being dealt with by the target machine.
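As an added illustration of the protocol conformance check an application-aware proxy performs (this is not the paper's code nor any product's implementation), the Python below parses a SIP request and refuses to forward it when it breaks the structural rules of RFC 3261: a malformed request line, a missing mandatory header, a Content-Length that does not match the body, or a CSeq that disagrees with the method. The line-length limit and the permitted method list are assumed policy settings, and the sample messages are constructed for the example.

```python
"""SIP protocol conformance filter (added example, not the paper's code)."""
import re

MANDATORY_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")  # RFC 3261
ALLOWED_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}   # assumed policy
MAX_LINE_LEN = 1024                                                           # assumed policy
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")


def parse_sip(raw: bytes):
    """Return ((method, uri), headers, body) or raise ValueError on a structural fault."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in message")
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        raise ValueError("missing end-of-headers CRLFCRLF")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_LINE_LEN:
            raise ValueError("header line exceeds %d bytes" % MAX_LINE_LEN)
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return m.groups(), headers, body.encode("ascii")


def check_conformance(raw: bytes):
    """Return (ok, reason); ok is True only when the message may be forwarded."""
    try:
        (method, uri), headers, body = parse_sip(raw)
    except ValueError as e:
        return False, str(e)
    if method not in ALLOWED_METHODS:
        return False, "method %s not permitted by policy" % method
    missing = [h for h in MANDATORY_HEADERS if h not in headers]
    if missing:
        return False, "missing mandatory header(s): " + ", ".join(missing)
    cl = headers.get("content-length")
    if cl and (not cl[0].isdigit() or int(cl[0]) != len(body)):
        return False, "Content-Length does not match body"
    cseq = headers["cseq"][0].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != method:
        return False, "CSeq does not match request method"
    if not headers["max-forwards"][0].isdigit():
        return False, "Max-Forwards is not numeric"
    return True, "conformant"


# Constructed sample messages
def _build(headers, body=b""):
    return b"\r\n".join([b"INVITE sip:bob@example.com SIP/2.0"] + headers) + b"\r\n\r\n" + body


BASE = [b"Via: SIP/2.0/UDP 10.0.1.5:5060;branch=z9hG4bK776asdhds",
        b"Max-Forwards: 70",
        b"To: Bob <sip:bob@example.com>",
        b"From: Alice <sip:alice@example.com>;tag=1928301774",
        b"Call-ID: a84b4c76e66710@10.0.1.5",
        b"CSeq: 314159 INVITE"]

SAMPLES = {
    "good":       _build(BASE + [b"Content-Length: 0"]),
    "missing":    _build(BASE[1:4] + BASE[5:]),                  # no Via, no Call-ID
    "bad_length": _build(BASE + [b"Content-Length: 999"], b"v=0\r\n"),
    "oversized":  _build(BASE + [b"X-Pad: " + b"A" * 2000]),
    "bad_cseq":   _build(BASE[:5] + [b"CSeq: 314159 BYE"]),
}


def demo():
    """Conformance verdict for each constructed sample."""
    return {name: check_conformance(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Only the first sample passes; each of the others is rejected in the network with a reason that can be logged, which is the point of the paragraph above: the call control platform never has to parse the malformed message.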
Core network layer protection includes Intrusion Detection and Prevention Systems (IDS/IPS) technologies, which complement firewalls by establishing sensors running on independent hardware platforms throughout the network. These sensors monitor traffic for unwarranted behavior or traffic patterns, and respond accordingly based on pre-established rules. Malicious traffic is identified through comparison against typical traffic behavior associated with a list of known attacks. Based on network intelligence, you can adjust and tune the number and types of checks performed on specific network segments or assets. Network Intrusion Prevention differs from firewalls in that it uses a list of known signatures to identify attempts to exploit known vulnerabilities. In contrast, firewalls apply policy which controls access and selectively applies security services.
Host IDS/IPS technologies serve a similar purpose as their network counterparts, but reside as software on a host machine (server or client) present within the network. The ever-growing mobile workforce, continuing increase in the number of attack vectors targeting the actual host machine, and growth in deployment of SSL VPN solutions in many organizations are driving adoption of host-based products.
Traditional network-based products, for example, cannot decrypt the traffic on the line and the potential for certain attacks is passed to the host directly. Currently, customers are expanding deployment scenarios to include all mission-critical application and data servers, wireless access points, VPN access points, and remote machines. Additionally, there are many compliance issues that can only be measured by an agent on the host deploying predefined and customized behavior-based protections.
Since a Host IPS (HIPS) security agent intercepts all requests to the system it protects, it has certain prerequisites: it must be very reliable, must not negatively impact performance, must not block legitimate traffic and should be centrally managed for efficient reporting and auditing of activities. Host IDS/IPS technology also includes file integrity, DDoS protection, authentication and OS hardening.
As an example of the offerings in this competitive area we take a brief look at the Cisco Security Agent (CSA), which uses behavioral anomaly detection to provide powerful endpoint protection against day-zero threats. CSA uses no signatures, reducing the pressure to update systems, while keeping the host covered during the shrinking vulnerability window. CSA's key features are:
• Zero-update protection based on operating system and application behavior
• Control of content after decryption or before encryption (e.g., SSL, IPsec)
• Access control for I/O devices based on process, network location and file content
• Centralized management and monitoring of events
• Self-Defending Network interaction with such solutions as ASA, Network Access Control, IPS, QoS, Monitoring, Analysis, and Response Systems, etc.
2.2.6 Use VoIP network encryption
Firewalls, gateways, and other such devices can help keep intruders from compromising a network. But unless the VoIP network is encrypted, anyone with physical access to the office LAN could potentially tap into telephone conversations [8]. Moreover, firewalls, gateways and such don't protect voice packets traversing the Internet. Encryption at the protocol level is necessary to defeat eavesdropping attacks. Transport Layer Security (TLS) and IPsec are two main encryption methods. Both protocols aim to keep unauthorized parties from interfering with or listening to calls, and they are almost impossible to manipulate externally.
To install multiple encryption layers, use Secure Real-Time Protocol (SRTP) at the communications layer for media encryption and TLS for signaling. Encrypting the actual content of communications between users (media encryption) prevents eavesdropping into private matters, whether the communication is voice, video or IM. Signaling encryption prevents illicit monitoring or tampering with the signaling that directs network operations, such as call setup and routing, service performance, event recording, billing, etc. Nonetheless, if you use encryption it is imperative to have in place a solution that terminates and inspects UC communications encrypted with SRTP/TLS, then re-encrypts the media and signaling for connection to its destination. Without such inspection, malicious traffic could enter the organization.
[8] You might not need traffic encrypted at the LAN, but you certainly will want to encrypt it at the router as it traverses the WAN. Seriously consider security solutions that offer the flexibility to have either encryption off the handset or encryption in bulk over the WAN links.
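To make concrete what SRTP media encryption adds over plain RTP, here is an added Python illustration (not the paper's code and not a standards-conformant SRTP implementation) of the packet structure: the RTP header stays in the clear so routers and QoS still work, the payload is encrypted under a keystream, an 80-bit authentication tag over header and payload is appended, and the receiver keeps a replay window. To stay offline and standard-library-only, the keystream is HMAC-SHA256 in counter mode standing in for AES-CTR, the tag is truncated HMAC-SHA1 (the RFC 3711 default size), and the rollover counter is omitted so the packet index is just the 16-bit sequence number. Keys, SSRC and payloads are constructed for the example.

```python
"""SRTP-style protection of RTP packets (added example, not the paper's code)."""
import hmac
import hashlib
import struct

TAG_LEN = 10      # 80-bit authentication tag
WINDOW = 64       # replay window size in packets


def _keystream(key: bytes, ssrc: int, index: int, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stand-in for AES-CTR in real SRTP."""
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">IIQ", ssrc, index, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def protect(enc_key, auth_key, seq, ssrc, payload):
    """Build one protected packet: clear RTP header + encrypted payload + auth tag."""
    header = struct.pack(">BBHII", 0x80, 0, seq, 0, ssrc)   # V=2, PT=0, timestamp 0 (assumed)
    ks = _keystream(enc_key, ssrc, seq, len(payload))
    enc = bytes(a ^ b for a, b in zip(payload, ks))
    tag = hmac.new(auth_key, header + enc, hashlib.sha1).digest()[:TAG_LEN]
    return header + enc + tag


class Receiver:
    def __init__(self, enc_key, auth_key):
        self.enc_key, self.auth_key = enc_key, auth_key
        self.highest = -1     # highest sequence number accepted so far
        self.seen = set()     # accepted sequence numbers inside the window

    def unprotect(self, pkt):
        """Return (status, payload); status is 'ok', 'bad-auth' or 'replay'."""
        if len(pkt) < 12 + TAG_LEN:
            return "bad-auth", None
        header, enc, tag = pkt[:12], pkt[12:-TAG_LEN], pkt[-TAG_LEN:]
        expected = hmac.new(self.auth_key, header + enc, hashlib.sha1).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad-auth", None            # authenticate before touching anything else
        seq = struct.unpack(">H", header[2:4])[0]
        ssrc = struct.unpack(">I", header[8:12])[0]
        if seq in self.seen or seq <= self.highest - WINDOW:
            return "replay", None              # already accepted, or fell out of the window
        ks = _keystream(self.enc_key, ssrc, seq, len(enc))
        payload = bytes(a ^ b for a, b in zip(enc, ks))
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - WINDOW}
        return "ok", payload


def demo():
    """Normal delivery, a replayed packet and a tampered packet (all constructed)."""
    enc_key, auth_key = b"e" * 16, b"a" * 20       # constructed; real deployments derive keys
    rx = Receiver(enc_key, auth_key)
    ssrc = 0xDEADBEEF
    p1 = protect(enc_key, auth_key, 100, ssrc, b"hello")
    p2 = protect(enc_key, auth_key, 101, ssrc, b"world")
    tampered = p2[:12] + bytes([p2[12] ^ 0x01]) + p2[13:]   # flip one ciphertext bit
    return [rx.unprotect(p1), rx.unprotect(p2), rx.unprotect(p1), rx.unprotect(tampered)]


if __name__ == "__main__":
    print(demo())
```

The order of checks in the receiver is the security-relevant detail: authentication first, then replay, then decryption, so a forged or replayed packet is discarded before any of its content is acted on.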
Authentication and encryption without inspection can give a false sense of security. Such inspection is particularly valuable in a contact center where you require encrypted calling between the service representative and the customer, but you want to allow supervisory intercept for quality control purposes.
Gateways and switches should use IPsec or SSH instead of other clear-text protocols as the remote access protocol. If a web-based interface is provided, Secure HyperText Transport Protocol (HTTPS) should replace HTTP. If practical, avoid using remote management at all and do IP PBX access from a physically secure system.
Voice over Wireless LAN (VoWLAN) traffic may be secured with the same techniques used to protect wireless data traffic. The Wi-Fi Protected Access program version 2 (WPA2) and IEEE standard 802.11i both support the Advanced Encryption Standard (AES), which provides U.S. government-level protection. With encryption key sizes of up to 256 bits, AES is considered extremely secure.
2.2.7 Maintain Adequate Physical Security and Power Backup
Even if encryption is used, physical access to UC servers and gateways may allow an attacker to perform traffic analysis or compromise systems. Adequate physical security should be in place to restrict access to UC components. Physical security measures, including barriers, locks, access control systems, and guards, are the first line of defense. You must make sure that the proper countermeasures are in place to mitigate the biggest risks, such as insertion of sniffers or other network monitoring devices. Installation of a sniffer could result in not just data, but all voice communications being intercepted.
In addition, allow for sufficient power backup and the ability to roll over your voice calls to the PSTN should your IP WAN experience an outage.
2.2.8 Use Network Access/Admission Control (NAC)
According to Wikipedia, Network Access (or Admission) Control is an approach to computer network security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement.
Network Computing (NWC) [9] identifies five technology functions that are accepted and expected as part of a NAC product, based on interviews with 303 NWC readers directly involved in deploying or evaluating network access control, and reviews of vendor collateral:
1. Pre-connect host posture assessment
2. Host quarantine and remediation
3. Network access control based on user identity
4. Network resource control based on identity and policy
5. Ongoing threat analysis and containment.
[9] NAC Vendors Square Off, Network Computing Magazine, July 6, 2006, pp. 55-64, http://i.cmpnet.com/nc/1713/graphics/1713f3_file.pdf
Most individuals surveyed were focused on two main pain points: identifying and policing user access to the network, and eliminating threats brought onto the network by infected hosts. These pain points reflect the fact that many organizations have issues with non-corporate assets connecting to their network, such as employee-owned devices or devices brought in by guests and visitors. Discovering when these devices connect to the network and limiting their access based on corporate policy is an ongoing challenge. These devices are typically not managed by central IT patch management tools.
The bottom line is that while establishing responsible computing guidelines, requiring user authentication, and passing out antivirus software and operating system updates through patch management systems are necessary security steps, they are not sufficient. The added step of using the network to enforce policies ensures that incoming devices are compliant. Those judged to be vulnerable and non-compliant are quarantined or given limited access until they reach compliance. Depending on vendor, NAC policies can permit, deny, prioritize, rate limit, tag, redirect, and audit network traffic based on user identity, time and location, device type, and other environmental variables.
Regulatory compliance is a key driver in NAC demand according to Network Computing's research. Their survey shows that 96 percent of respondents indicated they are governed by at least one government or industry regulation, and many CEOs and CTOs are mandating the deployment of NAC. Solutions that couple with identity management greatly improve accountability.
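The admission logic this section describes, pre-connect posture assessment feeding a decision that is enforced by the network, can be sketched in a few dozen lines. The Python below is an added example, not the paper's code and not any NAC product's policy language: it combines posture (antivirus, host IPS, patches), user identity and context (device type, location, hour) into one of the actions the section names, permit, quarantine for remediation, limited access, or deny, and produces an audit record. The thresholds, VLAN names and sample endpoints are all constructed.

```python
"""NAC admission decision engine (added example, not the paper's code)."""
from dataclasses import dataclass

MAX_SIG_AGE_DAYS = 7           # assumed policy value
BUSINESS_HOURS = range(6, 22)  # assumed window for remote (VPN) access


@dataclass
class Endpoint:
    host: str
    user: str                   # authenticated identity, "" if authentication failed
    role: str                   # "employee", "contractor" or "guest"
    device_type: str            # "corporate-laptop", "byod-phone", "ip-phone", ...
    managed: bool               # under central IT patch management
    av_running: bool
    av_sig_age_days: int
    hips_running: bool
    missing_critical_patches: int
    location: str               # "hq", "branch" or "vpn"
    hour: int                   # local hour of day


def posture_gaps(ep):
    """Pre-connect posture assessment: compliance failures, empty list if compliant."""
    gaps = []
    if not ep.av_running:
        gaps.append("antivirus not running")
    elif ep.av_sig_age_days > MAX_SIG_AGE_DAYS:
        gaps.append("antivirus signatures older than %d days" % MAX_SIG_AGE_DAYS)
    if not ep.hips_running:
        gaps.append("host IPS agent not running")
    if ep.missing_critical_patches:
        gaps.append("%d critical patch(es) missing" % ep.missing_critical_patches)
    return gaps


def _decision(action, vlan, reasons, ep):
    audit = "host=%s user=%s device=%s action=%s vlan=%s reasons=%s" % (
        ep.host, ep.user or "-", ep.device_type, action, vlan, "; ".join(reasons))
    return {"action": action, "vlan": vlan, "reasons": reasons, "audit": audit}


def admission_decision(ep):
    """Network enforcement decision for one connecting endpoint."""
    if not ep.user:
        return _decision("deny", None, ["authentication failed"], ep)
    if ep.device_type == "ip-phone":
        # Phones cannot run a posture agent: identity and device type decide,
        # and the phone is confined to the voice VLAN.
        return _decision("permit", "vlan-voice", ["IP phone, voice VLAN only"], ep)
    gaps = posture_gaps(ep)
    if ep.role == "guest" or not ep.managed:
        # Unmanaged or visitor devices get Internet-only access whatever their posture.
        return _decision("limited", "vlan-guest", ["unmanaged device"] + gaps, ep)
    if gaps:
        # Managed but non-compliant: quarantine until remediation completes.
        return _decision("quarantine", "vlan-remediation", gaps, ep)
    if ep.location == "vpn" and ep.hour not in BUSINESS_HOURS:
        return _decision("limited", "vlan-vpn-restricted", ["after-hours remote access"], ep)
    return _decision("permit", "vlan-data", ["compliant"], ep)


def demo():
    """Decisions for a set of constructed endpoints."""
    endpoints = [
        Endpoint("lt-0141", "alice", "employee", "corporate-laptop", True, True, 2, True, 0, "hq", 10),
        Endpoint("lt-0152", "bob", "employee", "corporate-laptop", True, True, 1, False, 2, "branch", 14),
        Endpoint("phone-x", "carol", "guest", "byod-phone", False, True, 30, False, 0, "hq", 11),
        Endpoint("sep-7961", "phone01", "employee", "ip-phone", False, False, 0, False, 0, "hq", 9),
        Endpoint("unknown", "", "guest", "byod-laptop", False, False, 0, False, 0, "hq", 12),
        Endpoint("lt-0199", "dave", "contractor", "corporate-laptop", True, True, 3, True, 0, "vpn", 2),
    ]
    return [admission_decision(e) for e in endpoints]


if __name__ == "__main__":
    for d in demo():
        print(d["audit"])
```

Two design points match the section's argument: a device that cannot run an agent (the IP phone) is still admitted on identity and device type but confined to its own VLAN, and a managed laptop that fails posture is quarantined with the specific gaps recorded, which is what lets a remediation workflow act on the result.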
3. Summary of UC Security Best Practices
The drive for business agility is spurring companies of all sizes to adopt unified communications as a primary vector for enhanced communication and collaboration capabilities among remotely located and mobile employees, their supply chain and partner ecosystem, and with customers. These benefits, however, do not come without risks. Introduction of an IP-based UC communications and collaboration solution introduces an array of new vulnerabilities into the enterprise, and a growing number of malicious programs are exploiting these weaknesses.
The good news is that VoIP and IM are applications running on an IP network, and all of the security technologies and policies that companies have deployed for their data networks can be tuned to emulate the security level currently enjoyed by PSTN users of POTS. In many cases, even if a concerted effort to deploy data network security has not been implemented, the technology likely already exists in your network if you've recently purchased a switch or router.
The key to securing the UC network requires considering voice, data, and video communications as a system and implementing a multi-layered, uniformly applied defense construct for the system infrastructure, call management, applications, and endpoints. The solution should be layered, with multiple controls and protections at multiple network levels. This minimizes the possibility that a single point of failure could compromise overall security. If a primary security layer is breached, other defensive barriers are available to deter the attack.
In summary, best practices entail:
• Treat the development of a UC security program as a collaborative cross-organizational project. Involve your carrier and an outside security consultant if necessary. Bottom line, plan the work and work the plan. The first step is to perform a security assessment. Assessments identify security gaps so they can be managed effectively. Any actionable risk assessment needs five key factors considered: a comprehensive list of threats, the interdependencies between the threats, the feasibility of each of the threats, the quantitative impact of each threat, and finally a prioritization of mitigation actions for each of the potential threats. You must feel confident that you can acceptably manage and mitigate the risks to your corporate information, system operations, and continuity of essential operations when deploying UC systems.
• And remember, there is no one size fits all. Companies should examine UC security from a business perspective by defining goals, policies, and patterns of usage at the start across all applications: data, VoIP, IM and presence, Web, and audio/video conferencing. Security policies for all media streams need to be aligned, and compliance with applicable laws and regulations must be properly implemented and properly balanced against business risks. Only then can costs be reconciled with benefits. In fact, taking a network-centric approach will lead to improved manageability and deployment through reduced complexity and more efficient troubleshooting, which all lead to lower total cost of ownership. The flexibility of this approach will simplify migration over time to richer security implementations, if required by legal/regulatory requirements, change in risk appetite, or growing sophistication and maliciousness of hacker attacks.
Balancing Security Solution Cost against Risk of Security Breach

Columns (low to high): Area of Protection; Low Security Cost & Risk; Medium Security Cost & Risk; High Security Cost & Risk.

Infrastructure: Separate voice/data VLANs; Basic network layer ACLs; Traffic prioritized with QoS on the network; Stateful inspection firewalls; Network rate limiting (switch/router/firewall); IDS monitoring; Dynamic ARP inspection; DHCP snooping; Application-aware firewall with TLS proxy for inspection of encrypted traffic; 802.1x for all endpoints; NAC with hosted IPS; IPS monitoring & prevention; Scavenger class (less than best effort) queuing for anomalous, peer-to-peer & entertainment traffic; Centralized network admin for authentication & authorization.

Call Management: Approved antivirus; Patches; Strong admin credential policy; Standalone HIPS security agent; Multilevel admin; Managed HIPS security agent; TLS signaling & SRTP media encryption; Advanced OS hardening; IPsec/TLS & SRTP gateways.

Applications (includes toll fraud): Approved antivirus; Patches; Strong admin credential policy; Conference call drop with initiator's departure; Standalone HIPS security agent; Forced account codes; Dialing filters; Managed HIPS security agent; IPsec/TLS & SRTP to apps.

Endpoints: Disable gratuitous ARP on phones; Signed firmware & configurations; Disable PC voice VLAN access; X.509 certificates in IP phones; SSL VPN for remote access softphones; Phone proxy for remote IP phones; TLS signaling & SRTP media encryption; Encrypted configuration files; Managed HIPS security agent (softphone).
• Assign voice and data on logically separate networks (VLANs) due to their different QoS and security requirements. Make sure your Ethernet switches are equipped with 802.1p prioritization so they can identify and prioritize traffic based on VLAN tags and support multiple queues.
• Protect the integrity of management systems. Segregate management traffic on its own VLAN. Use encryption, administrator access control, and activity logging.
• Use VPNs to provide a secure pathway for communication with remote workers. A VPN's built-in encryption feature enables secure connectivity with branch offices and business partners that are unreachable by private networks. Voice and video enabled VPN (V3PN) technology, available in many routers and security appliances, encrypts voice as well as data traffic using IPsec or AES. Encryption is performed in hardware so that firewall performance is not affected.
• Implement VoIP-ready firewalls capable of handling the latency-sensitive needs of voice traffic. Such firewalls provide rich granular controls, protocol conformance checking, protocol state tracking, security checks, and NAT services. These are essential components in the VoIP network. If possible, a firewall with application filtering should be utilized. Application filtering is an extension to stateful packet inspection. Whereas stateful packet inspection can determine what type of protocol is being sent over each port, application-level filters look at what a protocol is being used for. In addition, state-of-the-art intrusion detection and prevention systems should also be installed.
• Use VoIP network encryption. TLS and IPsec are two main encryption methods. Make sure your firewall can provide for the inspection of encrypted voice traffic.
• Apply adequate physical security to restrict access to VoIP components. Even if encryption is used, physical access to VoIP servers and gateways may allow an attacker to do traffic analysis or compromise the systems. Physical security measures, including barriers, locks, access control systems, and guards are the first line of defense. In addition, allow for sufficient power backup and the ability to roll over your voice calls to the PSTN should your IP WAN experience an outage.
• Implement Network Access (or Admission) Control in order to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement so that network access is contingent on compliance with established security policies.
• Train everyone in the enterprise on their responsibility for executing enterprise risk management in accordance with established directives and protocols.
Pictorially your secure UC infrastructure will look like this.
[Figure: Secure UC Solution. Sites shown: Headquarters, Regional Office, Branch Office, Telecommuter and Road Warrior, connected over the IP WAN and the Internet through Router/GW and Call Mgmt elements. Controls labeled: Security Agent (HIPS), VLANs, Port Security, Private Addresses, Antivirus, Encryption, Fraud Protection (dial plans), Secure transport (VPN), IDS/IPS, Phone Proxy, Mobility Proxy, Authenticated Routing, Application firewall, NAC.]
About the Authors
Paul Robinson, PhD
David Yedwab
Founding Partners
www.mktstrategyanalytics.com
Market Strategy and Analytics Partners custom designs marketing and sales strategies that are consistent with client core competencies, market focus and competitive environment, and coupled with operationalized go-to-market plans across the value chain to ensure elimination of bottlenecks and complete consideration of end-to-end financials. Our clients include equipment and software providers, service providers and information-intense enterprises.
Market Strategy and Analytics Partners LLC
Glossary of Key VoIP Security Terms
(Acronym, Term, Definition)
ACL (Access Control List): The Access Control List is a file which a computer's operating system uses to determine the users' individual access rights and privileges to folders/directories and files on a given system. In an ACL-based security model, when a subject requests to perform an operation on an object, the system first checks the list for an applicable entry in order to decide whether or not to proceed with the operation. A key issue in the definition of any ACL-based security model is the question of how access control lists are edited: for each object, who can modify the object's ACL and what changes are allowed.
AES (Advanced Encryption Standard): AES is a block cipher adopted as an encryption standard by the U.S. government as of May 2002. It has been analyzed extensively and is now used worldwide, as was the case with its predecessor, the Data Encryption Standard (DES).
Application: An application is a program or group of programs designed for end users. Applications software (also called end-user programs) includes database programs, word processors, and spreadsheets. Figuratively speaking, applications software sits on top of systems software because it is unable to run without the operating system and system utilities.
Application Filtering: Application filtering is an extension to stateful packet inspection. Stateful packet inspection can determine what type of protocol is being sent over each port, while application-level filters look at what a protocol is being used for. Application-layer firewalls support multiple application proxies on a single firewall. The proxies sit between the client and server, passing data between the two endpoints. Suspicious data is dropped and the client and server never communicate directly with each other. Because application-level proxies are application-aware, the proxies can more easily handle complex protocols like H.323 and SIP, which are used for VoIP and video conferencing.
Application Layer: This layer sends and receives data for particular applications, such as Domain Name System (DNS), HyperText Transfer Protocol (HTTP), and Simple Mail Transfer Protocol (SMTP). Separate application security controls must be established for each application; this provides a very high degree of control and flexibility over each application's security, but it may be very resource-intensive. While application layer controls can protect application data, they cannot protect TCP/IP information such as IP addresses because this information exists at a lower layer.
ALP/ALG (Application Level Proxy/Gateway): An application level gateway, also known as application proxy or application-level proxy, is an application program that runs on a firewall system between two networks. When a client program establishes a connection to a destination service, it connects to an application gateway, or proxy. The client then negotiates with the proxy server in order to communicate with the destination service. In effect, the proxy establishes the connection with the destination behind the firewall and acts on behalf of the client, hiding and protecting individual computers on the network behind the firewall. This creates two connections: one between the client and the proxy server and one between the proxy server and the destination. Once connected, the proxy makes all packet forwarding decisions. Since all communication is conducted through the proxy server, computers behind the firewall are protected.
ARP (Address Resolution Protocol): Address Resolution Protocol is a data link layer network protocol, which maps a network layer protocol address to a data link layer hardware address. A host in an Ethernet network can communicate with another host only if it knows the Ethernet address (MAC address) of that host. The higher level protocols like IP use a different kind of addressing scheme (like IP address) from the lower level hardware addressing scheme like MAC address. ARP is used to get the Ethernet address of a host from its IP address. ARP is extensively used by all the hosts in an Ethernet network.
Botnet (Botnet or Storm Botnet Attack): The Storm botnet or Storm worm botnet is a remotely controlled network of "zombie" computers (or "botnet") that has been linked by the Storm Worm, a Trojan horse spread through e-mail spam. Some have estimated that by September 2007 the Storm botnet was running on anywhere from 1 million to 50 million computer systems. The Storm botnet was first identified around January 2007, with the Storm worm at one point accounting for 8% of all malware on Microsoft Windows computers.
Buffer Overflow Attack: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information.
Caller ID spoofing: Caller ID spoofing is the practice of causing the telephone network to display a number on the recipient's caller ID display which is not that of the actual originating station; the term is commonly used to describe situations in which the motivation is considered nefarious by the speaker.
Call Hijack: A call hijack attack refers to a situation where one of the intended endpoints of the conversation is exchanged with the attacker.
Call Managers: Call managers are required to set up calls, monitor call state, handle number translation, and provide basic telephony services. Call managers also handle signaling functions that coordinate with media gateways, which are the interface between the VoIP network and the public switched telephone network (PSTN).
Data Link Layer: This layer handles communications on the physical network components. The best known data link layer protocol is Ethernet. Security controls here are suitable for protecting a specific physical link, such as a dedicated circuit between two buildings or a dial-up modem connection to an ISP. Because each physical link must be secured separately, data link layer controls generally are not feasible for protecting connections that involve several links, such as connections across the Internet.
DDoS (Distributed Denial of Service): A distributed denial of service attack occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually one or more web servers. These systems are compromised by attackers using a variety of methods. Malware can carry DDoS attack mechanisms; one of the more well-known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hard-coding the target IP address prior to release of the malware and no further interaction was necessary to launch the attack.
DHCP (Dynamic Host Configuration Protocol): Dynamic Host Configuration Protocol is a protocol used by networked devices (clients) to obtain various parameters necessary for the clients to operate in an IP network. By using this protocol, system administration workload greatly decreases, and devices can be added to the network with minimal or no manual configurations.
DoS (Denial of Service): An attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.
Eavesdropping: The intercepting and reading of messages and conversations by unintended recipients. In VoIP, eavesdropping is an attack giving an attacker the ability to listen to and record private phone conversations.
Endpoint: An endpoint is a source and/or receiving side of media such as audio or video. Examples of endpoints are a PC running an audio/video communication application or a softphone. An endpoint can also be an automated device, such as a voice or unified communications mailbox. The endpoint also terminates a signaling protocol, such as SIP or H.323, and may be controllable from some application through an application program interface (API).
Fuzzing: Functional protocol testing, also called fuzzing, is a popular way of finding bugs and vulnerabilities. Fuzzing involves creating different types of packets for a protocol which contain data that pushes the protocol's specifications to the point of breaking them. These packets are sent to an application, operating system, or hardware device capable of processing that protocol, and the results are then monitored for any abnormal behavior (crash, resource consumption, etc.).
Gateway: A gateway is a node on a network that serves as an entrance to another network. In enterprises, the gateway node often acts as a proxy server and a firewall. The gateway is also associated with both a router, which uses headers and forwarding tables to determine where packets are sent, and a switch, which provides the actual path for the packet in and out of the gateway.
Host Authentication: A host key is used by a server to prove its identity to a client and by a client to verify a "known" host. Host keys are described as persistent (they are changed infrequently) and are asymmetric, much like the public/private key pairs discussed above in the Public key section. If a machine is running only one SSH server, a single host key serves to identify both the machine and the server. Host authentication guards against the Man-in-the-Middle attack.
IP (Internet Protocol): The Internet Protocol (IP) is a data-oriented protocol used for communicating data across a packet-switched internetwork. IP is a network layer protocol in the Internet protocol suite and is encapsulated in a data link layer protocol (e.g., Ethernet). As a lower layer protocol, IP provides the service of communicable unique global addressing amongst computers.
IPsec (IP Security): IPsec is the standard encryption suite for the Internet Protocol and will be fully supported in IPv6. IPsec enforces data confidentiality by encrypting packets before transmission. It helps ensure the integrity of data by authenticating packets, and validates the origin of data by authenticating the source of packets that are received. Finally, IPsec can help prevent attacks by identifying aged or duplicate packets.
MAC (Media Access Control): The Media Access Control data communication protocol is a sublayer of the data link layer. It provides addressing and channel access control mechanisms that make it possible for several terminals or network nodes to communicate within a multipoint network, typically a LAN or metropolitan area network (MAN).
MITM (Man-in-the-middle): An attack in which an attacker is able to read, insert and modify at will messages between two parties without either party knowing that the link between them has been compromised.
MOS (Mean Opinion Score): Mean Opinion Score (MOS) is the average of the opinions expressed by a group of subjects presented with a sample stimulus, e.g. a voice sample. Subjects express their opinion against a 5-point scale, e.g.: excellent (5), good (4), fair (3), poor (2), bad (1). Objective measurement methods attempt to predict human opinion to provide a numerical indication of the perceived quality of received media after compression and/or transmission.
NAT (Network Address Translation): NAT is a powerful tool that can be used to hide internal network addresses and enable several endpoints within a LAN to share the same (external) IP address. NATs also indirectly contribute to security for a LAN, making internal IP addresses less accessible from the public Internet. Thus, all attacks against the network must be focused at the NAT router itself. Like firewalls, this provides security because only one point of access must be protected, and the router will generally be far more secure than a PC directly connected to the Internet (less likelihood of open ports, malicious programs, etc.).
Network Layer: This layer routes packets across networks. Internet Protocol (IP) is the fundamental network layer protocol for TCP/IP. Other commonly used protocols at the network layer are Internet Control Message Protocol (ICMP) and Internet Group Management Protocol (IGMP). Security controls at this layer apply to all applications and are not application-specific, so applications do not have to be modified to use the controls. However, network layer controls provide less control and flexibility for protecting specific applications than transport and application layer controls. Network layer controls can protect both the data within packets and the IP information for each packet.
Proxy impersonation: A Proxy Impersonation attack tricks the victim into communicating with a rogue proxy set up by the attacker. Once an attacker impersonates a proxy, he has complete control of the call.
Proxy Server: A proxy server is a server (a computer system or an application program) which services the requests of its clients by forwarding requests to other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server provides the resource by connecting to the specified server and requesting the service on behalf of the client. A proxy server may optionally alter the client's request or the server's response, and sometimes it may serve the request without contacting the specified server. In this case, it would 'cache' the first request to the remote server, so it could save the information for later, and make everything as fast as possible.
PSTN (Public Switched Telephone Network): The public switched telephone network is the network of the world's public circuit-switched telephone networks, in much the same way that the Internet is the network of the world's public IP-based packet-switched networks. Originally a network of fixed-line analog telephone systems, the PSTN is now almost entirely digital and now includes mob
ile as well as fixed telephones. The PSTN is largely governed by technical standards created by the ITU-T, and uses E.163/E.164 addresses (known more commonly as telephone numbers) for addressing.
QoS (Quality of Service): In the fields of packet-switched networks and computer networking, the traffic engineering term Quality of Service, abbreviated QoS, refers to resource reservation control mechanisms rather than the achieved service quality. Quality of Service is the ability to provide different priority to different applications, users, or data flows, or to guarantee a certain level of performance to a data flow. QoS mechanisms implemented in the IP data network are key to providing high quality VoIP connections.
QoE (Quality of Experience): End-user Quality of Experience is determined by the performance of both the network and the communications application. In the case of VoIP, QoE is determined by the performance of the IP network (to deliver the packets across the network) and application-level factors such as echo, speech level, delay, noise level, and speech distortion. Effective performance management must account for both network and application performance.
Rate Limiting: Rate limiting or rate control is used to maintain fairness in Internet bandwidth allocation to ensure the effective management of limited network resources. It also can limit the effect of attacks that try to overwhelm the network.
Registration hijacking: Registration hijacking happens when an attacker replaces the legitimate registration of the victim with his address. The attack causes all incoming calls for the victim to be sent to the attacker's address.
RTP (Real-Time Transport Protocol): The Real-time Transport Protocol (or RTP) defines a standardized packet format for delivering audio and video over the Internet. It was developed by the Audio-Video Transport Working Group of the IETF and first published in 1996 as RFC 1889. RTP does not provide mechanisms to ensure timely delivery of packets. It also does not give any Quality of Service (QoS) guarantees, so QoS needs to be provided by some other mechanism.
SBC (Session Border Controller): SBCs are dedicated appliances that offer one or more of the following services to a VoIP perimeter: Firewall/NAT traversal, Call Admission Control, Service Level Agreement monitoring, support for lawful intercept, and protocol interworking.
Scavenger class queuing: Scavenger class or less-than-Best-Effort queuing is a strategy used to keep critical applications available during DoS attacks. The first step in deploying Scavenger class QoS is to profile applications to determine what constitutes a normal vs. abnormal flow. Application traffic exceeding this normal rate will be assigned to a minimal bandwidth queue, forcing it to be squelched to virtually nothing during periods of congestion, but allowing it to be available if bandwidth is not being used for business purposes, such as might occur during off-peak hours. Applications assigned to this class have little or no contribution to the organizational objectives of the enterprise and are typically entertainment-oriented in nature, including peer-to-peer media sharing applications.
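The three steps in this definition, profile normal rates, re-mark traffic that exceeds them (or belongs to entertainment and peer-to-peer applications) into the scavenger class, and give that class only a minimal share while the link is congested, can be shown end to end. The Python below is an added example, not the paper's code and not any router's QoS implementation; the baseline rates, the 1 percent congested share, the application-to-class mapping and the link capacity are all constructed values.

```python
"""Scavenger-class (less-than-best-effort) queuing (added example, not the paper's code)."""
import statistics

SCAVENGER_SHARE = 0.01                   # assumed share of link capacity under congestion
PRIORITY_APPS = {"voice"}                # assumed application-to-class mapping
SCAVENGER_APPS = {"p2p", "entertainment"}


def build_profile(samples):
    """samples: {app: [packets/s per baseline interval]} -> {app: highest normal rate}."""
    profile = {}
    for app, rates in samples.items():
        mean, sd = statistics.mean(rates), statistics.pstdev(rates)
        profile[app] = mean + 3 * sd     # above mean + 3 sigma is treated as abnormal
    return profile


def classify(flows, profile):
    """flows: list of (app, packets/s). Returns the queue class for each flow."""
    classes = []
    for app, pps in flows:
        if app in SCAVENGER_APPS:
            classes.append("scavenger")           # by application type
        elif app in profile and pps > profile[app]:
            classes.append("scavenger")           # anomalous rate for a known application
        elif app in PRIORITY_APPS:
            classes.append("priority")
        else:
            classes.append("best-effort")
    return classes


def schedule(flows, classes, capacity):
    """Serve per-class demand on a link of `capacity` packets/s; returns served rates."""
    demand = {"priority": 0, "best-effort": 0, "scavenger": 0}
    for (app, pps), cls in zip(flows, classes):
        demand[cls] += pps
    congested = sum(demand.values()) > capacity
    served, remaining = {}, capacity
    for cls in ("priority", "best-effort"):
        served[cls] = min(demand[cls], remaining)
        remaining -= served[cls]
    # Scavenger uses idle capacity freely, but is held to a floor share under congestion.
    cap = min(remaining, SCAVENGER_SHARE * capacity) if congested else remaining
    served["scavenger"] = min(demand["scavenger"], cap)
    return served


def demo():
    """Busy-hour and off-peak scenarios on a constructed 1000 packets/s link."""
    samples = {"voice": [40, 50, 60, 50, 50], "http": [280, 300, 320, 290, 310]}
    profile = build_profile(samples)
    busy = [("voice", 50), ("http", 300), ("http", 5000), ("p2p", 2000)]
    busy_classes = classify(busy, profile)
    idle = [("voice", 20), ("http", 100), ("p2p", 500)]
    idle_classes = classify(idle, profile)
    return busy_classes, schedule(busy, busy_classes, 1000), schedule(idle, idle_classes, 1000)


if __name__ == "__main__":
    print(demo())
```

In the busy scenario the 5000 packets/s HTTP flow is far above its profile and is squelched together with the peer-to-peer traffic to the 10 packets/s floor, while voice and normal HTTP are served in full; off-peak the same peer-to-peer application gets everything it asks for because nothing else needs the capacity.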
SIP (Session Initiation Protocol): SIP is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. It can be used to create two-party, multiparty, or multicast sessions that include Internet telephone calls, multimedia distribution, and multimedia conferences. It is based on IETF RFC 3261. It is widely used as a signaling protocol for Voice over IP, along with H.323, MGCP and other protocols.
Sound Insertion: Sound Insertion is an attack that will insert the contents of a sound file into an existing RTP stream. The approach is to record unencrypted RTP streams of someone's conversations and build up a vocabulary for that person. You would then assemble your injection phrase from that person's prior conversations and then wait for the right moment to inject it. This does, of course, require a somewhat significant amount of work, network access and the proper timing.
SPI (Stateful Packet Inspection): Stateful packet inspection is a firewall architecture that works at the network layer. Unlike static packet filtering, which examines a packet based on the information in its header, stateful inspection tracks each connection traversing all interfaces of the firewall and makes sure they are valid. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Because of this, filtering decisions are based not only on administrator-defined rules (as in static packet filtering) but also on context that has been established by prior packets that have passed through the firewall.
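The difference between header-only and state-table filtering, shown in a toy model added here for illustration (not the paper's own material and not any real firewall's logic): the static filter admits inbound TCP on the ACK bit alone, while the stateful filter admits an inbound packet only if an earlier outbound SYN recorded the connection. The inside prefix and the packet tuple format are assumptions.

```python
from typing import Set, Tuple

# (src, dst, sport, dport, proto, TCP flags); a constructed packet representation
Packet = Tuple[str, str, int, int, str, Set[str]]

def static_filter(pkt: Packet, inside_prefix: str = "10.") -> str:
    """Header-only rule set: inbound TCP is admitted if the ACK bit is set, the
    classic 'established' approximation a static packet filter has to rely on."""
    src, _dst, _sport, _dport, proto, flags = pkt
    if src.startswith(inside_prefix):
        return "allow"                       # outbound always permitted
    return "allow" if proto == "tcp" and "ACK" in flags else "drop"

class StatefulFilter:
    """Connection-aware version: outbound SYNs create an entry in the state table,
    and inbound packets are admitted only when they belong to a recorded connection."""

    def __init__(self, inside_prefix: str = "10."):
        self.inside_prefix = inside_prefix
        self.state: Set[Tuple[str, str, int, int, str]] = set()

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def filter(self, pkt: Packet) -> str:
        src, dst, sport, dport, proto, flags = pkt
        key = (src, dst, sport, dport, proto)
        reverse = (dst, src, dport, sport, proto)
        if self._inside(src) and not self._inside(dst):
            if proto == "tcp" and "SYN" in flags and "ACK" not in flags:
                self.state.add(key)          # new outbound connection: remember it
                return "allow"
            return "allow" if key in self.state else "drop"
        # inbound: context from prior packets decides, not the header alone
        return "allow" if reverse in self.state else "drop"
```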
SPIT (Spam over Internet Telephony): VoIP spam is unsolicited and unwanted bulk messages broadcast over VoIP to an enterprise network's end users. These high-volume bulk calls routed over IP are often very difficult to trace and have the inherent capacity for fraud, unauthorized resource use, and privacy violations.
Spoofing: A spoofing attack, in computer security terms, refers to a situation in which one person or program is able to masquerade successfully as another.
SRTP (Secure Real-time Protocol): SRTP provides a framework for encryption and message authentication of RTP and RTCP streams. It can provide confidentiality, message authentication and replay protection for audio and video streams. SRTP achieves high throughput and low packet expansion. It is independent of a specific RTP stack implementation and of a specific key management standard, but Multimedia Internet Keying (MIKEY) has been designed to work with SRTP.
SSH (Secure Shell): Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.
TCP (Transmission Control Protocol): Transmission Control Protocol is one of the core protocols of the Internet protocol suite. It is the transport protocol that manages the individual conversations between web servers and web clients. TCP divides the HTTP messages into smaller pieces, called segments, to be sent to the destination client. It is also responsible for controlling the size and rate at which messages are exchanged between the server and the client.
Transport Layer: This layer provides connection-oriented or connectionless services for transporting application-layer services between networks. The transport layer can optionally assure the reliability of communications. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are commonly used transport-layer protocols. Security controls at this layer can protect the data in a single communications session between two hosts. The most frequently used transport-layer control is SSL, which most often secures HTTP traffic but is also used to implement VPNs. To be used, transport-layer controls must be supported by both the clients and servers. Because IP information is added at the network layer, transport-layer controls cannot protect it.
TLS/SSL (Transport Layer Security and Secure Sockets Layer): TLS and its predecessor SSL are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers. There are slight differences between SSL and TLS, but they are substantially the same.
UDP (User Datagram Protocol): User Datagram Protocol is one of the core protocols of the Internet protocol suite. Using UDP, programs on networked computers can send short messages, sometimes known as datagrams, to one another. UDP does not guarantee reliability or ordering in the way that TCP does. Datagrams may arrive out of order, appear duplicated, or go missing without notice. Avoiding the overhead of checking whether every packet actually arrived makes UDP faster and more efficient, at least for applications that do not need guaranteed delivery. Time-sensitive applications often use UDP because dropped packets are preferable to delayed packets. Common network applications that use UDP include: the Domain Name System (DNS), streaming media applications such as IPTV, Voice over IP (VoIP), Trivial File Transfer Protocol (TFTP) and online games.
VGW (Voice Gateway): A Voice Gateway is used as the connecting point between a VoIP system and the PSTN or other legacy equipment, such as analog phones. Thus it is used to convert from IP to traditional analog or digital formats to provide connections such as FXS, FXO, PRI, T1, or other types of ports. Voice gateways can be implemented in dedicated devices or are often implemented in routers.
Vishing: Vishing is the criminal practice of using social engineering and VoIP to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and phishing.
VLAN (Virtual LANs): VLANs segregate different areas of the same network, for example, separating a company's client record servers from its public Web servers or separating IP phones from PCs and softphones (PCs equipped to perform like IP phones). VLANs control the propagation of traffic between network components, creating a logical separation even where there is no physical separation.
VoIP (Voice over Internet Protocol): Voice over Internet Protocol is a protocol optimized for the transmission of voice through the Internet or other packet-switched networks, typically as an RTP stream. VoIP is often used abstractly to refer to the actual transmission of voice (rather than the protocol implementing it). VoIP is also known as IP Telephony or Internet telephony.
VoMIT (Voice over misconfigured internet telephony): Voice over misconfigured internet telephony refers to the attachment of a packet sniffer to the VoIP network segment in order to intercept voice traffic. VoMIT is freely available over the Internet.
VPN (Virtual Private Network): A VPN is a virtual network, built on top of existing physical networks, which can provide a secure communications mechanism for data and other information transmitted between networks. Because a VPN can be used over existing networks, such as the Internet, it can facilitate the secure transfer of sensitive data across public networks. This is often less expensive than alternatives such as dedicated private telecommunications lines between organizations or branch offices. VPNs can also provide flexible solutions, such as securing communications between remote telecommuters and the organization's servers, regardless of where the telecommuters are located. A VPN can even be established within a single network to protect particularly sensitive communications from other parties on the same network.
WAN (Wide Area Network): A Wide Area Network (WAN) is a computer network that covers a broad area (i.e., any network whose communications links cross metropolitan, regional, or national boundaries). The largest and most well-known example of a WAN is the Internet. WANs are used to connect LANs and other types of networks together, so that users and computers in one location can communicate with users and computers in other locations. Many WANs are built for one particular organization and are private.
WPA2 (IEEE standard 802.11i): WPA and WPA2 Authentication & Encryption for 802.11 Security are standards-based security solutions from the Wi-Fi Alliance that address the vulnerabilities in native WLANs and provide enhanced protection from
targeted attacks. WPA was designed to address the weaknesses of WEP. It is a subset of 802.11i (the ratified IEEE standard for WLAN security) and consists of an authentication mechanism (802.1X or pre-shared keys) and an encryption mechanism (Temporal Key Integrity Protocol (TKIP), as defined in 802.11i, which can be supported in software by products that support WEP). WPA2 is the second generation of WPA security from the Wi-Fi Alliance that supports either the 802.1X or the pre-shared-keys authentication mechanism but also supports the Advanced Encryption Standard (AES).
Worm: A worm is a type of virus program that propagates itself over a network, reproducing itself as it goes.