February 17, 2012

Keeping UC App Data Secure

Unified communications (UC) applications might very well be forming an integral component of your business processes. Protecting those UC applications, securing the data in them and ensuring that your company fulfills privacy requirements takes more than a single solution.

Security in general is an ongoing, never-ending process, and conditions can change daily. It is never a "fix once and go away" situation. The same philosophy holds true when securing UC applications and data. Doing a thorough job means protecting many elements: the endpoints, the network and the data center. As you add more endpoints, especially mobile devices, security becomes a multidimensional effort.

Security risks can be difficult to evaluate and hard to quantify, and the solutions can be expensive and sometimes difficult to deploy. The Internet Engineering Task Force (IETF)'s Site Security Handbook, RFC 2196, provides background for security planning.

What to Secure

To secure your UC applications, the following needs to be protected:

  • Hardware - servers, switches, routers, firewalls, session border controllers (SBCs), wired phones and desktops, wireless devices
  • Software - operating systems, database systems, source programs, utility programs
  • Data - stored information, communications paths, backups, audit logs

The protection solutions will come from many vendors, including mobile device management (MDM) vendors, PC security vendors, networking companies and data center suppliers, and they will need to be well integrated to hide complexity from the end user. Giving the end user an "easy" method for accessing applications and data ensures that users will take advantage of what the apps have to offer rather than being dissuaded from using them by a time-consuming or cumbersome access experience.

Endpoint Challenges

Wired and wireless endpoints should have anti-virus software that is regularly updated and run. Implement authentication technologies like 802.1X on both wired and wireless LANs. Device inventory programs running nightly on wired networks can locate unauthorized devices, block their use and report them. Wireless intrusion detection and prevention systems (WIPS) serve a similar function on the WLAN. An MDM system will help to determine the status of the authorized mobile devices, automate access control and enforce usage policies.
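The nightly device-inventory check described above can be reduced to a simple comparison of what the switches and DHCP server report against an authorized inventory. The script below is an added example, not code from the article or from any vendor; the inventory, the switch export format and the VLAN assignments are all constructed for illustration. Besides listing unauthorized MAC addresses, it also flags authorized devices that have turned up on a VLAN other than the one they were issued for, and authorized devices that did not show up at all.

```python
"""Nightly wired-LAN inventory audit (added example; constructed data)."""
import re
from collections import namedtuple

Seen = namedtuple("Seen", "ip mac vlan port")

# Authorized inventory (constructed): MAC -> (label, VLAN the device was issued for)
AUTHORIZED = {
    "00:11:22:33:44:01": ("desk-phone-101", 20),
    "00:11:22:33:44:02": ("desk-phone-102", 20),
    "00:11:22:33:44:10": ("pc-finance-07", 10),
    "00:11:22:33:44:11": ("pc-finance-08", 10),
    "00:11:22:33:44:12": ("pc-finance-09", 10),
}

# Constructed export from the access switches: ip  mac  vlan  port
OBSERVED_EXPORT = """\
10.0.20.11 00:11:22:33:44:01 20 Gi1/0/1
10.0.20.12 00:11:22:33:44:02 20 Gi1/0/2
10.0.10.7  00:11:22:33:44:10 10 Gi1/0/7
10.0.20.9  00:11:22:33:44:11 20 Gi1/0/9
10.0.20.50 aa:bb:cc:dd:ee:ff 20 Gi1/0/15
"""

LINE_RE = re.compile(r"^(\S+)\s+([0-9a-f:]{17})\s+(\d+)\s+(\S+)$", re.I)


def parse_export(text):
    """Turn the switch export into Seen records; MACs are normalised to lower case."""
    seen = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable inventory line: {line!r}")
        ip, mac, vlan, port = m.groups()
        seen.append(Seen(ip, mac.lower(), int(vlan), port))
    return seen


def audit(seen, authorized=AUTHORIZED):
    """Compare observed devices with the authorized list.

    Returns a report with three lists: devices not in the inventory, authorized
    devices seen on an unexpected VLAN, and authorized devices not seen at all.
    """
    report = {"unauthorized": [], "wrong_vlan": [], "missing": []}
    present = set()
    for d in seen:
        entry = authorized.get(d.mac)
        if entry is None:
            report["unauthorized"].append(d)
            continue
        present.add(d.mac)
        label, expected_vlan = entry
        if d.vlan != expected_vlan:
            report["wrong_vlan"].append((label, d))
    report["missing"] = sorted(mac for mac in authorized if mac not in present)
    return report


def block_actions(report):
    """Render one port-shutdown action per unauthorized device.

    The command form is a hypothetical switch CLI syntax, not any vendor's.
    """
    return [f"interface {d.port} shutdown  ! unauthorized MAC {d.mac} at {d.ip}"
            for d in report["unauthorized"]]


if __name__ == "__main__":
    rep = audit(parse_export(OBSERVED_EXPORT))
    for d in rep["unauthorized"]:
        print(f"UNAUTHORIZED {d.mac} {d.ip} vlan {d.vlan} port {d.port}")
    for label, d in rep["wrong_vlan"]:
        print(f"WRONG VLAN   {label} seen on vlan {d.vlan} port {d.port}")
    for mac in rep["missing"]:
        print(f"NOT SEEN     {mac} ({AUTHORIZED[mac][0]})")
    for action in block_actions(rep):
        print(action)
```

Run as-is, the script reports the unknown MAC on port Gi1/0/15, the finance PC that has moved onto the voice VLAN, and the one authorized PC that was not on the network that night. In practice the export would come from the switches' MAC tables or the DHCP lease file, and the block action would be pushed through whatever management system is in use.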

Be careful with endpoints primarily designed for voice and video communications: these can be compromised and used to invade the data network and applications. Malicious code can be embedded in voice and video packets. Data sent and received at the endpoint should be encrypted for transmission. Implementing a virtual private network (VPN) at the endpoint might be the best technique to adopt. Cellular data is encrypted over the air by the mobile network operators; WLAN data should be encrypted in an IPsec or Secure Sockets Layer (SSL) VPN (a bit more friendly than IPsec for users on the move) or encrypted over-the-air by an MDM system. Be sure to train users in the security policies and procedures and audit them regularly to ensure compliance.

Protecting the Network

Voice and video add quality-of-service (QoS) complications to the IP network. If QoS measures such as packet prioritization aren't upheld, voice and video quality can degrade and users will avoid using the real-time applications.

Malicious users can eavesdrop on voice and video calls and impersonate valid users to gain access. Routers and switches also need to be protected from viruses, worms and Trojan horse attacks, which requires a network management system that can discover these attacks. IP addresses should be assigned from a secured Dynamic Host Configuration Protocol (DHCP) server. Access control lists need to be maintained and secured.

Firewalls are best suited for data applications. When voice and video are in use, a session border controller (SBC) should be deployed, because firewalls don't process the voice-over-IP (VoIP) signaling: they simply open or close access to the internal network. The SBC does process the VoIP signaling, acts as a proxy, and is specifically designed to provide higher access security for VoIP calls.
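The difference between a port-based firewall and an SBC comes down to whether the device reads the signaling. The following is an added example, not the article's or any SBC vendor's code: it parses a constructed SIP INVITE, reads the SDP offer to learn which RTP and RTCP ports the call will actually use, and only approves those ports if they fall inside an assumed enterprise media range. A firewall that treats UDP/5060 as opaque cannot make this decision; it would have to leave a wide port range open or break the call.

```python
"""SBC-style inspection of a SIP INVITE's SDP offer (added example; constructed data)."""

# Assumed enterprise RTP/RTCP port range (not from the article)
ALLOWED_MEDIA_PORTS = range(16384, 32768)

# Constructed INVITE with an SDP body offering one audio and one video stream
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 203.0.113.10\r\n"
    "s=-\r\n"
    "c=IN IP4 203.0.113.10\r\n"
    "t=0 0\r\n"
    "m=audio 20000 RTP/AVP 0\r\n"
    "m=video 20002 RTP/AVP 31\r\n"
)

# Same offer, but the audio stream points at a port outside the media range
BAD_INVITE = INVITE.replace("m=audio 20000", "m=audio 22")

# Same offer with the video stream declined (port 0 per SDP convention)
AUDIO_ONLY_INVITE = INVITE.replace("m=video 20002", "m=video 0")


class SdpPolicyError(ValueError):
    """Raised when the offer asks for something the policy does not allow."""


def split_sip(message):
    """Split a SIP message into request line, header dict and body."""
    head, sep, body = message.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in SIP message")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_pinholes(message, allowed=ALLOWED_MEDIA_PORTS):
    """Return the (ip, port) pairs that must be opened for this offer.

    Each accepted m= line yields its RTP port and the RTCP port one above it.
    A media-level c= line overrides the session-level connection address.
    """
    _, headers, body = split_sip(message)
    if headers.get("content-type", "").lower() != "application/sdp":
        raise SdpPolicyError("INVITE carries no SDP offer")

    session_ip = None
    media = []
    for line in body.splitlines():
        key, _, value = line.partition("=")
        if key == "c":
            ip = value.split()[2]
            if media:
                media[-1]["ip"] = ip      # media-level c= overrides session-level
            else:
                session_ip = ip
        elif key == "m":
            kind, port, proto = value.split()[:3]
            media.append({"kind": kind, "port": int(port), "proto": proto, "ip": session_ip})

    pinholes = []
    for m in media:
        if m["port"] == 0:
            continue                      # stream declined, nothing to open
        if m["ip"] is None:
            raise SdpPolicyError(f"{m['kind']} stream has no connection address")
        if not m["proto"].startswith("RTP/"):
            raise SdpPolicyError(f"{m['kind']} uses unsupported transport {m['proto']}")
        if m["port"] not in allowed or m["port"] + 1 not in allowed:
            raise SdpPolicyError(f"{m['kind']} port {m['port']} outside allowed media range")
        pinholes.append((m["ip"], m["port"]))
        pinholes.append((m["ip"], m["port"] + 1))
    return pinholes


def check_offer(message):
    """Policy decision as a (accepted, detail) pair for callers that do not want exceptions."""
    try:
        return True, media_pinholes(message)
    except SdpPolicyError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for label, msg in [("good", INVITE), ("bad", BAD_INVITE), ("audio-only", AUDIO_ONLY_INVITE)]:
        print(label, check_offer(msg))
```

The accepted offer yields exactly four pinholes (audio 20000/20001, video 20002/20003) towards 203.0.113.10; the offer that asks for port 22 is refused before any port is opened; the audio-only offer yields only the two audio pinholes. A real SBC also rewrites the SDP so the far end sends media to the SBC rather than to an internal address, and closes the pinholes when the BYE arrives.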

Intrusion detection and prevention systems (IDS/IPS) might be necessary as well. When very high levels of security are required, such as for financial systems and defense systems, an IDS will flag potential attacks while the IPS does deep packet inspection, looking for and blocking hidden attacks. The IDS can be deployed with VoIP, but the IPS causes voice quality problems and should be used only for data applications.

Reinforcing the Data Center

The server is similar to the endpoint but has more elements to protect, such as the database, application programs, operating systems and utilities. Servers also need to be protected from viruses, worms and Trojan horse attacks. You should perform regular security audits and review system logs to look for abnormal usage and operation. System administrators should be well trained in security procedures and policies.
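Reviewing system logs for "abnormal usage and operation" is easier to automate than it sounds. The script below is an added example, not the article's or any product's code: it reads constructed syslog-style lines from a SIP registrar and flags two patterns, a burst of authentication failures from one source address inside a sliding time window, and successful registrations outside business hours. The log format, the threshold of five failures per minute and the 07:00 to 19:00 working day are all assumptions.

```python
"""Abnormal-usage review over UC server logs (added example; constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, time

# Constructed registrar log lines: timestamp, subsystem, event, user, source address
LOG = """\
2012-02-17T02:14:01 registrar auth-fail user=1001 src=198.51.100.7
2012-02-17T02:14:02 registrar auth-fail user=1002 src=198.51.100.7
2012-02-17T02:14:02 registrar auth-fail user=1003 src=198.51.100.7
2012-02-17T02:14:03 registrar auth-fail user=1004 src=198.51.100.7
2012-02-17T02:14:04 registrar auth-fail user=1005 src=198.51.100.7
2012-02-17T02:14:04 registrar auth-fail user=1006 src=198.51.100.7
2012-02-17T03:05:10 registrar register-ok user=1042 src=10.0.20.42
2012-02-17T09:01:00 registrar auth-fail user=1010 src=10.0.20.10
2012-02-17T09:15:00 registrar register-ok user=1010 src=10.0.20.10
2012-02-17T09:20:00 registrar auth-fail user=1011 src=10.0.20.11
"""

LINE_RE = re.compile(
    r"^(\S+)\s+registrar\s+(auth-fail|register-ok)\s+user=(\S+)\s+src=(\S+)$"
)


def parse(log):
    """Yield (timestamp, event, user, src) tuples; unknown lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event, user, src = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), event, user, src


def failure_bursts(events, threshold=5, window_seconds=60):
    """Return {src: time_first_flagged} for sources with too many failures in one window.

    A deque per source keeps only the failures inside the window, so memory
    stays bounded however long the log is.
    """
    windows = defaultdict(deque)
    flagged = {}
    for ts, event, _, src in events:
        if event != "auth-fail":
            continue
        q = windows[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def after_hours_registrations(events, start=time(7, 0), end=time(19, 0)):
    """Return (timestamp, user, src) for successful registrations outside working hours."""
    return [(ts, user, src) for ts, event, user, src in events
            if event == "register-ok" and not (start <= ts.time() < end)]


if __name__ == "__main__":
    events = list(parse(LOG))
    for src, ts in failure_bursts(events).items():
        print(f"BURST       {src} reached threshold at {ts.isoformat()}")
    for ts, user, src in after_hours_registrations(events):
        print(f"AFTER HOURS user {user} registered from {src} at {ts.isoformat()}")
```

On the constructed log this reports 198.51.100.7, which cycles through extension numbers and hits the threshold at 02:14:04, and the 03:05 registration of user 1042. The lone daytime failure from 10.0.20.10 followed by a successful registration is the ordinary mistyped-password case and is not flagged.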

Software patches are part of life for IT, and the same is true for UC applications. There are audit programs that can analyze the security patches in most systems and report what is missing. Sometimes security patches have been forgotten for years, with undesirable ramifications.
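At its core, a patch audit compares what is installed with the minimum patched version each component should be at, and reports how long each missing fix has been available. The following is an added example, not the article's or any audit product's code; the component names, versions and advisory dates are constructed. The one non-obvious part is version comparison: "5.0.10" must sort after "5.0.4", which naive string comparison gets wrong.

```python
"""Missing-patch audit for UC components (added example; constructed data)."""
import re
from datetime import date

# Constructed advisory data: component -> (minimum patched version, date fix published)
REQUIRED = {
    "call-manager":    ("8.6.2",   date(2011, 11, 15)),
    "voicemail":       ("5.0.4",   date(2010, 3, 2)),
    "sbc":             ("2.3.1",   date(2012, 1, 20)),
    "presence-server": ("8.6.1",   date(2011, 9, 1)),
    "media-gateway":   ("12.4.25", date(2009, 6, 10)),
}

# Constructed inventory of what is actually running; the gateway is not reporting at all
INSTALLED = {
    "call-manager":    "8.6.2",
    "voicemail":       "5.0.10",
    "sbc":             "2.2.9",
    "presence-server": "8.5.1",
}

_PART_RE = re.compile(r"^(\d+)([A-Za-z]*)$")


def parse_version(text):
    """'7.1.3b' -> ((7, ''), (1, ''), (3, 'b')) so numeric parts compare as numbers."""
    parts = []
    for piece in text.split("."):
        m = _PART_RE.match(piece)
        if not m:
            raise ValueError(f"unrecognised version component {piece!r} in {text!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def audit(installed, required, today):
    """Return [(component, installed_version_or_None, minimum_version, days_outstanding)].

    Components with no reported version are listed as missing, since an
    unaudited box is the one most likely to have been forgotten. Results are
    sorted with the longest-outstanding fix first.
    """
    missing = []
    for component, (min_ver, published) in required.items():
        have = installed.get(component)
        age = (today - published).days
        if have is None or parse_version(have) < parse_version(min_ver):
            missing.append((component, have, min_ver, age))
    return sorted(missing, key=lambda row: -row[3])


if __name__ == "__main__":
    for component, have, need, age in audit(INSTALLED, REQUIRED, date(2012, 2, 17)):
        status = f"running {have}" if have else "not reporting"
        print(f"{component:16} {status:20} needs {need:8} fix available {age} days")
```

Run against the constructed data on the article's date, the report lists the media gateway (fix published in 2009, nothing reporting), the presence server (169 days behind) and the SBC (28 days behind); the voicemail system at 5.0.10 correctly passes against a 5.0.4 minimum.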
