Securing Converged Networks
BY CHRIS MEANEY
Always a concern, but never really completely addressed, network security has traditionally been viewed more as a cost than a benefit. A pure expense with no clearly visible return on investment, network security has historically played second fiddle to a wide range of other budget imperatives. But global events have removed that naiveté -- if not forever, at least for a long, long while.
Adding to the urgency of the network security problem is the increasing pervasiveness of convergence. Why is this an issue? Because traditional voice-only networks were circuit switched and virtually closed. Sure, toll fraud could be a significant problem -- but this presented a defined financial exposure, not the unlimited information asset risk possible with breaches in data network security.
But now that voice and data are being converged on a single packet-based network infrastructure, every voice port -- and every telephone -- is a potential access point for hackers. Whether converged network users are within the firewall or outside it, or whether they are local, remote, or wireless, the raw number of access points has simply increased, and so too has the risk of exposure. Furthermore, this trend is likely to continue as corporations open their networks to e-business relationships with partners, suppliers, and customers.
The IT security challenge today is not a new concern; it has plagued us since the first mainframe computers appeared. Back then, security was primarily password-based. And it still is. Only now, the importance of good password administration is more thoroughly understood, and organizations have a bigger bag of technological tricks to choose from. In fact, by coupling password administration (keep it easy enough to remember, don't ever write it down, and change it often) with the latest random password generating tokens, smart card, and biometric technologies, fairly decent security can be achieved.
But be advised: the only absolutely secure environment is one that is powered down and protected by a fully hardened facility. As soon as a server or telephone switch is turned on and connections made, the converged network is an exposed network. In other words, in the real world, where systems are always on, security is never absolute; it is always an issue of degree.
So how can the converged network be protected? Well, understanding that absolute protection is completely unreasonable from a business perspective, achieving good security must begin from the perspective of what is, in fact, doable. Firewalls, for example, are eminently doable, and virtually all companies have taken this vital step; firewalls are fairly inexpensive, easy to implement, and they work. But they only go so far.
Firewalls do nothing to protect against malicious damage by employees operating within the firewall, or by newly terminated employees whose access has yet to be denied. Nor do firewalls address potential data network breaches that originate through telephones on converged networks. And, if password administration is not what it should be, firewalls do nothing to prevent illicit external access by someone who has found a password posted on a monitor they happened to walk past on their way to a job interview.
What it comes down to is this: firewalls, passwords, and good security administrative procedures are all essential, but they need to be implemented in a context that spans the security requirements of the entire enterprise -- internal employees, mobile or remote employees, partners, vendors, and customers.
To truly protect network resources, enterprises need to approach security from a holistic perspective. Basically, it does not matter who a network user is, as long as the network knows what kinds of access that individual is entitled to. Can employee "A" access teleconferencing features and long-distance dialing on their telephone as well as all database applications, for example, or should they be restricted to local dialing and read-only access to word processing documents?
To achieve this kind of highly granular security access requires a master database, or security gateway, that details each and every access privilege allowed to each and every authorized network user. In addition to its obvious day-to-day benefits, another key advantage of a security gateway that spans the entire enterprise is its ability to streamline administrative procedures.
In most organizations, where a siloed approach to security is taken, each time an employee is fired or otherwise leaves, a number of databases have to be changed; the person's extension on the PBX, for example, needs to be deleted from one server, while their password needs to be deactivated on another. Then, if multiple applications had special sign-on procedures, they too need to be updated. And, of course, the badge that provided physical access to specific offices also needs to be deactivated. Until every one of these actions has been taken, the opportunity for a security breach remains open, yet getting all of the databases updated swiftly is often delayed.
Certainly it would be far simpler, faster, and less prone to human error to make all these changes in a single centralized resource that is linked to all other security systems on the network and in the facility. With access control parameters both individualized and centralized on a security gateway, the stage is also set for new security modalities that will present themselves for converged networks. Already, for example, IP telephones are becoming available that are only activated by smart cards.
With these phones, the specific types of privileges provided can be linked to individual users. But where is this information to be stored? Certainly, with all the effort to converge voice and data onto a single infrastructure, it would not make much sense to create a new silo for telephone security information.
A far more cost-effective and manageable approach would be to link telephone privilege data with security profile information across all corporate resources. That way, when anyone gained access to any device, be it telephone, PC, or wireless device, the system could recognize that individual and automatically and instantly determine the authorized levels of access.
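The single-source-of-truth idea in the preceding paragraphs, as an added example that is not from the article or from Siemens: one profile record holds a user's telephone classes of service, application rights and badge doors, every enforcement point queries that record, and a single deprovision step revokes all of them together instead of three separate database edits. The users, systems, privileges and door names are constructed placeholders.

```python
"""Added example: a central security gateway with one-step deprovisioning.
All users, applications, call classes and doors below are constructed."""

from dataclasses import dataclass, field


@dataclass
class AccessProfile:
    user: str
    phone: set = field(default_factory=set)    # call classes, e.g. "local", "long_distance"
    data: dict = field(default_factory=dict)   # application name -> "read" or "write"
    badge: set = field(default_factory=set)    # doors the badge opens
    active: bool = True


class SecurityGateway:
    """Holds every privilege for every user; PBX, applications and the badge
    system ask it at access time rather than keeping their own copies."""

    def __init__(self):
        self._profiles = {}
        self.audit_log = []   # (event, user, detail)

    def enroll(self, profile):
        self._profiles[profile.user] = profile
        self.audit_log.append(("enroll", profile.user, ""))

    def can_dial(self, user, call_class):
        p = self._profiles.get(user)
        return bool(p and p.active and call_class in p.phone)

    def can_access(self, user, app, mode):
        p = self._profiles.get(user)
        if not (p and p.active):
            return False
        granted = p.data.get(app)
        # "write" implies "read"; anything else must match exactly
        return granted == mode or (granted == "write" and mode == "read")

    def can_open(self, user, door):
        p = self._profiles.get(user)
        return bool(p and p.active and door in p.badge)

    def deprovision(self, user):
        """One action: the profile is marked inactive, so every check above
        fails at once. Returns the list of privileges that were revoked."""
        p = self._profiles.get(user)
        if p is None:
            return []
        p.active = False
        revoked = [f"pbx:{c}" for c in sorted(p.phone)]
        revoked += [f"app:{a}:{m}" for a, m in sorted(p.data.items())]
        revoked += [f"door:{d}" for d in sorted(p.badge)]
        self.audit_log.append(("deprovision", user, ",".join(revoked)))
        return revoked


def demo():
    """Enroll two constructed employees, off-board one, and report the
    access decisions before and after."""
    gw = SecurityGateway()
    gw.enroll(AccessProfile("employee_a",
                            phone={"local", "long_distance", "conference"},
                            data={"payroll_db": "write", "docs": "read"},
                            badge={"hq-3f"}))
    gw.enroll(AccessProfile("employee_b", phone={"local"},
                            data={"docs": "read"}, badge={"hq-lobby"}))
    before = (gw.can_dial("employee_a", "long_distance"),
              gw.can_access("employee_a", "payroll_db", "read"))
    revoked = gw.deprovision("employee_a")
    after = (gw.can_dial("employee_a", "long_distance"),
             gw.can_open("employee_a", "hq-3f"))
    return before, revoked, after


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the enforcement points never cache an answer: the PBX asks `can_dial` per call and the door controller asks `can_open` per swipe, so deactivating the one record is sufficient, and the audit log records exactly what was revoked and when.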
Of course for the security gateway to be fully effective, it must be able to determine that each person attempting an access is actually who they say they are. Enter passwords, tokens, smart cards, or biometric analysis. But which of these access techniques is appropriate, and when should it be used? Does an accounts payable database for a city agency, for example, need the same level of protection as a database that lists information about public parks? Clearly not. But does the accounts payables database warrant the best security money can buy, or will something less be adequate?
To make these decisions, organizations need to create an enterprise-wide security policy. Development of this policy should begin with a complete audit of the existing network infrastructure, and all elements in that infrastructure, as well as the physical facilities that house the network. Next, with senior management support, the relative importance of the various assets identified in the audit must be determined. The goal: to determine the specific assets the organization needs to protect and how valuable those assets are. Finally, a gap analysis should be completed that correlates assets and vulnerabilities to create a prioritized set of needs: Do the highest priority assets have the highest vulnerabilities, or do lower value assets have more protection than is required?
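The three-step process just described (audit, asset valuation with management, gap analysis) as an added example that is not from the article: a constructed inventory of assets with a value, an exposure and a current protection level, a rule for the protection each asset requires, and a prioritized list that answers the two questions the paragraph poses, which high-value assets are under-protected and which low-value assets carry more protection than they need. The assets, scales and the required-protection rule are assumptions made for the illustration.

```python
"""Added example: asset-versus-protection gap analysis.
Asset names, scores and the protection rule are constructed for illustration."""

# Step 1, the audit: each asset scored 1-5 for value to the organisation,
# exposure (how reachable or vulnerable it is) and protection (strength of
# the controls actually in place).
INVENTORY = [
    {"asset": "accounts_payable_db", "value": 5, "exposure": 4, "protection": 2},
    {"asset": "public_parks_db",     "value": 1, "exposure": 3, "protection": 4},
    {"asset": "pbx_long_distance",   "value": 3, "exposure": 4, "protection": 3},
    {"asset": "hr_records",          "value": 5, "exposure": 2, "protection": 5},
]


def required_protection(asset):
    """Step 2, the management-approved rule (an assumption): protection must
    match value, and highly exposed assets need one notch more, capped at 5."""
    need = asset["value"] + (1 if asset["exposure"] >= 4 else 0)
    return min(need, 5)


def gap_analysis(inventory):
    """Step 3: correlate assets and vulnerabilities into a prioritised list.
    gap > 0 means under-protected; gap < 0 means more protection than required.
    Rows are ordered so the largest shortfall on the riskiest asset comes first."""
    rows = []
    for a in inventory:
        need = required_protection(a)
        rows.append({
            "asset": a["asset"],
            "required": need,
            "actual": a["protection"],
            "gap": need - a["protection"],
            "risk": a["value"] * a["exposure"],   # ordering score only
        })
    rows.sort(key=lambda r: (r["gap"], r["risk"]), reverse=True)
    return rows


def under_protected(inventory):
    """Assets whose controls fall short of what their value and exposure demand."""
    return [r["asset"] for r in gap_analysis(inventory) if r["gap"] > 0]


def over_protected(inventory):
    """Assets where spending could be reduced or redirected."""
    return [r["asset"] for r in gap_analysis(inventory) if r["gap"] < 0]


if __name__ == "__main__":
    for row in gap_analysis(INVENTORY):
        print(row)
    print("under-protected:", under_protected(INVENTORY))
    print("over-protected:", over_protected(INVENTORY))
```

On the constructed inventory the accounts payable database comes out first (high value, high exposure, weak controls) while the parks database is flagged as over-protected, which is exactly the kind of mismatch the gap analysis is meant to surface before budget is allocated.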
Armed with this information, organizations can implement the protective policies and technologies appropriate for every level of their operations. But two caveats are in order here. First, be aware that no single vendor offers the entire suite of solutions required for an enterprise-wide security solution. As a result, a skilled and experienced solutions integrator is often required. And second, good security does not end once a solution is implemented.
All security solutions and systems need to be continually monitored, administered, updated, and evaluated. Just because you implement a firewall, for example, does not mean that no one will try to penetrate it. And if they do, what kinds of systems are available for detecting the intrusion and what kinds of policies are available for reacting to that action? How will you determine which systems were attacked and what, if any, impacts exist? Should you react by shutting down systems, and if so, for how long?
All of these questions need to be asked, answered, and re-evaluated periodically to ensure that policies and systems are always meeting risk protection requirements. Again, a security solutions integrator is probably the ideal place to turn for assistance in resolving these issues, helping to keep security policies both current and meaningful, and for assisting in completing periodic penetration tests that assess the effectiveness of the security environment.
Organizations need to understand that even with limited budgets they can take significant steps towards creating and implementing this type of security solution. By starting with a security plan that prioritizes assets and risks, the security battle can at least begin to be fought. These first steps are especially critical for converged networks, where every telephone and PC is an access point to the entire IT infrastructure, the lifeblood of every organization.
Chris Meaney is director of secure networks, Siemens Enterprise Networks. Siemens is a leading provider of integrated voice and data networks and solutions for enterprises, carriers, and service providers. For more information, please visit the company online at
To The November 2002 Table Of Contents ]
Securing Your Converged Network
Cracking the Code for Mass Telecommuting
BY RICHARD KAGAN
With the advent of low-cost, broadband IP services such as xDSL and Cable modems, millions of homes and non-traditional work locations have access to high-bandwidth Internet connections. These high-bandwidth connections can support converged IP voice and data applications that enable a new generation of telecommuters. For example, customer service agents, who traditionally work in tightly packed cubes in company call centers, could work from home by using a broadband connection to deliver integrated data and voice streams. The benefits to companies and their workers are compelling, and include a more flexible work force, reduced absenteeism, lower occupancy costs, extended working hours, reduced employee stress, and higher employee loyalty.
Of course, there's a catch: Enabling telecommuting for call center agents and other remote employees requires more than just high-bandwidth pipes. The special requirements of voice over IP (VoIP) traffic can make security especially challenging for converged voice/data applications. However, with the right approach, converged services are possible that enable high-quality, high-performance services without compromising security.
Know Your Application
All converged applications are not created equal. Consider the following two scenarios:
In a large call center, voice calls initiated from customers via the public telephone network are distributed to agents, who respond orally to customer queries by accessing a database hosted in the call center. The goal is to enable the agents to work from home.
In a customer support center, technicians respond to inbound help requests placed over the public telephone network, and occasionally they need to establish three-way NetMeeting conferences between the support technician, the customer, and a technical expert. The goal is to enable the technical experts to work from home.
While the basic requirements for the two scenarios are the same -- both require integrated, IP-based voice and data communications without compromising security -- each application must be treated in a unique way, as described below.
VPNs Work Well For Pre-Determined
The key to the first scenario is the fact that the agents and the company are known to each other and have a long-term, pre-existing "trust" relationship. In addition, there is a measurable return on the company's investment (e.g., reduced occupancy costs, reduced absenteeism and overtime, and the like) that can offset the cost of capital equipment required at each agent location. In this case, the best approach is to place an IPsec VPN gateway at each agent location, along with a corresponding VPN gateway at the main call center location, installed between the call center's Internet connection and the VoIP gateway. The IPsec encryption and authentication will protect the IP voice and data streams between the remote agents and the call center, and will also prevent any unauthorized users from accessing either the headquarters network or the individual agents' PCs via the public network. As long as the VPN gateways at the headquarters and at each agent location are sufficiently high-performance and do not introduce excessive latency, the voice and data streams will be synchronized and secure, and will not be adversely impacted by the VPN processing. In order to ensure sufficient performance -- less than 20 milliseconds latency per gateway -- a hardware-based VPN gateway is recommended.
Ad-Hoc Connections Require
The remote technical experts in the second case are much like the call center agents in the first scenario, and warrant the installation of a VPN gateway at headquarters and at each expert's home. However, the need to include the customer in the call adds a big wrinkle. From a network security point of view, the customer is "untrusted," and the duration of the ad-hoc relationship (i.e., the support call) is short. These factors rule out the use of a VPN gateway at the customer site. Instead, the link to the customer must be treated as a potentially hostile public connection, subject to firewall processing, anti-virus filtering, intrusion detection, and all of the functions needed to ensure complete protection for the headquarters network. This, however, leads to the so-called "VoIP/NAT traversal problem."
Network address translation (NAT) is a common technique used by firewalls to hide the private, internal addresses on a LAN from the public Internet in order to thwart intruders. Conventional NAT operates at the network layer, and only requires analysis of the packet addresses, or "headers," to work properly. Conventional NAT works fine for most Web applications and protocols, such as Web browsing (HTTP), e-mail (SMTP, POP3, IMAP), and so on. However, for voice/data applications such as NetMeeting, which use the H.323 protocol, conventional NAT prevents VoIP calls from working properly, because H.323 signaling carries the address and port for the media stream inside the packet payload, where a header-only NAT never looks. Doing address translation for VoIP traffic therefore requires an application-level, "VoIP-aware" NAT gateway at the call center, installed between the Internet connection and the H.323 gateway. Again, processing speed is critical due to the latency-sensitive nature of VoIP traffic. The ideal solution would be a hardware-based network protection gateway that supported VoIP-aware NAT, and that also could filter the customer's voice/data stream for viruses and worms, intrusion attacks, and other threats in real time.
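The VoIP/NAT traversal problem from the paragraph above, as an added example that is not from the article or from Fortinet: a header-only NAT and a VoIP-aware NAT are applied to the same outbound signaling message, and the result shows which address the customer's endpoint would be told to send audio to. The message format is a simplified stand-in for H.323/H.245 signaling (only the embedded media address matters here), and every address, port and host name is constructed; the public addresses come from the RFC 5737 documentation ranges.

```python
"""Added example: why header-only NAT breaks H.323 and what a VoIP-aware
NAT (application-level gateway) does differently. The packet layout is a
simplified stand-in for real H.323 signalling; all addresses are constructed."""

import re

PRIVATE_HOST = "10.0.0.5"       # NetMeeting PC on the headquarters LAN
PUBLIC_IP = "203.0.113.10"      # firewall's public address (RFC 5737 range)
CUSTOMER_HOST = "198.51.100.7"  # the untrusted customer's public host

_MEDIA_ADDR = re.compile(r"mediaAddress=(\d+\.\d+\.\d+\.\d+):(\d+)")


def make_signalling_packet(media_port):
    """Outbound call setup: the header carries src/dst, but the payload also
    names the private address and port the audio (RTP) should be sent back to."""
    return {
        "src": PRIVATE_HOST,
        "dst": CUSTOMER_HOST,
        "payload": f"OpenLogicalChannel mediaAddress={PRIVATE_HOST}:{media_port}",
    }


class ConventionalNAT:
    """Network-layer NAT: rewrites only the IP header, never the payload."""

    def __init__(self):
        self.table = {}   # public port -> (private host, private port)

    def outbound(self, pkt):
        out = dict(pkt)
        out["src"] = PUBLIC_IP
        return out

    def inbound_media(self, dst_port):
        """Where an inbound media packet to PUBLIC_IP:dst_port is forwarded,
        or None if no mapping exists (the packet is dropped)."""
        return self.table.get(dst_port)


class VoipAwareNAT(ConventionalNAT):
    """Application-level gateway: parses the signalling payload, rewrites the
    embedded media address to a public one and records the mapping so the
    customer's returning audio can be forwarded to the private host."""

    def __init__(self):
        super().__init__()
        self.next_public_port = 40000

    def outbound(self, pkt):
        out = super().outbound(pkt)
        m = _MEDIA_ADDR.search(out["payload"])
        if m:
            priv_ip, priv_port = m.group(1), int(m.group(2))
            pub_port = self.next_public_port
            self.next_public_port += 1
            self.table[pub_port] = (priv_ip, priv_port)   # open the pinhole
            out["payload"] = _MEDIA_ADDR.sub(
                f"mediaAddress={PUBLIC_IP}:{pub_port}", out["payload"])
        return out


def media_target(pkt):
    """The 'ip:port' the receiving endpoint would send audio to."""
    return re.search(r"mediaAddress=(\S+)", pkt["payload"]).group(1)


def reachable_from_internet(pkt):
    """False when the advertised media address is a private (10/8) address
    that the customer's host cannot route to."""
    ip = media_target(pkt).split(":")[0]
    return not ip.startswith("10.")


if __name__ == "__main__":
    pkt = make_signalling_packet(5004)
    plain = ConventionalNAT().outbound(pkt)
    print("header-only NAT tells the customer:", media_target(plain),
          "reachable:", reachable_from_internet(plain))
    alg = VoipAwareNAT()
    fixed = alg.outbound(pkt)
    print("VoIP-aware NAT tells the customer:", media_target(fixed),
          "reachable:", reachable_from_internet(fixed))
    print("return audio to port 40000 is forwarded to:", alg.inbound_media(40000))
```

With the conventional NAT the header says the call came from the public address, but the payload still advertises `10.0.0.5:5004`, so the customer's audio is sent to an unroutable address and the call is one-way or silent. The VoIP-aware gateway fixes both the advertised address and the return path, which is also why its processing sits in the latency budget of every call and why the article insists on hardware speed for it.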
Richard Kagan is vice president of marketing at Fortinet, Inc. Fortinet is a leading provider of network protection systems, enabling enterprises and service providers to improve the security of their networks, reduce misuse and abuse, and better utilize network resources without compromising performance at dramatically lower costs. Visit them at