
UC Security Best Practices

September 25, 2008

Abstract

Unified Communications (UC) offers the promise of facilitating an enterprise's drive for business agility through the deployment of a cost-effective communications and collaboration platform spanning its remotely located and mobile employees, its supply chain, its partner ecosystem and its customers. Using a non-technical approach, we take the Business Decision Maker (BDM) through best practices for securing multimedia UC.

The key to securing the UC solution requires considering voice, data, and video communications as a system, and implementing a multilayered, uniformly applied defense construct for the system infrastructure, call management, applications, and endpoints. The solution should be layered, with multiple controls and protections at multiple network levels. This defense-in-depth approach minimizes the possibility that a single point of failure could compromise overall security. If a primary security layer is breached, other defensive barriers are available to deter the attack. Such an approach has been considered best practice for data security since the first days of the Internet.

The bottom line is that confidentiality, integrity, and availability of critical multimedia resources must be ensured while maintaining the UC solution's performance. Security features should be transparent to the user, standards-based, simple to administer and cost-effective. There is no one size fits all. Companies should examine UC security from a business perspective by defining goals, policies, and patterns of usage at the get-go across all applications: data, VoIP, Instant Messaging (IM) and presence, Web and audio/video conferencing. Security policies for all media streams need to be aligned and properly balanced against business risks. We will follow this theme throughout the discussion.

1. Introduction

Business agility has become the mantra for 21st Century success in an increasingly global economy, and UC is a leading technology supporting its attainment by enabling organizations to embed communications and collaboration into business processes. Individual productivity gains, while showing improved performance without impact on process outcomes, are still unlikely to improve competitive positioning or the delivery of products and services. Contextual collaboration, on the other hand, across customers, employees, suppliers, the channel and among strategic partners will accelerate innovation, time to market, information-driven decision making, and create the cost efficiencies that define sought-after best-in-class business agility.

Companies of all sizes are adopting unified communications and the collaboration capabilities it fosters to boost productivity and innovation, increase mobility and enhance flexibility. Upon interviewing 315 network and telecommunications decision makers at European enterprises, Forrester[1] finds that enterprise implementation of VoIP in Europe is firmly entering the mass adoption phase. Most enterprises (76%) are going down the IP PBX route, either installing the equipment on their own premises or contracting a managed service from a hosting center. UC is firmly on the agenda: 35% of firms say UC is a priority, and 18% have implemented some element of UC.

In that same context, a Dimension Data[2]-sponsored survey of 390 IT managers and 524 end users across 13 countries in the United States, Asia Pacific and Europe, Middle East and Africa found that most organizations have already invested in infrastructure technologies, with 37% of companies currently using IP telephony, followed by 36% using a video conferencing infrastructure. Although mobile VoIP is not widely used, an investment is on corporate agendas in the next two years. The findings show that organizations view click-to-dial on desktops (52%) and presence (42%) as maturing technologies that will be routinely used in the corporate environment within two years. Moreover, the United States leads the way in IP telephony adoption (60%), with Middle East and Africa having the lowest penetration at 13%.

AMI Partners[3] reports that small and medium businesses (SMBs) are gravitating towards UC without even realizing it. Based on its survey of 1500 companies, AMI finds that SMBs have a strategic interest in business continuity, enhanced connectivity, collaboration, mobility, and standardized IT infrastructure, which are all foundational elements of a comprehensive UC portfolio.

[1] The State Of Enterprise VoIP And Unified Communications Adoption In Europe: 2007, December 6, 2007, http://www.forrester.com/Research/Document/Excerpt/0,7211,43073,00.html.
[2] Unified Communications Adoption Outpaces Expectations, August 20, 2007, http://www.dimensiondata.com/NR/rdonlyres/CD1D2A1041FF412C932CCAE4D964A7A9/7615/UNIFIEDCOMMUNICATIONSADOPTIONOUTPACESEXPECTATIONS1.pdf.
[3] Driving Unified Communications & Collaboration in the SMB Market: the Business-Focused Web 2.0, October 2007, http://www.amipartners.com/ami/sections/Studies/UC_telecom_report_TOC.pdf.

Clearly, within the context of UC-driven communications-enabled business processes, converged voice and data IP networks are being entrusted to carry the essential functions of conducting business to and from the remote worker, the supply chain and the partner ecosystem. And in doing so these networks must be secured in a manner that:

- Complies with all applicable laws and regulations;
- Prevents leaks of customer records;
- Protects intellectual property and proprietary information; and
- Preserves corporate brands and reputations.

Yet according to an In-Stat survey of IT professionals at 299 US businesses about their security plans for VoIP technology, "No mechanisms for securing VoIP had more than 50% penetration across all sizes of business," says Victoria Fodale[4], In-Stat analyst.

Our purpose here is to set out, in non-technical terms, best practices for securing UC. The key to securing UC requires considering voice, data, and video communications as a system and implementing a multilayered, uniformly applied defense construct for the system infrastructure, call management, applications, and endpoints. The solution should be layered, with multiple controls and protections at multiple network levels. This minimizes the possibility that a single point of failure could compromise overall security. If a primary security layer is breached, other defensive barriers are available to deter the attack.

Now a UC network is complex, consisting as it does of a wide range of components and applications such as telephone handsets, conferencing units, mobile units, call managers, gateways, presence servers, routers, servers, firewalls, specialized protocols and application linkages. The good news is that VoIP, IM, and video are all applications running on an IP network, and all of the security technologies and policies that companies have deployed for their data networks can be tuned to emulate the security level currently enjoyed by Public Switched Telephone Network (PSTN) users of Plain Old Telephone Service (POTS). In many cases, even if a concerted effort to deploy data network security has not been implemented, the technology likely already exists in your network if you have modern switches, routers and security appliances. In fact, taking a network-centric approach will lead to improved manageability and deployment through reduced complexity and more efficient troubleshooting, which all lead to lower total cost of ownership.

The bottom line is that the confidentiality, integrity, and availability of critical multimedia resources must be ensured while maintaining the UC solution's performance. Security features should be transparent to the user, standards-based, simple to administer and cost-effective. There is no one size fits all. Companies should examine UC security from a business perspective by defining goals, policies, and patterns of usage at the get-go across all applications: data, VoIP, IM and presence, Web and audio/video conferencing. Security policies for all media streams need to be aligned and properly balanced against business risks. We will follow this theme throughout the discussion.

[4] US Businesses Lag In Securing VoIP, In-Stat Press Release, March 24, 2008, http://www.instat.com/press.asp?ID=2271&sku=IN0804266CT.

2. UC Security Best Practice Recommendations

Below we will take the BDM through a non-technical discussion of best practices for securing UC with emphasis on VoIP. Key security-related terms will be aggregated for later reference in a glossary at the end of the white paper.

2.1 Getting Started: Plan the Work and Work the Plan

A UC security strategy should be developed in the formalized context of enterprise risk management. Enterprise risk management is:

- A process, ongoing and flowing through an enterprise;
- Affected by people at every level of an organization;
- Applied in a strategy setting;
- Applied across the enterprise, at every level and unit, and includes taking an enterprise-wide portfolio view of risk;
- Designed to identify potential events that, if they occur, will adversely affect the enterprise, and the associated risk managed within the enterprise's risk appetite;
- Able to provide reasonable assurance to enterprise management and board of directors; and
- Geared to achievement of objectives in one or more separate but overlapping categories.

This is a collaborative cross-organizational team effort requiring participation from many players representing the networking, security, telecom, legal and business sides of your organization. It's also appropriate at the start of any UC project to involve your service provider's security representatives and possibly a security consultant. In particular, ask your carrier how they can help you mitigate Distributed Denial of Service (DDoS) and botnet attacks.

The team's first project step is to establish strategic objectives that are aligned with and support the enterprise's mission, support compliance with applicable laws and regulations, and reflect management's appetite for risk. In carrying out its mission the team must be charged with effective use of resources, development and deployment of reliable reporting, ongoing monitoring and those security system optimization processes that will allow the enterprise to migrate over time to richer security implementations.

Performance of a security assessment comes next. Assessments identify security gaps so they can be managed effectively. From the security perspective everybody is under threat, but by varying degrees.

Invite your project team to a brainstorming session. Begin by posing questions such as:

- What kind of information are we holding?
- What would happen if somebody got a hold of that information?
- What kind of legal and regulatory environments are we dealing with?
- Whose presence status and location must be protected?
- What would happen if there was a UC system outage?
- How visible a target do we consider ourselves to be?

Once you've drawn up a comprehensive list of threats, move on to assess: the interdependencies between the threats, the feasibility of each of the threats, the quantitative impact of each threat, and

finally a prioritization of mitigation actions for each of the potential threats. You must feel confident that you can acceptably manage and mitigate the risks to your corporate information, system operations, and continuity of essential operations when deploying UC technology.

Attacks on UC systems can be broadly categorized into the following five types: (1) Confidentiality (or privacy), which includes call eavesdropping, call recording and voicemail tampering; (2) Integrity (or authenticity), which includes registration hijacking, caller ID spoofing, and sound insertion; (3) Availability, which includes denial of service attacks, buffer overflow attacks, and malware; (4) Theft, which includes toll fraud (service theft) and data theft through masquerading data as voice and data network crossover attacks; and (5) Voice Spam, known as SPIT, which includes unsolicited calling, unified mailbox stuffing, and Vishing (voice phishing).

Categorization of VoIP Threats

| Threat Type | Examples | Impact |
| --- | --- | --- |
| Confidentiality | Eavesdropping; Call recording; Voicemail tampering | Leakage of sensitive or confidential information; Compromised corporate assets; Identity theft; Blackmail |
| Integrity (or Authenticity) | Registration hijacking; Caller ID spoofing; Sound insertion | Disruption and chaos; Identity theft |
| Availability | Denial of Service; Buffer overflow attacks; Worms & viruses | Service outages with impact on revenue and brand image; Extortion; Lost productivity |
| Theft | Service theft (toll fraud); Data theft (masquerading data as voice; data network crossover attacks) | Excessive subscriber phone bills; Lost carrier revenues; Loss of trade secrets, confidential data, etc.; Industrial espionage |
| SPIT | Unsolicited calling; Mailbox stuffing; Vishing | Reduced productivity and co-opting of system resources; Identity theft; Financial loss |

Confidentiality refers to the enterprise's need to keep the non-public customer/client/partner data that it possesses both secure and private. Regulatory compliance raises the stakes significantly in the quest for effective UC security. Examples of confidentiality threats are: call eavesdropping, call recording and voicemail tampering.

Measures such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), European Basel II and the Gramm-Leach-Bliley Act (GLB) pose a range of potential legal and financial liabilities[5]. In addition, any findings of non-compliance or failure to comply with the required disclosure of security breaches can yield adverse publicity and the loss of business and brand value. To demonstrate full compliance with the security mandates your business must not only prevent malicious attacks from outside the organization, but also take necessary and prudent measures to protect against internal risks.

Integrity of information means that information remains unaltered by unauthorized users. That is, information cannot be changed in transit or at rest without being detected, and malicious or unwanted data can be blocked, filtered, or otherwise kept away from both servers and users. Integrity threats include any event in which system functions or data may be corrupted, either accidentally or as a result of malicious actions. Misuse may involve legitimate users (i.e. insiders performing unauthorized operations) or intruders. Authentication provides a mechanism to verify that a user or client is legitimate and has clearance for a given level of access. This is normally accomplished through the use of strong passwords that are centrally administered. Also, at the user level, company employees should be trained and assessed against high-risk security behavior. Malicious integrity (or authenticity) threats take the form of registration hijacking, caller ID spoofing, and sound insertion.

Availability refers to the principle that data and services are available for use when needed. Availability is a critical part of overall security planning. Attacks exploiting vulnerabilities in the call management software or protocols may lead to deterioration or even denial of service, or functionality of the call server. In addition, special consideration should be given to E911 emergency services communications, because E911 automatic location service is not available with VoIP in some cases (for example, Microsoft Office Communications Server 2007).

[5] Other legislation and regulations include: E911 laws in 17 states, security breach laws in more than 34 states, Federal Information Security Management Act (FISMA), Federal Financial Institutions Examination Council (FFIEC), Supervisory Control and Data Acquisition (SCADA), Payment Card Industry Data Security Standard (PCI DSS) and the Committee of Supporting Organizations (COSO) Enterprise Risk Management Framework.
2.2 Take a Multilayered Approach to Protecting Your Network Infrastructure

Securing the network perimeter, though absolutely necessary, is no longer sufficient. The growing internal threat, increasingly mobile workforce, more critical servers being placed on the network, and more attacks coming in on common ports have exploited flaws in the traditional firewall-centric security solution. A more mature and enlightened market is evolving towards the notion of layered security solutions. The core network layer protection includes an application-aware firewall and Intrusion Detection/Prevention Systems. Protection around the communications layer involves VoIP encryption. Perimeter security, as applied to UC solutions, would infer that the voice network be segregated wherever possible, so that unwanted traffic between the voice and data network is constrained. Endpoint security must include mechanisms to control access to the devices. Password control policies must be enforced so that passwords are changed regularly and strong passwords always used.

2.2.1 Segregate Voice and Data Traffic on Separate VLANs

A basic technique for voice security is to assign voice and data on logically separate networks (Virtual LANs or VLANs) due to their different Quality of Service[6] (QoS) and security requirements. In addition, traffic sent over the voice VLAN is not visible to insiders or outsiders connected to data VLANs, and data traffic cannot cross over to the voice VLAN. LAN Ethernet switches should be equipped with 802.1p prioritization so they can identify and prioritize traffic based on VLAN tags and support multiple queues. VLAN tagging ensures that data traffic from PC softphones takes a separate VLAN from voice traffic. Voice traffic is very delay sensitive and must be prioritized over data on these VLANs so that it gets through even during a network attack.

Establishing separate departmental voice VLANs will deter toll fraud by preventing employees from trying to use another department's VLAN for toll calls to avoid increasing their own phone bills. It's also good practice to segregate the management traffic on its own VLAN, together with host authentication, to minimize the likelihood of unwanted access to the call control servers.

When creating the VLAN, be sure to place its equipment behind separate firewalls. This practice will restrict traffic crossing VLAN boundaries and prevent viruses and other kinds of malware from spreading from clients to servers. When looking for firewall technology, be sure to examine products that support both leading standards: Session Initiation Protocol (SIP) and the International Telecommunication Union's H.323 protocol.

In conjunction with VLANs, companies can set up voice Access Control Lists (ACLs) for departments, workgroups, and individuals. Access control lists are an important part of the toolset a network administrator has at his/her disposal to monitor and control access into a VoIP network. ACLs on the networking layer can be used to prevent inbound data packets used in DoS attacks from entering the voice VLAN. ACLs are also instrumental in defending against eavesdropping and call interception by preventing voice traffic from crossing over to an untrusted portion of the network.

[6] See Critical Success Factors in Design and Performance Management of UC Networks, March 2008, http://www.ucstrategies.com/UC_Networks.aspx. An in-depth discussion is provided of VoIP's requirements for both QoS, which concerns measurement of the treatment of the packets traversing a network including utilization, response time, latency (delays), delay variation, packet loss, jitter and availability, and application performance management with its focus on the unique VoIP Quality of Experience (QoE) requirements associated with differing business scenarios.

2.2.2 Authentication and Security Features such as IEEE 802.1x and Access Control Lists are not enough

It is important to understand that use of authentication and security features such as IEEE 802.1x and access control lists, while an integral part of an organization's threat defense policies, cannot prevent data link layer attacks such as "man-in-the-middle" attacks using Gratuitous Address Resolution Protocol (GARP) and Dynamic Host Configuration Protocol (DHCP) server spoofing. These attacks exploit normal protocol processing such as a switch's ability to learn Media Access Control (MAC) addresses, end-station MAC address resolution via ARP, or DHCP server IP address assignments.

DHCP server spoofing is prevented by defining trusted ports which can send DHCP requests and acknowledgements, and untrusted ports which can forward only DHCP requests. The Cisco Catalyst switch, for example, assumes that trusted ports are those that connect to either the DHCP server itself, or switched ports, such as uplinks, that in turn connect the switch to the rest of the network. This thwarts malicious users acting as a network DHCP server and sending out incorrect addresses under the pretense of being the default gateway, and intercepting data traffic. In addition, by intercepting all DHCP messages within the VLAN, the switch can act much like a small security firewall between users and the DHCP server, building a binding table containing client IP address, client MAC address, port, and VLAN number.

Before an endpoint can talk to another endpoint it must make an ARP request to map the IP address to the MAC address. The most effective way for an attacker to eavesdrop on a connection is to spoof the default gateway by sending a gratuitous ARP reply containing the IP address of the default gateway to other devices on the LAN. The gratuitous ARP packet causes the devices to overwrite the old entry with the new one, effectively making the attacker the new default gateway for those devices. The attacker can use IP forwarding to relay the traffic between the devices and the default gateway without the other devices being aware of what is happening.

GARP attacks can be prevented through Dynamic ARP Inspection (DAI), which helps to ensure that the access switch relays only "valid" ARP requests and responses. DAI inspects all ARPs and compares them to the DHCP binding table. If an ARP does not match the binding table, the ports are shut down.
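The DHCP snooping binding table and the DAI check described above, modelled as an added illustrative example (not code from the paper or from any switch vendor). The `AccessSwitch` class, port names, MAC and IP addresses are all the example's own constructed values.

```python
"""Model of DHCP snooping plus Dynamic ARP Inspection (DAI).

Added example, not code from the paper or from any vendor. The switch learns a
binding table (IP, MAC, port, VLAN) from DHCP exchanges and then lets DAI relay
ARP packets on untrusted access ports only when they match a binding.
All port names and addresses below are constructed sample values.
"""
from dataclasses import dataclass

GATEWAY_IP = "10.0.10.1"   # constructed: the default gateway a spoofer would impersonate


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str
    vlan: int


class AccessSwitch:
    def __init__(self, trusted_ports):
        self.trusted_ports = set(trusted_ports)   # uplinks / ports facing the DHCP server
        self.pending = {}         # client MAC -> (port, vlan) of its last DHCP request
        self.bindings = {}        # leased IP -> Binding
        self.shutdown_ports = set()
        self.log = []

    def dhcp(self, port, vlan, msg_type, client_mac, yiaddr=None):
        """DHCP snooping. Returns True if the message is forwarded, False if dropped."""
        if port in self.shutdown_ports:
            return False
        if msg_type in ("OFFER", "ACK"):
            # Server-side messages are legitimate only when they arrive on trusted ports.
            if port not in self.trusted_ports:
                self.log.append(f"DHCP snooping: dropped {msg_type} from untrusted {port}")
                return False
            if msg_type == "ACK" and client_mac in self.pending:
                cport, cvlan = self.pending.pop(client_mac)
                self.bindings[yiaddr] = Binding(yiaddr, client_mac, cport, cvlan)
                self.log.append(f"binding {yiaddr} -> {client_mac} on {cport} vlan {cvlan}")
            return True
        # DISCOVER / REQUEST from a client: remember which port it arrived on.
        self.pending[client_mac] = (port, vlan)
        return True

    def arp(self, port, vlan, sender_ip, sender_mac):
        """Dynamic ARP Inspection. Returns True if the ARP packet is relayed."""
        if port in self.shutdown_ports:
            return False
        if port in self.trusted_ports:
            return True       # DAI does not inspect trusted ports
        b = self.bindings.get(sender_ip)
        if b and (b.mac, b.port, b.vlan) == (sender_mac, port, vlan):
            return True
        # Sender IP/MAC/port/VLAN disagree with the snooping table: err-disable the port.
        self.shutdown_ports.add(port)
        self.log.append(f"DAI: {port} sent ARP for {sender_ip} as {sender_mac} "
                        f"with no matching binding; port shut down")
        return False


def run_scenario():
    """Legitimate leases, a rogue DHCP server, and a gratuitous ARP reply spoofing the gateway."""
    sw = AccessSwitch(trusted_ports={"Gi1/0/48"})
    victim, attacker = "00:11:22:33:44:21", "00:11:22:33:44:99"   # constructed MACs

    # Both hosts obtain leases normally: request on an access port, ACK via the uplink.
    sw.dhcp("Gi1/0/5", 10, "REQUEST", victim)
    sw.dhcp("Gi1/0/48", 10, "ACK", victim, yiaddr="10.0.10.21")
    sw.dhcp("Gi1/0/9", 10, "REQUEST", attacker)
    sw.dhcp("Gi1/0/48", 10, "ACK", attacker, yiaddr="10.0.10.22")

    # A DHCP OFFER arriving on an access port comes from a rogue server: snooping drops it.
    rogue_offer = sw.dhcp("Gi1/0/9", 10, "OFFER", victim, yiaddr="10.0.10.50")

    # ARP that matches the bindings passes; the real gateway on the uplink is trusted.
    victim_arp = sw.arp("Gi1/0/5", 10, "10.0.10.21", victim)
    gateway_arp = sw.arp("Gi1/0/48", 10, GATEWAY_IP, "00:11:22:33:44:01")

    # A gratuitous ARP reply claiming the gateway address from an access port fails DAI.
    spoofed_arp = sw.arp("Gi1/0/9", 10, GATEWAY_IP, attacker)
    # The offending port stays down, so even its own valid ARP is no longer relayed.
    after_shutdown = sw.arp("Gi1/0/9", 10, "10.0.10.22", attacker)

    return {
        "bindings": len(sw.bindings),
        "rogue_offer_forwarded": rogue_offer,
        "victim_arp_forwarded": victim_arp,
        "gateway_arp_forwarded": gateway_arp,
        "spoofed_arp_forwarded": spoofed_arp,
        "after_shutdown_forwarded": after_shutdown,
        "shutdown_ports": sorted(sw.shutdown_ports),
        "log": sw.log,
    }


if __name__ == "__main__":
    for line in run_scenario()["log"]:
        print(line)
```

On a real switch the gateway would normally be covered by a static ARP ACL rather than a DHCP binding; the model treats any unbound sender on an untrusted port as invalid, which is the conservative default.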
The increasing trend towards the use of softphone clients poses a problem for architectures that rely purely on VLAN separation and access control lists. In these deployments the voice-capable devices are not only on the phone VLAN but also on the data VLAN, since the soft clients are applications that operate on a user's desktop. With the increased adoption of unified communications applications such as presence and instant messaging this trend is likely to grow. The impact of the soft client is that it becomes difficult to distinguish between a genuine desktop that has a legitimate voice soft client and a rogue device. Access control lists are stateless and can only filter IP addresses and ports. IP voice protocols, such as SIP, negotiate the port to be used in a voice call from a wide range of ports (16384 to 32767 for audio). Access control lists must open up this entire range as it is impossible for the access control list to predict which ports will be used, resulting in a range of exposed ports that attackers can use for reconnaissance. To mitigate this threat, a new generation of proxy devices, often integrated with unified communications-aware firewalls, is providing services for secure VLAN traversal for soft clients. Often enforcing device authentication to protect the call control infrastructure from rogue endpoints and then manipulating the signaling to force the media through a trusted device in the network, these proxy services can enable enterprises to build securely upon their existing VLAN- and ACL-based architectures. The Cisco Adaptive Security Appliance 5500 Series (ASA), for example, has been enhanced to support this functionality.

2.2.3 Protect the Application Platform with Secure Management Best Practices

- Protect the integrity of management systems. Segregate management traffic on its own VLAN.
- Use a multilevel administration permissions construct. Organizations must define administrators' roles and restrict the functions they can use. