Unified Communications Featured Article, UC Mag
Richard "Zippy" Grigonis, Executive Editor, IP Communication Group

Security in a Unified Communications Environment

Considering the increasing number of media "conduits" dealt with by unified communications platforms - and considering that users are more mobile and/or access corporate networks from remote locations via everything from analog phones to Skype clients - it's no wonder that security concerns have moved to the forefront.


Cisco's Craig Sanderson, Product Manager in the Unified Communications Security area, says, "Most of the work we've done in recent years is to try and make security more integrated into the system. When I say 'the system' I don't necessarily mean just the communications manager, phones or even the application, but what's happening in the infrastructure too. Customers also want to be able to deploy security as seamlessly as possible, preferably from Day One onwards, rather than building a UC system first and then securing it later, which can lead to various issues, such as limited options in the way they can secure things. We're also trying to solve some of the interoperability problems. For example, more customers run security and risk analyses and come up with the idea that they need to protect communications managers with things like firewalls - because they can provide a good first line of defense - and encryption."


"But what you sometimes find is that to have a successful encryption system - unlike a normal VPN where the two endpoints negotiate - you end up with a situation where the media or encryption keys are actually passed down to the endpoints in the signaling from the communications manager," says Sanderson. "That normally means that you also have to encrypt the signaling, and when you do that it gives you limited firewalling options to actually protect the communications manager from malicious signaling or an unauthorized signal request. So we've developed one particular feature on our firewall so we can integrate the firewall into the public key infrastructure of the Cisco Communications Manager to allow customers to enjoy the best benefits of having a fully functional firewall, but also one that can actually understand the encryption, to terminate the encryption and to successfully authenticate the endpoint."
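As an added example (not code from the article or from Cisco) of Sanderson's point that media keys ride inside the signaling: the standards-based SDES mechanism (RFC 4568) carries the SRTP master key base64-encoded in an a=crypto line of the SDP, so the check below parses an SDP offer and flags any such key that would cross an unencrypted signaling leg. The SDP body and the transport names are constructed, and that the communications manager in the article uses this exact key format is an assumption.

```python
import base64
import re
from typing import List

# RFC 4568 SDES: a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)(?:\|\S+)?$")

def sdes_keys(sdp: str) -> List[dict]:
    """Return every SDES master key offered in an SDP body (tag, suite, key length)."""
    found = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if m:
            tag, suite, b64 = m.groups()
            found.append({"tag": int(tag), "suite": suite,
                          "key_bytes": len(base64.b64decode(b64))})
    return found

def assess(signaling_transport: str, sdp: str) -> List[str]:
    """Flag SRTP keys that would be readable on the signaling leg.

    signaling_transport is how the SIP dialog travelled ("udp", "tcp", "tls").
    Because the media key sits inside the signaling, an unencrypted signaling
    leg exposes it; encrypting that leg is what then forces a firewall to
    terminate TLS and authenticate the endpoint before it can inspect anything.
    """
    if signaling_transport.lower() == "tls":
        return []
    return [f"SRTP master key (tag {k['tag']}, {k['suite']}, {k['key_bytes']} bytes) "
            f"offered in cleartext over {signaling_transport}"
            for k in sdes_keys(sdp)]

# Constructed sample offer: one AES_CM_128 SDES key (16-byte key + 14-byte salt).
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()
SAMPLE_SDP = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 16384 RTP/SAVP 0",
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY}|2^31",
])

if __name__ == "__main__":
    for finding in assess("udp", SAMPLE_SDP):
        print("WARN:", finding)
    print("over tls:", assess("tls", SAMPLE_SDP))
```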


"Up until now, one of the challenges has been that security has been made a bit too difficult a process for customers to handle," says Sanderson. "Some customers found the cost of doing complete security too expensive and, in some cases, not even possible. So what we've done is to leverage our expertise in security as well as switching and routing, and try to make security a bit more pervasive and easier to deploy. That's where a great deal of our effort has gone during the last 12 to 18 months."


"UC guys have always seen the firewall as 'the enemy' rather than something that could actually provide some security and help them out. So I think that what we need to do is make sure that we provide a solution so that all of the component parts work together seamlessly," says Sanderson. "Rather than leave it to the customer to find a technological solution to, say, an interoperability problem, it's better to try to leverage the expertise that we at Cisco have in various areas to bring it all together and make things simple to deploy so that it can solve the most problems for them. Until now, it hasn't been easy for a customer to do."


"We're trying to allow UC to break out of the enterprise," says Sanderson. "Right now, especially from a security perspective, the common view is that all of the bad guys are outside the organization and all of the good guys are on the inside. Of course, with the rise of mobile communications, remote access, and a more collaborative architecture, the traditional model of 'bad guys outside of the corporate perimeter' doesn't hold true anymore. What we see with our customers is that remote access and mobility are starting to make security a more high profile matter. Whereas they formerly took a more relaxed view of internal security, as they start to extend UC into the remote access and mobility realms, security becomes far more important - it can't be neglected. It has now become a fundamental piece of the architecture. Security must be capable of supporting voice, and in several ways - customers want solutions for remote VPNs, a mobile client, softphones on PCs, video endpoints, standard telephony handsets and so forth, so even a simple Internet connection can be used for a phone call if necessary."


"Add all of this up and there's real synergy between the data remote access and mobility that has been provided up to this point, and the increasing requirements concerning UC endpoints," says Sanderson. "And I think there's a real opportunity to deliver a single architecture that supports both. That's the most common security-related request I get from Cisco customers."


Certifiably Certifiable


ChosenSecurity provides digital trust between employees, clients and suppliers doing business over the Internet through On-Demand Digital Identity Management services. Their solutions provide strong authentication, secure email, digital signatures and encryption of data to control access to your digital assets, prevent theft of data and comply with numerous global regulations regarding privacy and digital signatures.


Dean Coclin, ChosenSecurity's Vice President of Business Development, says, "We're involved in authentication using digital certificates. We run a managed service that provides digital certificates for organizations wanting to use them for securing their email, and strong authentication of their users accessing the network or for signing electronic documents. How does this play with communications? We're also particularly involved in mobile communications, specifically wireless carriers. Smartphones now exist that can browse a website and download applications from anywhere on the Internet. There's a potential issue here where you've got websites that could be spoofing other websites and inserting nefarious applications on mobile devices that could cause havoc with the phone network. So we're involved with the Symbian and Java operating systems in terms of issuing certificates to authors of code, and those authors then sign that code with that certificate so that the code will run on the phone. Specifically, the Symbian world requires that all code be digitally signed before it can run on the device. We're the exclusive provider of those signatures for Symbian, the largest OS in the world for mobile phones."


"Specifically, we authenticate the author of the code who signs that code," says Coclin. "So now we know who signed it and when. It's not an anti-virus measure, but it's certainly a deterrent to authors of virus code, because they obviously don't want to be known."

"In the area of unified communications," says Coclin, "which in my interpretation means things such as VoIP, mobile VoIP, IPTV, VPNs, and so forth, we're talking about IP-based communications, which comprises traffic that has the potential to become intercepted and manipulated. Has this happened? Have there been many issues involving this? Quite honestly, I don't think so yet. Most of these networks are behind internal firewalls, so any breaches to the network would probably come from the internal side. However, we've seen in security breaches of the past that internal threats are probably greater than external threats. Therefore, an internal attack on a VoIP network or some sort of internal communications network is certainly realistic. What can people do to protect themselves from attacks on the internal network? They can do things such as encrypt voice traffic on the internal network, which has been done with data networks in the past. Digital certificates can be used to encrypt traffic and also provide strong authentication for users on the network. You could have certificates enabling phones or other devices to actually be on the network. There are also things such as mobile VoIP, so mobile devices can access a VoIP network internal to a company. Such companies now face a bigger threat because there isn't a physical device that's tied into the network - instead, there's a mobile device that people are roaming around with, and you want to make sure that's one of your devices and not somebody else's in the building that's fixing onto your network. Certificates can be attached to mobile devices to provide strong authentication."


"We see that Cisco and other vendors have the ability to add security, specifically certificates, into their devices," says Coclin. "Certainly with VPN clients from Cisco you can attach certificates, such as world standard X.509 digital certificates, instead of just a username and password. So somebody could steal a laptop and the laptop isn't password-protected, and they could open it up and start a VPN client - and consider that some VPN clients don't need a username and password, and even if they do, usernames and passwords are typically written on paper and taped to the laptop or are easily guessed. But certificates are 'something you know' - the PIN to the certificate - and 'something you have', which is the certificate itself. Passwords are just something you know. Certificates, having two-factor authentication, provide stronger security for the user and the company you're accessing. So if you've got a network that you're trying to protect with a VPN, it makes sense to use a certificate or some other type of authentication token to protect that network, rather than a password."


Technologies such as certificates, encryption and intrusion detection continue to evolve, countering the security holes created by increasingly interoperable and "device friendly" UC solutions.


Richard Grigonis is Executive Editor of TMC's IP Communications Group.
