When it comes to VoIP and unified communications, are you sacrificing security for cost savings?

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

If you were to ask most IT professionals to connect CRM or ERP applications to an external IP network without some form of network security, they would look at you as if you had lost your mind. Even the most basic cloud-based business applications integrate security to help ensure the integrity of data and continuity of the service. Yet many organizations today are deploying business critical IP-based voice and video communications without applying standard corporate security policies.

For a variety of reasons, IP-based voice is treated differently. This traffic is generally not perceived as a substantial security risk, mostly due to decades' worth of experience using the TDM-based public switched telephony network (PSTN). These "walled gardens" are generally perceived as among the most trusted networks in the world, supporting millions of business users daily in the U.S. alone.


However, as businesses migrate away from traditional PSTN telephony toward more affordable and feature-rich IP telephony and unified communications, security concerns should rise to the top of the list. Once-private business conversations can now be carried over multiple service provider networks as well as public Internet backbones, where security can be nonexistent for voice and video traffic or inconsistent and disjointed end to end.

Let's review some of the challenges related to securing unified communications traffic and the solution selection criteria that can result in a secure, enterprise-class deployment suitable for headquarters, branch offices and remote or mobile workers.

Resolving conflicts at the gateway

Challenges: Converging voice and video onto IP networks can cause a pileup at the corporate gateway. NAT/firewalls and other gateway security devices are designed for data security. These data-centric solutions end up blocking IP-based voice and video calls at the boundary between trusted and non-trusted IP networks.

Not only that, existing data security deployments have usually been in place for some time and changing the associated policies and equipment to protect voice and video traffic would result in invasive changes to communications and business processes that are otherwise fully operational. Modifications to existing data security policies also leave the organization vulnerable to security breaches without substantial regression testing to ensure all critical network assets remain secure. Finally, enterprises typically want to preserve their investments in data security infrastructure and do not want to fund a "rip and replace" type of network upgrade.

Solution: A VoIP or unified communications (UC) security solution can and must coexist with existing data networking and security equipment. This means introducing application-aware firewall protection for the voice and video traffic using a network design that works in conjunction with existing security devices. A VoIP/UC security gateway must also offer broad interoperability with PBX systems, video content distribution networks and external carrier networks, which requires support for a wide range of protocols and interface standards.

Securing voice traffic and voice channels

Challenges: Threats that are unique to communications traffic -- eavesdropping, for example -- are not addressed by data security solutions that block viruses, malware or hackers. However, just as hackers and cybercriminals send out bots and phishing attacks to gather digital data assets, a digital eavesdropping attack can target conversations or corporate video content as a method for stealing corporate secrets, private employee identification information, credit card numbers, Social Security numbers and a long list of other sensitive information.

Besides enabling data theft, security vulnerabilities within an IP-based communications infrastructure can expose the business to denial-of-service (DoS) attacks and other threats that compromise business continuity, lower productivity in call centers or block customer transactions, resulting in lower revenue.

Mobility trends, including "bring-your-own-device" (BYOD) initiatives, introduce additional challenges for IT teams responsible for protecting business assets and ensuring infrastructure availability. Mobile users and smart devices must be authenticated and adequately monitored for suspicious behaviors.

Voice communications channels are also the target of toll fraud. A growing number of hackers and Internet crawlers are continually searching out unprotected voice channels. Without adequate protection, a business might see its VoIP savings significantly reduced as unapproved voice calls are routed through a VoIP gateway or SIP trunking service that lacks adequate security.

Solution: Every business-class VoIP solution should include eavesdropping prevention and VoIP-aware security that can address the threats listed above. For businesses, government agencies and contractors with the most stringent compliance requirements, the VoIP or unified communications solution should support encryption of communications traffic. External communications are obviously the most critical, but some organizations also require encryption of internal communications or of communications in and out of critical departments. Any attempt at unauthorized access should be automatically detected, blocked and logged with enough forensic evidence to help track down the offenders.
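One way to express the "detected and logged with forensic evidence" requirement as a check over SIP gateway events, given here as an added example that is not from the original article or from any vendor's product. The log format, trusted network, dial prefixes and thresholds are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; hypothetical format: time src_ip method user dest status
SAMPLE_LOG = """\
2013-01-14T02:10:01 198.51.100.7 REGISTER 100 - 401
2013-01-14T02:10:02 198.51.100.7 REGISTER 101 - 401
2013-01-14T02:10:03 198.51.100.7 REGISTER 102 - 401
2013-01-14T02:10:04 198.51.100.7 REGISTER 103 - 401
2013-01-14T02:11:00 198.51.100.7 INVITE 103 0119005550100 200
2013-01-14T09:00:00 10.0.0.21 REGISTER 201 - 200
2013-01-14T09:05:00 10.0.0.21 INVITE 201 5550123 200
2013-01-14T09:06:00 10.0.0.22 REGISTER 202 - 401
"""

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: internal phones
INTL_PREFIXES = ("011", "00")                         # assumption: dial-plan prefixes
WINDOW = timedelta(seconds=60)
MAX_FAILED_USERS = 3  # distinct extensions failing auth per source per window

def parse(line):
    ts, src, method, user, dest, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "user": user, "dest": dest, "status": int(status), "raw": line}

def is_trusted(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)

def detect(log_text):
    """Return alert dicts, each carrying the raw log lines as evidence."""
    alerts, failures, flagged = [], defaultdict(list), set()
    for line in log_text.strip().splitlines():
        ev = parse(line)
        if ev["method"] == "REGISTER" and ev["status"] in (401, 403):
            # One 401 is a normal digest-auth challenge; many extensions failing is not.
            recent = [e for e in failures[ev["src"]] if ev["ts"] - e["ts"] <= WINDOW]
            recent.append(ev)
            failures[ev["src"]] = recent
            users = {e["user"] for e in recent}
            if len(users) > MAX_FAILED_USERS and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"rule": "extension-scan", "src": ev["src"],
                               "evidence": [e["raw"] for e in recent]})
        elif ev["method"] == "INVITE" and ev["dest"].startswith(INTL_PREFIXES):
            if not is_trusted(ev["src"]):  # toll-fraud indicator
                alerts.append({"rule": "untrusted-intl-call", "src": ev["src"],
                               "evidence": [ev["raw"]]})
    return alerts
```

Each alert's `src` can feed a block list, while the `evidence` lines preserve what was seen for later investigation.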

Visibility and troubleshooting

Challenges: Fraud prevention is just one reason that VoIP infrastructure requires a high degree of visibility. Security without visibility is to a large extent unverifiable. Therefore, secure IP-based communications must include the ability to monitor and manage calls and communication traffic. Additionally, enterprises need affordable managed services with service level agreements designed to ensure reliable, high-quality connections and communication experiences. The service provider, in this case, would require high levels of visibility of voice and video traffic as part of a comprehensive troubleshooting toolset.

Solution: Troubleshooting tools must provide visibility of the end-to-end delivery for critical voice and video traffic, and it makes sense for the visibility to also encompass the unique network performance, quality of service, traffic management and other voice-essential parameters that contribute to the availability of secure communications. Security cannot be introduced at the expense of performance when voice is already much more sensitive to packet loss, latency, jitter and network bandwidth compared to data traffic.

Are we there yet?

Not every VoIP solution or service provider builds in security that addresses the challenges we have touched on in this article. However, best-in-class enterprise session border controllers (ESBCs) are available today with integrated voice-aware security. Unlike early ESBCs, today's highly integrated edge devices come in at price points that easily fit small businesses (5 or more employees) and that can affordably scale up to serve very large enterprises with 10,000 or more employees.

Service providers have been leading the adoption of these edge devices, recognizing their potential as a platform that reduces operating costs for VoIP infrastructure services. Built-in security has been a key differentiator among service providers and should be a key selection criterion for discerning enterprise customers that choose to purchase their own customer-premises VoIP equipment.

Besides security, leading ESBCs build in flexible connections with protocol-aware technology aligned with today's networking, telecommunications and unified communications equipment. They perform protocol mediation to facilitate interoperability of voice and video devices. Voice and video quality are ensured with advanced traffic management, active VoIP line testing, passive call quality monitoring and survivability features.

Businesses do not have to compromise quality, performance or flexible connectivity to obtain affordable security. IP communications can offer not only more affordable local and long-distance calling but also innovative features that offer a competitive advantage and improved customer service -- without introducing vulnerabilities, privacy issues or compliance complications. Make some calls and check it out.

Dave Martin has over 20 years of experience with networking and security technologies. He currently serves as vice president of marketing for Edgewater Networks. For more information about next-generation enterprise session border controllers please visit www.edgewaternetworks.com.
