For example, recently (October 2007) it was revealed that Cisco's Unified CallManager - which is now officially called the Cisco Unified Communications Manager (CUCM), contains two Denial of Service (DoS) vulnerabilities: First, a massive stream of UDP SIP (Session Initiation Protocol) INVITE messages could cause a "resource exhaustion condition" on CUCM systems resulting in a "kernel panic" Second, the CUCM Trivial File Transfer Protocol (TFTP) service contains a buffer overflow vulnerability that may result in a denial of service condition or allow a remote, unauthenticated user to execute arbitrary code. Although no workarounds exist, Cisco has made free software available "to address these vulnerabilities" for affected customers.
One company that has carefully considered UC security is Dimension Data (www.dimensiondata.com), which provides highly integrated voice, video, data and web tools. Jim Koniecki, Dimension Data's Integrated Collaboration Solutions Manager, says, "The integration of multiple communications systems - many of which are mission-critical to business operations - brings about many pressing security considerations. We recommend that organizations adopt a built-in - rather than bolt-on - security approach. With a built-in approach, security tools are built into an application, rather than being applied from a third-party device. This approach is more holistic, with security tailored and applied to of the whole of specific applications."
"To secure unified communications systems," says Koniecki, "organizations should take advantage of the capabilities that exist within network equipment such as routers and switches and of the encryption designed into the UC devices themselves. Security for these systems should be viewed as a natural extension of an organization's existing security technologies like firewalls and intrusion detection. Keep in mind that robust, well-designed security for unified communications should involve the infrastructure, call management, endpoints and application levels."
"The proliferation of enterprise instant messaging [IM] brings additional security concerns," says Koniecki. "One of the main motivators for the deployment of enterprise - rather than commercial - IM systems is the additional security they offer through better control, conformity to corporate policy and archiving capabilities. In order to take advantage of these security and compliance benefits, organizations should consider at least three major pertinent areas: First, archiving - will communication sessions, especially IM, be archived and stored? Will this occur centrally or at distributed locations? What impact will this have on data storage systems [NAS, SANs, etc.]? For example, Microsoft Live Communications Server [LCS] archives IM sessions in an SQL database. It is important to ensure this database is secured and that adequate capacity has been provided for future growth of this archive."
"Second, there's Federation - many organizations will wish to federate their LCS system with other companies or with public IM servers," says Koniecki. "This process requires careful planning of certificates, server names and Internet Domain Name System [DNS] entries. It's important to plan what external connectivity will be required at the architectural stage and to design accordingly."
"Third and finally, there's the matter of Policies - the implementation of suitable policies will determine the features enabled - file transfer, call control, etc.," says Koniecki. "Policies should be tailored to security concerns - addressing what types of information can travel over IM."
"Organizations also need to be prepared to address overall system security," says Koniecki. " By implementing integrated collaboration tools, many systems throughout an organization will be exposed to one another. For example, PBXs will be exposed to the IP network via Computer Telephony Integration [CTI] interfaces, and messaging and presence systems will be exposed to the public Internet to enable remote connectivity and federation. Close attention needs to be paid to securing these previously isolated systems to enable safe and secure interactions." [Note: For a more generalized view of UC by Dimension Data, see the "60 Seconds with Jim Koniecki" piece at the end of this issue.]
Securing Office Communication Server 2007
Somewhere in the hoopla over Microsoft's announcement of Office Communications Server 2007 and its plunge into the world of UC, Securent (www.securent.com) announced that OCS 2007 could be supported (and hence "fortified") with its XACML-based Entitlement Management Solution (EMS). Securent's product was already wellknown among the Fortune 500 for its ability to enable organizations to centrally administer, enforce, and audit fine-grained access policies across heterogeneous application and IT environments. Now, teamed with OCS 2007, Securent's EMS solution will further secure any business communications running on Microsoft's platform, providing such things as policy-based control and visibility into OCS 2007-based communications, allowing security teams, administrators, compliance officials, IT managers, and even end users control over who and which devices get to communicate over the platform.
Many times the problem is simply one of using a risky component in a larger suite or platform, such as the continued popularity of public P2P applications, such as chat and instant messages traveling over federated public IM clients. Indeed, NewDiligence Market Research says that 74% of organizations that use enterprise IM or UC applications such as Microsoft Office Communicator 2007, nevertheless continue to use public IM. Such "greynets" pose security risks such as malware, identity theft, intellectual property loss and compliance risks.
Fortunately, in such cases, FaceTime Communications (www.facetime.com) offers a suite of management security and compliance products, and now supports the new Microsoft OCS 2007. Aside from IM, its scalable, API-based architecture can add an extra line of defense against malware and information leakage, and its abilities can extent to VoIP and web conferencing. Moreover, if a server fails, policies are still enforced and messages continue to be archived for compliance and audit purposes. (Which is probably why FaceTime now has Gold Certified Partner status in the Microsoft Partner Program.)
As UC proliferates on the coattails of Microsoft OCS 2007, we'll see how many unique security issues pop up. Fortunately, a whole phalanx of third-party vendors will be ready and waiting to counter whatever comes along.
Richard "Zippy" Grigonis is Executive Editor of TMC's IP Communications Group.
Unified Communications Communications Magazine Table of Contents