Securing Your Enterprise While Leveraging UC
As the enterprise eagerly reaches out to realize the benefits of IP-powered unified communications (cost savings, productivity boosts, mobility and communications-enabled business processes), maintaining effective security for a bundle of modularized functions - and perhaps a mash-up of services, each of which could be delivered over an untrusted network - becomes a daunting prospect. Intrusions and attacks, such as Denial of Service (DoS) attacks and the hijacking of IP phones for theft of service, are always possible. Fortunately, both UC vendors and specialized companies are demonstrating new ways of security policy enforcement, strong user authentication, encryption and other ways of protecting against attacks and maintaining the privacy of signaling and media streams.
Kevin Flynn, Senior Manager, Security Technology Marketing for Unified Communications at Cisco Systems, has said publicly, "Properly configured, UC can be as secure and in some ways even more secure than traditional phone and communications systems. UC is now appearing in some of the most security-conscious locations in the world, such as government agencies and major financial institutions. The phrase 'defense-in-depth' has been used in data security circles for many years. This means taking a layered approach to security. Multiple levels of defense mechanisms are required, so that should an attacker penetrate one layer, they're stopped at the next layer. The same holds true for security for UC. A comprehensive, systemic approach is required, incorporating all UC layers: the applications, the endpoints, the call control and the network infrastructure. Protection of each layer is critical, and each layer should be designed to work together and be managed as a whole. Good security really means the proper implementation of policies - in essence, deciding who gets to communicate with whom and enforcing those decisions… At Cisco we have the luxury of bringing various technologies to bear to provide for secure UC… solutions that incorporate routers, switches, firewalls, encryption technologies, wireless technologies, call management systems, telephones and software applications."
Take, for example, the Cisco ASA 5500 Series Adaptive Security Appliance, designed to secure real-time unified communications applications such as voice and video. It delivers several security features that complement the embedded security already within the unified communications system (comprising such UC deployment elements as the network infrastructure, call-control platforms, IP endpoints, and UC applications), providing additional layers of protection. Thus, even though Cisco has built security features into its UC products, it augments them with its Cisco ASA 5500 Series Adaptive Security Appliances.
The Cisco ASA 5500 Series is basically a family of multifunction security appliances for small businesses, branch offices, enterprises, and data center environments. They deliver top-notch voice and video security services for UC, including robust firewall, IP Security (IPsec) and Secure Sockets Layer (SSL) VPN, intrusion prevention, and content security features. For UC deployments, these platforms can protect up to 30,000 phones and deliver application inspection for a range of UC protocols, including Skinny Client Control Protocol (SCCP), Session Initiation Protocol (SIP), H.323, Media Gateway Control Protocol (MGCP), Computer Telephony Interface Quick Buffer Encoding (CTIQBE), Real-Time Transport Protocol (RTP), and Real-Time Transport Control Protocol (RTCP). Other security features include dynamic and granular policy access control that prevents unauthorized access to unified communications services; threat prevention in the form of protecting the UC infrastructure from attempts to exploit or harm the system (e.g. Denial of Service); network security policy enforcement; voice encryption services in the form of the Cisco Transport Layer Security (TLS) Proxy, which helps maintain security policies while encrypting signaling and media; and perimeter security services for UC so that businesses can securely extend communication services to remote users, mobile solutions, and business-to-business collaboration.
Given the increasing popularity of SIP trunking, the Cisco ASA 5500 Series also provides protection from attacks arriving through SIP trunks.
Cisco also offers many other products, some relating specifically to email and web security, such as the C-Series Email Security Appliances, the S-Series Web Security Appliances, and the ASA Content Security Module (which delivers threat protection and content control at the Internet edge). Their larger, more comprehensive IPS (Intrusion Prevention System) looks like a rackmount computer, but actually classifies and stops known and unknown network threats, including worms, network viruses, application threats, system intrusion attempts, and application misuse. The Cisco IPS protects your entire network via a range of deployment options: its sensors can be deployed incrementally on servers and endpoints, as dedicated appliances, and as service modules on routers, switches, and firewalls, and they collaborate and adapt in real time to deal with emerging threats.
Sipera Systems also offers appliances that can secure your VoIP and UC deployments. The IPCS appliances are based on the Sipera VIPER Engine, which employs sophisticated VoIP-specific security techniques, including real-time caller verification, protocol scrubbing and behavior learning, and applies "vaccines" for previously unidentified threats, to provide comprehensive threat protection against UC application-layer attacks, such as Denial-of-Service (DoS), spoofing, stealth and others.
The Sipera UC security appliances support VoIP VPN capabilities for encrypted signaling, encrypted media, strong two-factor authentication, and VoIP Firewall/SBC functionality to enable enterprises to solve firewall/NAT issues and apply granular UC policies based upon network, user, device and time of day. The Sipera solutions offer Intrusion Prevention and Anti-spam functionality that intelligently analyzes every unified communications session to proactively monitor and detect anomalies. This ensures network and user protection, in real time, from attacks, misuse and service abuse including DoS/DDoS floods, fuzzing, stealth and VoIP spam.
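The application-layer inspection described for both the Cisco ASA (protocol inspection for SIP and a policy layer that decides who may reach UC services) and the Sipera IPCS (scrubbing malformed signaling and detecting flood anomalies per session) can be sketched in a few dozen lines. The following is an added example written for this article, not code from Cisco or Sipera; it assumes a simplified SIP request format and uses constructed sample messages, a hypothetical `SipInspector` class and a constructed `run_sample()` traffic sequence.

```python
"""Toy SIP application-layer inspection (added example, not vendor code).

Three checks are combined, mirroring what the article describes:
  1. protocol scrubbing: reject requests with a bad request line, unknown
     method, oversize or malformed headers, or missing mandatory headers;
  2. policy enforcement: only sources that have REGISTERed may send INVITE;
  3. anomaly detection: more than MAX_INVITES INVITEs from one source inside
     WINDOW seconds is treated as a flood and dropped.
"""
from collections import defaultdict, deque

MAX_HEADER_LEN = 256          # assumed limit; real products use tunable values
REQUIRED = ("Via", "From", "To", "Call-ID", "CSeq")
ALLOWED_METHODS = {"INVITE", "REGISTER", "BYE", "ACK", "OPTIONS", "CANCEL"}


def parse_sip(raw: str):
    """Return (method, headers) for a well-formed request, else raise ValueError."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("bad request line")
    method = parts[0]
    if method not in ALLOWED_METHODS:
        raise ValueError(f"unknown method {method!r}")
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LEN:
            raise ValueError("oversize header")
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header {line!r}")
        headers[name.strip().lower()] = value.strip()
    missing = [h for h in REQUIRED if h.lower() not in headers]
    if missing:
        raise ValueError("missing headers: " + ", ".join(missing))
    return method, headers


class SipInspector:
    """Hypothetical inspector: per-source state for policy and flood checks."""

    def __init__(self, window: float = 5.0, max_invites: int = 3):
        self.window = window
        self.max_invites = max_invites
        self.invites = defaultdict(deque)   # source -> INVITE timestamps
        self.registered = set()             # sources that completed REGISTER

    def inspect(self, src: str, ts: float, raw: str) -> str:
        """Return 'allow' or 'drop:<reason>' for one request."""
        try:
            method, _headers = parse_sip(raw)
        except ValueError as err:
            return f"drop:malformed ({err})"
        if method == "REGISTER":
            self.registered.add(src)        # toy policy: no credential check
            return "allow"
        if method == "INVITE":
            if src not in self.registered:
                return "drop:policy (unregistered source)"
            q = self.invites[src]
            q.append(ts)
            while q and ts - q[0] > self.window:   # slide the window forward
                q.popleft()
            if len(q) > self.max_invites:
                return "drop:flood"
        return "allow"


def sip_msg(method: str, call_id: str, extra: str = "") -> str:
    """Build a constructed SIP request with the mandatory headers present."""
    return (f"{method} sip:bob@example.test SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 10.0.0.5;branch=z9hG4bK{call_id}\r\n"
            "From: <sip:alice@example.test>;tag=1\r\n"
            "To: <sip:bob@example.test>\r\n"
            f"Call-ID: {call_id}\r\n"
            f"CSeq: 1 {method}\r\n"
            f"{extra}Content-Length: 0\r\n\r\n")


def run_sample() -> list:
    """Feed a constructed traffic sequence through the inspector; return verdicts."""
    insp = SipInspector(window=5.0, max_invites=3)
    traffic = [
        ("10.0.0.5", 0.0, sip_msg("REGISTER", "r1")),            # allow
        ("10.0.0.9", 0.5, sip_msg("INVITE", "c0")),              # policy drop
        ("10.0.0.5", 1.0, sip_msg("INVITE", "c1")),              # allow
        ("10.0.0.5", 1.2, sip_msg("INVITE", "c2")),              # allow
        ("10.0.0.5", 1.4, sip_msg("INVITE", "c3")),              # allow
        ("10.0.0.5", 1.6, sip_msg("INVITE", "c4")),              # flood drop
        ("10.0.0.5", 2.0, "INVITE sip:bob SIP/2.0\r\nVia: x\r\n\r\n"),  # malformed
        ("10.0.0.5", 9.0, sip_msg("INVITE", "c5")),              # window expired
        ("10.0.0.5", 9.5, sip_msg("OPTIONS", "c6", "X-Pad: " + "A" * 300 + "\r\n")),
    ]
    return [insp.inspect(src, ts, raw) for src, ts, raw in traffic]


if __name__ == "__main__":
    for i, verdict in enumerate(run_sample(), 1):
        print(f"{i}: {verdict}")
```

The window is a plain sliding deque, so memory per source is bounded by the flood threshold plus whatever arrives inside one window; a production inspector would also key on Call-ID and From to tell a retransmitting phone from a flooding one, and would validate REGISTER credentials before admitting a source to the policy set.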
Sipera IPCS appliances can also terminate encrypted UC traffic to prevent reconnaissance and eavesdropping. They offer fine-grained policy enforcement to apply different security and call routing rules, and support multiple authentication mechanisms for strong access control. Thus, with an IPCS, an enterprise can consolidate PBXs, quickly deploy SIP trunks and eliminate VPN gateways for mobile workspaces, which leads to significantly reduced costs without compromising security. Hence, Sipera IPCS products provide threat protection, policy enforcement, access control, and privacy in a single, real-time appliance to securely enable many deployments including IP PBX and VLANs, SIP trunks, mobile workspaces, and secure border access for ILECs and CLECs.
Sipera IPCS products can be deployed in the DMZ ("Demilitarized Zone"), between VLANs or in the core of any existing VoIP and UC infrastructure with no need for on-site interoperability testing, thanks to Sipera's certification and seamless integration with such popular UC system makers as Avaya, Cisco, and Nortel.
To further simplify UC deployments, the Sipera IPCS Element Management System (EMS) enables you to centrally manage UC policies and apply routing and security rules to each session based on network, user, device and time of day.
Sipera IPCS appliances come in several different-sized models. The Sipera IPCS 210 is ideal for either a branch office or a small/medium-sized business scenario with 200 users. The IPCS 310 can handle up to 1000 VoIP users. The IPCS 510 can protect up to 50,000 users.
Two Heads Are…
It would be surprising if smaller UC security companies could develop and field equipment covering all possible security threats the way giants such as Cisco and Avaya can. For that reason one sees alliances and joint development/marketing efforts.
Sipera, for example, recently announced a joint sales and marketing partnership with Paranet Solutions, so that Paranet will offer the complete suite of Sipera security products as part of the Paranet Security Solutions Suite. Indeed, the partnership enables Paranet to fully integrate Sipera appliances into its total services and solutions offering. By doing this, Paranet can now provide a whole new level of security solutions that will identify and mitigate emerging threats to the operations of UC deployments that include voice, data and video communications. The partnership also will enable Paranet and Sipera's VIPER Lab to collaborate on Vulnerability Assessment offerings to help enterprises assess, verify and improve their security practices around VoIP and UC.
Similarly, last year, Voxeo Corporation, makers of the immensely popular, standards-based IVR hosting Prophecy Platform - used by more than 30,000 developers and enterprise customers to deliver innovative IVR, VoIP, outbound notification, unified communications and various new SIP-powered solutions - announced a partnership with VoiceVerified, Inc., a provider of voice biometric verification technology and services, to deliver VoiceVerified's voice authentication technology to new and existing customers using Voxeo's hosted IVR service.
Biometric authentication, such as voice authentication, streamlines the login process and increases security, doing away with forgettable PINs and passwords.
Mouse vs. Mousetrap
Just because unified communications is a mélange of many different forms of communications doesn't mean that more-than-acceptable security can't be achieved. If done correctly, it can be as solid as any other form of network security. These days, of course, that may not be such a great boast, given the growing army of nefarious individuals out there in cyberspace, attempting to either bring down systems or steal valuable information from them.
Richard Grigonis is Executive Editor of TMC's IP Communications Group.