When it comes to VoIP and unified communications, are you sacrificing security for cost savings?
- — 04 January, 2013 22:03
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
If you were to ask most IT professionals to connect CRM or ERP applications to an external IP network without some form of network security, they would look at you as if you had lost your mind. Even the most basic cloud-based business applications integrate security to help ensure the integrity of data and continuity of the service. Yet many organizations today are deploying business critical IP-based voice and video communications without applying standard corporate security policies.
For a variety of reasons, IP-based voice is treated differently. This traffic is generally not perceived as a substantial security risk, mostly due to decades' worth of experience using the TDM-based public switched telephony network (PSTN). These "walled gardens" are generally perceived as among the most trusted networks in the world, supporting millions of business users daily in the U.S. alone.
OUTLOOK: Top UC predictions for 2013
However, as businesses migrate away from traditional PSTN telephony toward more affordable and feature-rich IP telephony and unified communications, security concerns should rise to the top of the list. Once-private business conversations can now be carried over multiple service provider networks as well as public Internet backbones, where security can be nonexistent for voice and video traffic or inconsistent and disjointed end to end.
Let's review some of the challenges related to securing unified communications traffic and the solution selection criteria that can result in a secure, enterprise-class deployment suitable for headquarters, branch offices and remote or mobile workers.
Resolving conflicts at the gateway
Challenges: Converging voice and video onto IP networks can cause a pileup at the corporate gateway. NAT/firewalls and other gateway security devices are designed for data security. These data-centric solutions end up blocking IP-based voice and video calls at the boundary between trusted and non-trusted IP networks.
Not only that, existing data security deployments have usually been in place for some time and changing the associated policies and equipment to protect voice and video traffic would result in invasive changes to communications and business processes that are otherwise fully operational. Modifications to existing data security policies also leave the organization vulnerable to security breaches without substantial regression testing to ensure all critical network assets remain secure. Finally, enterprises typically want to preserve their investments in data security infrastructure and do not want to fund a "rip and replace" type of network upgrade.
Solution: A VoIP or unified communications (UC) security solution can and must coexist with existing data networking and security equipment. This means introducing application-aware firewall protection for the voice and video traffic using a network design that works in conjunction with existing security devices. A VoIP/UC security gateway must also offer broad interoperability with PBX systems, video content distribution networks and external carrier networks, which requires support for a wide range of protocols and interface standards.
Securing voice traffic and voice channels
Challenges: Threats that are unique to communications traffic -- eavesdropping, for example -- are not addressed by data security solutions that block viruses, malware or hackers. However, just as hackers and cybercriminals send out bots and phishing attacks to gather digital data assets, a digital eavesdropping attack can target conversations or corporate video content as a method for stealing corporate secrets, private employee identification information, credit card numbers, Social Security numbers and a long list of other sensitive information.
Besides stealing data, security vulnerabilities within an IP-based communications infrastructure can introduce denial-of-service (DoS) attacks and other threats that compromise business continuity, lower productivity in call centers or block customer transactions that result in lower revenues.
Mobility trends, including "bring-your-own-device" (BYOD) initiatives, introduce additional challenges for IT teams responsible for protecting business assets and ensuring infrastructure availability. Mobile users and smart devices must be authenticated and adequately monitored for suspicious behaviors.
Voice communications channels are also the target of toll fraud. A growing number of hackers and Internet crawlers are continually searching out unprotected voice channels. Without adequate protection, a business might see VoIP savings significantly reduced as unapproved voice calls are being routed through a VoIP gateway or SIP trunking service that lacks adequate security.
Solution: Every business-class VoIP solution should include eavesdropping prevention and VoIP-aware security that can address the above-listed types of threats. For those businesses, government agencies and contractors with the most stringent compliance requirements, the VoIP or unified communications solutions should support encryption of communications traffic. External communications are obviously the most critical but some organizations also require encryption of internal communications or communications in and out of critical departments. Any attempts of unauthorized access should be automatically detected, blocked and logged with enough forensic evidence to help track down the offenders.
Visibility and troubleshooting
Challenges: Fraud prevention is just one reason that VoIP infrastructure requires a high degree of visibility. Security without visibility is to a large extent unverifiable. Therefore, secure IP-based communications must include the ability to monitor and manage calls and communication traffic. Additionally, enterprises need affordable managed services with service level agreements designed to ensure reliable, high-quality connections and communication experiences. The service provider, in this case, would require high levels of visibility of voice and video traffic as part of a comprehensive troubleshooting toolset.
Solution: Troubleshooting tools must provide visibility of the end-to-end delivery for critical voice and video traffic, and it makes sense for the visibility to also encompass the unique network performance, quality of service, traffic management and other voice-essential parameters that contribute to the availability of secure communications. Security cannot be introduced at the expense of performance when voice is already much more sensitive to packet loss, latency, jitter and network bandwidth compared to data traffic.
Are we there yet?
Not every VoIP solution or service provider builds in security that addresses the challenges we have touched on in this article. However, best-in-class enterprise session border controllers (ESBCs) are available today with integrated voice-aware security. Unlike early ESBCs, today's highly integrated edge devices come in at price points that easily fit small businesses (5 or more employees) and that can affordably scale up to serve very large enterprises with 10,000 or more employees.
Service providers have been leading the adoption of these edge devices, recognizing their potential as a platform that reduces operating costs for VoIP infrastructure services. Built-in security has been a key differentiator among service providers and should be a key selection criteria for discerning enterprise customers that choose to purchase their own customer-premises VoIP equipment.
Besides security, leading ESBCs build in flexible connections with protocol-aware technology aligned with today's networking, telecommunications and unified communications equipment. They perform protocol mediation to facilitate interoperability of voice and video devices. Voice and video quality are ensured with advanced traffic management, active VoIP line testing, passive call quality monitoring and survivability features.
Businesses do not have to compromise quality, performance or flexible connectivity to obtain affordable security. IP communications can offer not only more affordable local and long-distance calling but also innovative features that offer a competitive advantage and improved customer service -- without introducing vulnerabilities, privacy issues or compliance complications. Make some calls and check it out.
Dave Martin has over 20 years of experience with networking and security technologies. He currently serves as vice president of marketing for Edgewater Networks. For more information about next-generation enterprise session border controllers please visit www.edgewaternetworks.com.
Read more about lans and routers in Network World's LANs & Routers section.