- A TechNote on Unified Communications
- Gary Audin, Delphi, Inc.
Unified communications (UC) applications might very well be forming an integral component of your business processes. Protecting those UC applications, securing the data in them and ensuring that your company fulfills privacy requirements takes more than a single solution.
Security in general is an ongoing, never-ending process, and conditions can change daily. It's never a "fix once and go away" situation.The same philosophy holds true when securing UC applications and data. Doing a thorough job encompasses protecting many elements: the endpoints, network and data center. As you add more endpoints, especially mobile devices, security becomes a multidimensional effort.
Evaluating the security risks can be difficult and hard to quantify, and the solutions can be expensive and sometimes difficult to deploy. The Internet Engineering Task Force (IETF)'s Site Security Handbook, RFC 2196, provides background for security planning.
What to Secure
What needs to be protected to secure your UC applications are the following:
The protection solutions will come from many vendors including mobile device management (MDM) vendors, PC security vendors, networking companies and data center suppliers and will need to be well integrated to hide complexity from the end-user. Giving the end user an "easy" method for accessing applications and data ensures that users will take advantage of what the apps have to offer rather than being dissuaded from using them because of a time-consuming or cumbersome access experience.
Endpoint Challenges
Wired and wireless endpoints should have anti-virus software that is regularly updated and run. Implement authentication technologies like 802.1X on both wired and wireless LANs. Device inventory programs running nightly on wired networks can locate unauthorized devices, block their use and report them. Wireless intrusion detection and prevention systems (WIPS) serve a similar function on the WLAN. An MDM system will help to determine the status of the authorized mobile devices, automate access control and enforce usage policies.
Be careful with endpoints primarily designed for voice and video communications: these can be compromised and used to invade the data network and applications. Malicious code can be embedded in voice and video packets. Data sent and received at the endpoint should be encrypted for transmission. Implementing a virtual private network (VPN) at the endpoint might be the best technique to adopt. Cellular data is encrypted over the air by the mobile network operators; WLAN data should be encrypted in an IPsec or Secure Sockets Layer (SSL) VPN (a bit more friendly than IPsec for users on the move) or encrypted over-the-air by an MDM system. Be sure to train users in the security policies and procedures and audit them regularly to ensure compliance.
Protecting the Network
Voice and video add quality-of-service (QoS) complications to the IP network. If QoS measures, such as packet prioritization, aren't upheld, voice and video quality can degrade and users will avoid using the real-time applications.
Malicious users can eavesdrop on voice and video calls and impersonate valid users to gain access. Routers and switches also need to be protected from viruses, worms and Trojan horse attacks. This requires a network management system that can discover these attacks. The assignment of IP addresses should be from a secured Dynamic Host Control Protocol (DHCP) server. Access control lists need to be maintained and secured.
Firewalls are best suited for data applications. When voice and video are in use, then a session border controller (SBC) should be deployed, because firewalls don't process the voice-over-IP (VoIP) signaling. They either open or close access to the internal network. The SBC does process the VoIP signaling, it acts as proxy, and is specifically designed to provide higher access security for VoIP calls.
Intrusion detection and prevention systems (IDS/IPS) might be necessary as well. When very high levels of security are required, such as with financial systems and defense systems, then an IDS will flag potential attacks while the IPS does deep packet inspection looking for and blocking hidden attacks. The IDS can be deployed with VoIP but the IPS causes voice quality problems and should be used only for data applications.
Reinforcing the Data Center
The server is similar to the endpoint but with more elements to protect, such as the database, application programs, operating systems and utilities. Servers also need to be protected from viruses, worms and Trojan horse attacks. You should perform regular security audits and review system logs to look for abnormal usage and operation. System administrators should be well trained in security procedures and policies.
Software patches are part of life for IT, and the same is true for UC applications. There are audit programs that can analyze the security patches in most systems and report what is missing. Sometimes, security patches have been forgotten for years with undesirable ramifications.
Security in general is an ongoing, never-ending process, and conditions can change daily. It's never a "fix once and go away" situation.The same philosophy holds true when securing UC applications and data. Doing a thorough job encompasses protecting many elements: the endpoints, network and data center. As you add more endpoints, especially mobile devices, security becomes a multidimensional effort.
Evaluating the security risks can be difficult and hard to quantify, and the solutions can be expensive and sometimes difficult to deploy. The Internet Engineering Task Force (IETF)'s Site Security Handbook, RFC 2196, provides background for security planning.
