We’ve spent a lot of time over the last few years interviewing IT leaders about their Unified Communications plans, gathering information on drivers, challenges, and results. While UC managers focus much of their attention on determining business cases, delivering new features, and dealing with integration challenges, two often overlooked areas also require attention: security and performance management.
Often we’ve found that companies implement their UC strategy without the involvement of the security team, or they involve them far too late in the implementation. Implementing UC creates new threats to enterprise voice systems, such as data loss and fraud, as well as attacks against the underlying data network resources. Until now, network managers have primarily worried about these latter threats, such as Denial of Service (DoS) attacks that disrupt not only voice but other application services as well.
IT leaders must consider the following security issues when implementing a UC strategy.
SIP trunking. SIP trunking creates a new vector for attacking enterprise phone systems. In most VOIP architectures, the PSTN serves as a firebreak between the enterprise phone system and the rest of the world. Risk of attack from the Internet is low as the VOIP system is physically and potentially logically isolated from the outside. Introducing SIP trunking changes this, as the enterprise phone system is now vulnerable to IP-based attacks via the SIP trunk. Session border controllers or SIP-aware firewalls can mitigate security concerns.
Eavesdropping. VOIP traffic carried via SIP trunk across a service provider network is often not encrypted, meaning that the opportunity exists for a rogue person to listen in on private conversations via compromise of service provider networks. However, this threat is no different than the risk of unauthorized interception of any unencrypted IP traffic carried across a service provider network. Internally, few companies encrypt voice or video sessions, meaning that rogue employees with access to network devices can listen in on or capture conversations.
Interconnection. As VOIP and UC systems increasingly peer with external networks via SIP trunking services and direct voice-to-voice peering services, companies open a new potential vector of attack. Here, as in SIP trunking, session border controllers or voice/video/presence aware firewalls can mitigate the threat.
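The check below is an added example, not part of the original column: it reads the text of a SIP INVITE and reports signalling or media that is negotiated without encryption, the condition the Eavesdropping item describes. The two INVITE messages, the host names and the function name `audit_invite` are constructed for illustration.

```python
import re

# Constructed sample INVITEs (not captured traffic).
PLAINTEXT_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pbx.example.com:5060;branch=z9hG4bK776asdhds\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)
MIXED_INVITE = (
    "INVITE sips:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS pbx.example.com:5061;branch=z9hG4bK74bf9\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 49172 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:<constructed-key-placeholder>\r\n"
    "m=video 49174 RTP/AVP 96\r\n"
)

# SDP transport profiles that carry SRTP (SDES or DTLS keyed).
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_invite(message):
    """Return a list of findings for one SIP message with an SDP body."""
    head, _, body = message.partition("\r\n\r\n")
    findings = []
    # The topmost Via header names the transport used on the last hop only.
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    transport = via.group(1).upper() if via else "UNKNOWN"
    if transport not in ("TLS", "WSS"):
        findings.append(f"signalling over {transport}: not encrypted")
    # SDP media line: m=<media> <port> <proto> <formats>
    for media, port, proto in re.findall(r"^m=(\w+) (\d+)(?:/\d+)? (\S+)", body, re.M):
        if port == "0":
            continue  # port 0 marks a rejected or disabled stream
        if proto.upper() not in SECURE_PROFILES:
            findings.append(f"{media} media uses {proto}: not encrypted")
    return findings

if __name__ == "__main__":
    for name, msg in (("plaintext", PLAINTEXT_INVITE), ("mixed", MIXED_INVITE)):
        print(name, audit_invite(msg) or ["no findings"])
```

The second sample shows a case that is easy to miss: TLS signalling and SRTP audio, with the video stream still offered as plain RTP.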
In addition, mobile and wireless services create new vectors that external attackers can use to target business VOIP networks. IT decision-makers should take advantage of security architectures that adequately assess risk and implement mitigation techniques to protect against attacks on UC equipment and the underlying network elements. Be sure to investigate UC security platforms and services as part of your deployment.
Irwin Lazar is the Vice President for Communication and Collaboration Research at Nemertes Research, where he develops and manages research projects, develops cost models, conducts strategic seminars and advises clients. His background is in network operations, network engineering, voice-data convergence, and IP telephony. Mr. Lazar is responsible for benchmarking the adoption and use of emerging technologies in the enterprise in areas including VOIP, unified communications, Web 2.0 initiatives, social networking, and collaboration.
A Certified Information Systems Security Professional (CISSP) and sought-after speaker and author, Mr. Lazar is a columnist for No Jitter and Enterprise2Blog. He is a frequent resource for the business and trade press and is a regular speaker at events such as Interop, VoiceCon, and Enterprise 2.0. Mr. Lazar serves as the conference director for FutureNet (formerly MPLScon), and is on the advisory board for the Enterprise 2.0 conference.