Network World
Saturday, November 22, 2008

Considering Convergence


Securing the Line Part 4 - COS Planning / Auditing

COS, or Class of Service, is not a new term or idea. Also known as the 'effective permissions' of the telecom world, COS is often overlooked in a security analysis.

In fact, the fundamental ideas and implementations of Class of Service have changed very little from the PBX "boom" of the '80s to today. Typically, COS is assigned to groups of users (or terminals) to determine who can do what, when, and how. For instance, COS rules may exist to limit international dialing, feature usage such as off-net call forwarding, or even messaging features such as mailbox features and message length.

Even for non-IP switches, a lack of COS policies or proper allocation can open serious security holes. Simply put, these vulnerabilities usually exist because users or terminals have too much power. We've all heard about instances of 'phone phreaking', which can exploit errors in COS implementation to gain access from outside sources.

So, how do you analyze and reorganize your Class of Service permissions? First, conduct a COS audit to determine what levels of COS are available on your switch. It's important to understand the COS "bounds" of your telecom environment, that is, how much control is actually available.

Secondly, work with your users to determine what features or services of your environment they use, how, and why. Using the Principle of Least Privilege, restrict groups of users or departments to the features or permissions they absolutely require. For "power users", implement a method to notify them of their responsibility to watch for, and report, potential security problems.
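The two audit steps above can be sketched as a small script. This is an added example, not code from the original post: it compares what each group's COS grants with what the group was seen using, then suggests the smallest level that still covers that use. The level names, feature names, groups and usage records are constructed, and the result is a starting point for the conversation with users, not a substitute for it.

```python
from collections import defaultdict

# Constructed sample data; level names, features and groups are hypothetical.
COS_LEVELS = {
    "COS1": {"local"},
    "COS2": {"local", "long_distance"},
    "COS3": {"local", "long_distance", "international", "off_net_forward"},
}
ASSIGNMENTS = {"lobby": "COS3", "sales": "COS3", "support": "COS2"}
# (group, feature used), as might be summarised from call detail records.
USAGE = [
    ("lobby", "local"),
    ("sales", "local"), ("sales", "long_distance"), ("sales", "international"),
    ("support", "local"), ("support", "long_distance"),
    ("support", "international"),  # not granted by COS2: worth investigating
]


def audit(cos_levels, assignments, usage):
    """Compare granted COS features with observed use, per group."""
    used = defaultdict(set)
    for group, feature in usage:
        used[group].add(feature)
    report = {}
    for group, level in assignments.items():
        granted = cos_levels[level]
        legit = used[group] & granted  # use that the current COS allows
        # Smallest level that still covers the legitimate use.
        fits = [name for name, feats in cos_levels.items() if legit <= feats]
        report[group] = {
            "current": level,
            "unused": sorted(granted - used[group]),
            "ungranted_use": sorted(used[group] - granted),
            "recommended": min(fits, key=lambda n: (len(cos_levels[n]), n)),
        }
    return report


if __name__ == "__main__":
    for group, row in audit(COS_LEVELS, ASSIGNMENTS, USAGE).items():
        print(group, row)
```

A non-empty `ungranted_use` list means a feature was used that the assigned COS should have blocked, which points at a COS implementation error rather than a reason to raise the group's level.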

COS and permission reassignment takes time! Especially in large organizations, the auditing and analysis process may take months or years. However, COS is a critically important piece of the security puzzle that is often overlooked.


About Matthew Nickasch

Nickasch has been very involved in IT since he was just 13. His current and previous consulting experience includes systems architecture, virtualization, and converged networks for the financial, education, and healthcare industries. Matthew currently attends the University of Wisconsin-Platteville, where he also works as a network management assistant. While his interests include directory services and routing protocols, Nickasch's focus is on converged networks and voice over IP.


The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.
