Unified communications (UC) adoption is increasing, and so are concerns over its security. Sixty percent (60%) of organizations are implementing a UC architecture in 2009, up from 47% in 2008, according to participants in Nemertes UC research.
VoIP continues to be the dominant application in a UC architecture. To date, most security has been the creation of virtual islands: isolating VoIP traffic from the rest of enterprise LAN traffic. But the scope of UC is expanding rapidly to include unified messaging (the integration of e-mail, voice mail and fax), presence, instant messaging, conferencing and social-computing apps (internal blog and wiki apps, Yammer, Facebook, YouTube, Twitter, etc.).
At the same time, the scale of UC is also expanding rapidly as UC connects business partners, customers, mobile workers and virtual workers, all of whom sit outside the corporate security boundary. That renders VoIP isolation obsolete.
The bottom line is that UC security must also expand in scope and scale. In this column I'm focusing on issues of scale. Scope will be next week's topic.
Protecting VoIP communications for mobile and virtual workers is one of the greatest challenges. This includes the confidentiality and integrity of the VoIP traffic, but also the protection of availability, something we can assume is table stakes for communications. Anyone plugging into a switch SPAN (mirror) port may listen to and record VoIP conversations.
Of course, voice snooping is not new (think of tapping the phone lines). Still, telecom and network managers tell us that executives express greater concern over VoIP snooping than over analog voice snooping, and for good reason. The concern is greatest regarding VoIP's susceptibility to eavesdropping on the public Internet: VoIP carried over the Internet is far more exposed than voice on the public switched telephone network (PSTN).
Encryption is the only way to guarantee confidentiality for internal and external VoIP traffic. But the challenge with encryption is, well, everything is encrypted! Recording for archival purposes, scanning for potential wrongdoing and monitoring are all impossible with encrypted VoIP. On the other hand, multiple conversions can negatively affect voice quality, another major concern of corporate executives.
What's needed is encryption outside the firewall and cleartext VoIP inside the firewall. I'll come back to this in a second.
Authentication is the validation that it's really Johna (and not someone who has stolen Johna's identity) on the phone. We need at least two of the three factors: something you have (a valid VoIP phone or computer), something you know (a password or PIN) and something you are (a biometric). Historically, voice and VoIP authentication has been mostly implicit. If Johna is using Johna's VoIP phone at Johna's desk, it's most likely ... Johna. But what if Johna is a teleworker, virtual worker or traveling worker? The location is now meaningless, and since Johna is out of the office, she's probably using a VoIP softphone, as do about 10% of VoIP phone deployments.
The good news is that VPNs can address both issues. A VPN agent on the remote PC/laptop authenticates the user. This may involve authenticating the computer as part of connection establishment or requiring the user to carry a secure token such as an RSA SecurID. Then the VPN establishes an encrypted tunnel (IPsec or SSL) to protect the confidentiality of the communications. Decryption occurs at the corporate VPN gateway, alleviating the issues raised above.
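As an added illustration of the arrangement described in the two preceding paragraphs (this is not configuration from the column or from Nemertes), here is a strongSwan `swanctl.conf` fragment for a remote-access IKEv2 gateway. It requires two of the three factors before the tunnel comes up: a machine certificate on the laptop (something you have), checked in the first authentication round, and an EAP username/password for the user (something you know) in a second round. The gateway address, identities, file names, address ranges and the secret are placeholders. Traffic arriving through the tunnel is decrypted at the gateway and forwarded in cleartext into the assumed corporate network 10.0.0.0/8, which is the "encrypted outside the firewall, cleartext inside" split the column calls for.

```conf
# Added example: strongSwan swanctl.conf for a two-factor remote-access gateway.
# All addresses, identities and file names below are assumed placeholders.
connections {
    remote-workers {
        version = 2                          # IKEv2 only
        local_addrs = 203.0.113.10           # public address of the VPN gateway (placeholder)
        pools = remote-worker-pool           # virtual addresses handed to road warriors
        proposals = aes256-sha256-x25519     # IKE SA: AES-256, SHA-256 PRF/integrity, X25519 DH

        # Gateway authenticates itself to the client with its own certificate.
        local {
            auth = pubkey
            certs = vpn-gateway-cert.pem     # placeholder file in /etc/swanctl/x509/
            id = vpn.example.com
        }

        # Round 1: "something you have" - the laptop's machine certificate,
        # which must chain to the corporate CA.
        remote {
            auth = pubkey
            cacerts = corp-ca.pem            # placeholder file in /etc/swanctl/x509ca/
        }

        # Round 2: "something you know" - the user's EAP credential.
        # Multiple remote sections = multiple authentication rounds (RFC 4739).
        remote-eap {
            auth = eap-mschapv2
            eap_id = %any                    # any EAP identity; the secret must match below
        }

        children {
            corp-net {
                # Only the corporate network is reachable through the tunnel.
                # Inside this range the traffic travels in cleartext after the
                # gateway strips the ESP encryption.
                local_ts = 10.0.0.0/8
                esp_proposals = aes256gcm16-x25519   # ESP: AES-GCM (confidentiality + integrity)
            }
        }
    }
}

pools {
    remote-worker-pool {
        addrs = 10.99.0.0/24                 # placeholder range for remote clients
    }
}

secrets {
    # EAP credential for the user; in production this would come from a
    # RADIUS back end (eap-radius) rather than a static file.
    eap-johna {
        id = johna
        secret = "CHANGE-ME-placeholder"
    }
}
```

Both rounds must succeed or the IKE_SA is never established, so a stolen password alone (no enrolled laptop certificate) or a stolen laptop alone (no password) does not get a tunnel. Everything the gateway forwards into 10.0.0.0/8 is in the clear, which is exactly what makes recording, scanning and monitoring on the inside possible again.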
Of course, this still leaves us with the challenge of convincing corporate executives that the benefits of unencrypted VoIP and UC traffic on the corporate network outweigh the risks. A topic for another day.
Johna leads the Nemertes team of analysts, who regularly benchmark the organizational, technology and business trends of businesses of all sizes.
The unique methodology includes detailed, structured conversations between Nemertes analysts and IT practitioners. From each conversation, Nemertes gathers about 200 data points, which are entered into SPSS, a statistical database. Analysts then conduct correlation analysis across all sizes of organizations to understand the differences in technology adoption, spending and priorities between SMBs and larger enterprises.
Analysts use that research data, combined with real-world experience and knowledge, to advise SMBs and enterprise organizations on their IT strategies with targeted service offerings specifically for each segment.
Finally, Johna and her team have spoken at hundreds of events where they interact with IT practitioners from all sizes of companies. These conversations also provide perspective on the unique challenges facing SMBs, as well as those facing enterprises.
VPN and UC
UC over an MPLS network with IPsec VPN tunnels back into the cloud works just great.
I am a Sprint employee and that is exactly what we are using to great effect.