On May 9, 2005, The New York Times referred to an alarming incident that occurred last year in which an intruder breached a major network and seized programming instructions for many of the computers that control the flow of the Internet, including those serving the U.S. military, NASA, and research laboratories. Said the Times: "...the case illustrates the ease with which Internet-connected computers, even those of sophisticated corporate and government networks, can be penetrated, and also the difficulty in tracing those responsible."
For those of us who stay up at night thinking of how to protect organizations from security breaches, this case provides a reality check about what it will take to harden our defenses against increasingly destructive zero-day exploits, or previously unknown breaches, in which intruders find new ways to break through an organization's defenses and do serious damage. A successful attack could cripple an enterprise, interrupt business continuity, and result in lost revenue.
The convergence of voice and data networks complicates the issue. While it fosters a more intelligent communications environment, where workers, processes, and customers are connected to the right people at the right time, convergence also requires skillful management of a new generation of cyber threats. Until now, most attacks have targeted data networks, but as voice applications become even more strategic on IP networks, they too can be exposed to many of the same vulnerabilities that plague data networks, including denial of service (DoS), application layer attacks, spoofing, trust exploitation, and so on. In fact, in another example of today's vulnerabilities, on July 14 The Wall Street Journal reported that critical flaws in one vendor's IP telephony software could allow hackers to gain control and shut down voice systems, redirect phone calls, eavesdrop, or gain access to other computers running that vendor's telephony.
But there's good news and no need to panic. For one thing, not all IP telephony platforms on the market share the same architecture. Vulnerabilities in one are likely to be absent in another. Further, multiple lines of defense can protect businesses that launch into the new era of intelligent communications. Most communications vendors provide solid security solutions now and are developing many others. But in order to succeed against the hackers, thieves and phishers that threaten us, businesses must first recognize that security in a converged world does not have a simple, one-step, one-layer, one-vendor solution. The industry itself must also come together to educate customers about potential dangers and to develop new security solutions to address emerging threats.
The first step is to know what can be done. Here are some key principles for defending converged networks, ensuring that voice applications remain secure, and protecting an enterprise's global communications.
Protect Communications Flow At Every Level Of A Multivendor Network
With cyber attacks becoming more sophisticated, organizations that rely on securing the network infrastructure alone will find themselves defenseless if an intruder penetrates that first level. Enterprises must also provide strong security at the application and unified access layers. Every vulnerable point and application within the organization needs to be able to defend itself from attack.
Take denial of service, for example. Providing protection only at the network infrastructure layer (i.e., the router) can pose a major problem if an intruder gets into the network, and most attacks happen within the network infrastructure. Remember the old adage: "You're only as strong as your weakest link." Ignoring DoS protection within the server at gateways and endpoints can make a business less secure.
The best strategy is to provide layers of protection all the way from the network infrastructure through the application level to the user device. A practical fact of life is that most networks are multivendor through acquisitions, mergers, and reuse of legacy systems and the best technology combinations. So, multilayer protection must work well even in a network created by multiple vendors.
While it is imperative to repair and harden the problems of network infrastructure, just relying on the infrastructure alone is playing with fate. New threats will evolve, new attackers will emerge. Make it harder for attackers by increasing the number and types of hurdles they have to pass through up and down the communications stack.
Use Open Rather Than Proprietary Solutions
The major benefit of open standards is that vendors and users alike are able to build on what's already been accomplished to solve security problems, so the level of protection is constantly improving. The protection is also more likely to work in multivendor environments and continue to protect the network as new elements are added, as long as they, too, adhere to industry standards.
In a proprietary implementation, businesses rely on a vendor's claims of the security being provided, which could put a company at risk if those claims have not been tested and certified through rigorous industry peer review. In an open environment, vendors are challenged to meet specific government certification criteria, and must be tested to prove they do what they say they do. Open standards let customers choose the best, most cost-effective security solutions that make the most sense for their particular business. Those who are locked into one vendor's proprietary security system year after year could find themselves in a precarious situation through lack of interoperability and an inability to keep up with the best available solutions.
Because a total security solution requires protection at the unified access and business application levels, as well as the network infrastructure level, an open standards approach is vital to securing business communications. Every vulnerable point and application within the organization needs to be able to defend itself from attacks, and an open standards-based strategy for multivendor networks works best.
Trust Vendors That Take A Holistic Approach To Security And Collaborate With The Industry
Security-conscious vendors take a multifaceted approach to delivering secure products and solutions, not just by addressing all entry points along the stack, but also all milestones in the lifecycle of an installation. Be sure to ask vendors about their approach and evaluate how they deliver secure products and solutions.
Media encryption is one example: It is not just offered on high-end elements, those requiring third-party adjuncts, or for just point-to-point calls. Why secure an executive telephone only, if every telephone on a floor is also a point of system vulnerability? There should be a clear understanding of the vendor's policy for addressing new vulnerabilities, such as a rapid response team that initiates assessment, communicates whether the customer is at risk and, if necessary, takes steps to mitigate that risk.
Some vendors also offer key services that can enhance the security of converged networks. A knowledgeable vendor can help in the initial architectural planning of a secure converged network, paying special attention to the availability of mission-critical IP telephony applications. In implementing a solution, make sure the chosen vendor has the expertise to not only execute, but also service security processes. Once a network is in, experts must help monitor it securely, so choose a vendor that offers a level of support commensurate with business needs. A vendor should be able to remotely maintain a network securely, and provide a total managed service that includes monitoring, root cause analysis, and remediation for security functions across the converged infrastructure.
However complete any one vendor's approach might be, no single vendor is likely to be able to protect customers from all future threats. Meeting this challenge requires the industry to pull together and share information to help educate customers and, as new threats and solutions are developed, provide defense mechanisms that can be rapidly tailored to the new challenges. Why reinvent the wheel if people have already done productive work and have done it well?
It is important for today's leading vendors to work with groups like the VoIP Security Alliance (VOIPSA), a premier alliance of the VoIP and security communities, focused on increasing vendor and customer awareness of threats to IP communications. Another industry group, Trusted Computing Group (TCG), develops and promotes open specifications for use in products that check the integrity of a computing platform, and protect it against software-based threats. TCG provides an architecture that helps enterprises validate clients before admitting them into a network, raising defenses to another level.
As an industry, we are not yet at the point where every business network and the applications on it are completely safe from malicious attacks. The network penetrations already reported demonstrate that these threats are still very real. But steps can be taken to reinforce and protect business communications against bedeviling attacks. Holistic security must transcend all layers of the enterprise, and encompass network infrastructure, communications and business applications, as well as end points. Open, standards-based, multivendor solutions and services, combined with industry best practices, are the path to greater integrity in an increasingly hostile communications environment. Once these essential principles are incorporated throughout a communications framework, a business will have a secure foundation from which to reap the extraordinary benefits offered by the new age of intelligent communications.
Joseph Curcio is vice president of security strategy and development at Avaya. For more information, please visit the company's Web site at www.avaya.com.