Security is high on the business agenda, as demonstrated by the recent emergence and rise (in some cases to the board) of the Chief Security Officer (CSO). Typically, the CSO’s role embraces both traditional physical (e.g. in a high street bank branch, access control, alarms and safes) and network security.
When it comes to network or IT security, the main job of the CSO is to build staff awareness, instigate comprehensive training and, crucially, establish clear accountability, since a serious network security breach can cause problems for the whole business. Above all, as the cornerstone of an organisation’s security strategy, he needs to drive an analysis of vulnerabilities in the voice infrastructure.
One area of vulnerability that must be carefully managed is the voice-signalling server, which is used to set up and manage calls. If attackers manage to breach this system they can potentially gain access to complete lists of all incoming and outgoing calls and details about their duration. Even more problematic is the fact that if attackers manage to penetrate the VoIP gateway, then actual voice conversations themselves could be at risk from eavesdropping, recording, replaying or even call redirection.
Not only can these security breaches cause problems for voice communications, but as it runs on the same infrastructure as data traffic, the entire availability of the IP network could be compromised, threatening the ability of an organisation to communicate via either voice or data.
Any enterprise contemplating an investment in a new server-based converged voice and data system will demand that it can offer availability at least equal to the traditional robust and resilient telephony environment to which it is accustomed. In addition, the supplier must be able to guarantee the integrity of the voice infrastructure. For example it is important that user access is managed properly, and that threats of spoofing and identity theft are properly managed.
It is important that the customer organisation is aware that many security threats now come from internal sources, meaning that simply using firewalls to protect the network from the outside world is no longer an effective way to guarantee security. Companies need to guard carefully against disaffected members of staff who might want to change their ´class of service´ characteristics to make free calls from IP phones, hack into the network or initiate denial of service attacks.
Another significant problem with voice is the need to keep latency very low. This requirement impacts on the way companies implement voice security– if security makes the quality of VoIP unacceptable, then it will be a barrier to companies conducting their daily business.
When implementing VoIP, it is essential that the traffic is secured in transit. A potential solution to this problem is effective encryption, ensuring that as the voice data is transmitted through the network infrastructure, it is adequately secured to prevent outside parties from retrieving and reading it.
Another security issue is the threat of intrusion – people infiltrating either the network itself or devices on the network and corrupting, adjusting or reconfiguring them. The accepted approach is to control user access by passwords – but these must be implemented correctly, managed properly, and be controlled with a publicised and effective policy.
Another tool in the CSO’s arsenal is the new type of ‘fingerprinting’ security systems, sometimes referred to as intrusion detection systems, that are now available to track the activities of those who have broken into the network and to identify and eliminate any viruses they leave behind.
One of the most cost effective and easiest administrative techniques to increase security on a server-based network is to divide it into distinct groups using a technique known as virtual LAN (VLAN) segmentation. This enables the network manager to restrict the number of users in a VLAN group and to disallow another user from joining without prior approval.
The benefit here is that network managers can use VLANs to provide security firewalls, restrict individual user access, flag any unwanted intrusion to a network manager, and control the size and composition of the group.
The most important factor to consider, however, when implementing security to VoIP, or anything else on the network, is how quickly technology progresses. And not just the VoIP application itself, but also the tools and methods used by the attackers. It is a constant battle and the CSO needs to make sure his organisation’s security is always one step ahead. The IT department needs to be aware of changing threats, and make sure they are prepared – even by something as simple as making sure they download new software patches from the manufacturers as soon as they are available.
Understanding the ‘Bigger Picture’
Of course voice security mustn’t be seen in isolation. It is just one important part of the complex integration challenge facing providers of converged solutions today.
Voice networks have traditionally been reliable, robust and built on long-established and evolved standards. Users never wondered if their phone was going to work. Equally, the process of PBX configuration had become almost routine and voice transmission plans, interface and integration processes were all well practiced and rehearsed.
Customers knew what they were getting and when they purchased a PBX they would know exactly what configuration and functionality they needed. The pre-configured PBX would then be shipped to site and connected to the installed network circuits and the whole system would be ready to switch on – simple. But adding voice functionality to a business’ existing IT infrastructure is much more complex.
With new, converged technology, almost every element of the solution from the WAN to the call server, and from the LAN to desktop, contains a high degree of proprietary customisation to make it work in the customer’s unique environment.
Typically, the integrator will first build the voice servers, before implementing Quality of Service across both the WAN and the LAN, and then the infrastructure is overlaid with a security platform that protects the platform from threats from both internal users and attackers in the outside world.
This complexity coupled with many organisations’ increased awareness and fear of security breaches, means that they often demand that their integration partners have got a wealth of security expertise and voice experience to enable them to counter these threats.
Unfortunately such companies and skills are in short supply, as traditionally individuals and organisations working within a data environment have been far more attuned to security issues than their voice counterparts. Companies with a voice focus have not had to be so closely focused on security largely because of the protective proprietary operating system of the old PBX.
This skills gap is a major concern, and could well result in VoIP networks being implemented without the appropriate security measures – because the individuals implementing them don’t have the necessary understanding of the requirements. But if the voice security battle is ultimately to be won and VoIP traffic is to continue to be effectively protected, the skills and expertise of those implementing converged solutions will be the critical factor.