All companies these days pay at least some attention to security; it’s hard not to when news breaks about major breaches seemingly every week. While organizations of all stripes almost certainly do their best to protect intellectual property, customer data and anything covered by industry regulations, whether security efforts extend to all areas of their unified communications implementations, including voice, is another question.
“UC is flexible, has multiple modalities and mobility features – these are all new ways attackers can try to penetrate the network, or for data to leave the company,” says Paul DeLuca, Director of Infrastructure and Security for Sonus Networks.
Sonus makes session border controllers, which play a significant role in securing UC networks in general. But DeLuca isn’t involved in hawking their products. Rather, he’s responsible for Sonus’ own internal networks, including securing those networks. He also led the team that implemented UC internally, so seemed a good source to offer tips for ensuring the security of voice in a UC environment.
He breaks the issue down into three broad areas:
Monitoring and process
People and training
Architecting Unified Communications Voice for Security
Architecture involves having the right “plumbing” in place to address the key risks to UC. With respect to voice, one of those risks is denial of service attacks that can render the voice service unavailable. That’s an especially big risk for larger enterprises or call centers, where the ability to take calls directly affects revenue, DeLuca notes.
Another risk is that the UC voice ports become another avenue for intruders to gain entry to the corporate network, and to glean information about the topology and internal infrastructure, he says.
SBCs play a crucial role in combating both threats. They act as the firewall for UC voice – and the UC implementation in general – and can protect against DOS attacks. An SBC is able to weed out voice packets that don’t fit known patterns, in the process ensuring that legitimate calls can get through. And they handle call admission control, to ensure the phone system isn’t overwhelmed by call volume.
SBCs also hide the internal network topology from would-be intruders. Essentially, an attacker will see the IP address of the SBC, but that’s it – he will have no knowledge of what’s behind the curtain, so to speak, and thus will likely move on to an easier target.
“If attackers can glean information about topology and internal infrastructure, that gives them more potential ways to break in,” DeLuca says. “Guarding against that is critical.”
UC Voice Monitoring and Process
Security tools alone are not enough to protect against potential UC voice attacks, however. You also need processes in place to ensure an appropriate response to whatever the tools may tell you, DeLuca says.
Such processes cover many areas, including keeping your tools updated. You need to consistently update signatures on firewalls and intrusion detection/prevention systems, for example, to ensure you’re protecting against the latest attacks. And you’ve got to ensure the systems keep up with changes to your UC infrastructure. As you tack on additional components, the monitoring solution must be aware of them or else you can miss important events. “They can become another avenue for attack,” DeLuca says.
Also crucial is having a process for how to classify and respond to events that your monitoring tools find. “Make sure IT folks have a clear process for how they evaluate the risk, how much time they have to respond to it, and how they communicate about it,” he says. “There needs to be an escalation process for severe risks, for example.”
People and Training
UC brings big changes to the way companies deal with voice in their networks. In the old days, when the PBX was the center of the voice universe, a telecom team was responsible for voice – and only voice.
“With UC, those silos break down,” DeLuca says. “UC truly requires cross-functional support among telecom, networking, security, systems administration, across the board.” That goes for everything from the initial design of the system to ongoing monitoring and support; the left hand has to know what the right is doing.
At the same time, training is key for both end users and IT personnel around phishing and other forms of social engineering attacks. “Attackers are good at using fear and a false sense of urgency to motivate people to make mistakes and share data that they normally wouldn’t, and to circumvent normal procedures” DeLuca says. “If you don’t raise awareness, it can result in huge losses.”