What to Secure
What needs to be protected to secure your UC applications are the following:
- Hardware - servers, switches, routers, firewalls, session border controllers (SBCs), wired phones and desktops, wireless devices
- Software - operating systems, database systems, source programs, utility programs
- Data - stored information, communications paths, backups, audit logs
The protection solutions will come from many vendors including mobile device management (MDM) vendors, PC security vendors, networking companies and data center suppliers and will need to be well integrated to hide complexity from the end-user. Giving the end user an "easy" method for accessing applications and data ensures that users will take advantage of what the apps have to offer rather than being dissuaded from using them because of a time-consuming or cumbersome access experience.
Endpoint Challenges
Wired and wireless endpoints should have anti-virus software that is regularly updated and run. Implement authentication technologies like 802.1X on both wired and wireless LANs. Device inventory programs running nightly on wired networks can locate unauthorized devices, block their use and report them. Wireless intrusion detection and prevention systems (WIPS) serve a similar function on the WLAN. An MDM system will help to determine the status of the authorized mobile devices, automate access control and enforce usage policies.
Be careful with endpoints primarily designed for voice and video communications: these can be compromised and used to invade the data network and applications. Malicious code can be embedded in voice and video packets. Data sent and received at the endpoint should be encrypted for transmission. Implementing a virtual private network (VPN) at the endpoint might be the best technique to adopt. Cellular data is encrypted over the air by the mobile network operators; WLAN data should be encrypted in an IPsec or Secure Sockets Layer (SSL) VPN (a bit more friendly than IPsec for users on the move) or encrypted over-the-air by an MDM system. Be sure to train users in the security policies and procedures and audit them regularly to ensure compliance.
Protecting the Network
Voice and video add quality-of-service (QoS) complications to the IP network. If QoS measures, such as packet prioritization, aren't upheld, voice and video quality can degrade and users will avoid using the real-time applications.
Malicious users can eavesdrop on voice and video calls and impersonate valid users to gain access. Routers and switches also need to be protected from viruses, worms and Trojan horse attacks. This requires a network management system that can discover these attacks. The assignment of IP addresses should be from a secured Dynamic Host Control Protocol (DHCP) server. Access control lists need to be maintained and secured.
Firewalls are best suited for data applications. When voice and video are in use, then a session border controller (SBC) should be deployed, because firewalls don't process the voice-over-IP (VoIP) signaling. They either open or close access to the internal network. The SBC does process the VoIP signaling, it acts as proxy, and is specifically designed to provide higher access security for VoIP calls.
Intrusion detection and prevention systems (IDS/IPS) might be necessary as well. When very high levels of security are required, such as with financial systems and defense systems, then an IDS will flag potential attacks while the IPS does deep packet inspection looking for and blocking hidden attacks. The IDS can be deployed with VoIP but the IPS causes voice quality problems and should be used only for data applications.
Reinforcing the Data Center
The server is similar to the endpoint but with more elements to protect, such as the database, application programs, operating systems and utilities. Servers also need to be protected from viruses, worms and Trojan horse attacks. You should perform regular security audits and review system logs to look for abnormal usage and operation. System administrators should be well trained in security procedures and policies.
Software patches are part of life for IT, and the same is true for UC applications. There are audit programs that can analyze the security patches in most systems and report what is missing. Sometimes, security patches have been forgotten for years with undesirable ramifications.
Trending Discussions
- If you would like to see the other articles in the blog post of the "Top Ten VoIP Articles of All Ti... Steven Taylor, Webtorials on "Is VoIP Secure? YOU Make the Call":
- Great job I followed since the begining thanks... Eduardo Pérez Telesystems SpA on "The 2018 Guide to WAN Architecture and Design - Executive Summary":
- Thanks to Marjorie at RingCentral for reminding me that this paper existed. Looking forward to your... Steven Taylor, Webtorials on "Is VoIP Secure? YOU Make the Call":
- looking at WAN re-engineering projects... Sunny on "The 2018 Guide to WAN Architecture and Design - Part 2: Key Considerations when Choosing new WAN and Branch Office Solutions":
- Hi Richard. We appreciate your feedback. Jim Metzler always provides excellent analysis on the ever-... Nancy Leonard, Webtorials on "The 2017 State-of-the-WAN Report":
- Interesting reading... Richard Fausey, Plow, LLC on "The 2017 State-of-the-WAN Report":
- I needed this document. Thank you.... AO NII Mashtab on "The 2017 Guide to WAN Architecture and Design - Executive Summary":
- I look forward to reviewing more info on this topic.
... trevor evans - fox group on "2017 Workplace Productivity and Communications Technology Report":
- I would like access to your "2017 Workplace Productivity and Communications Technology Report"
Than... Paul Zielie, Harman Professional Solutions on "2017 Workplace Productivity and Communications Technology Report":
- I'm Telecommunications Engineer at PETROBRAS S.A. and i have overall interest about WAN. ... JOSE CEREZO, PETROBRAS S.A. on "The 2017 Guide to WAN Architecture and Design - Part 1: State of the WAN":
See more discussions...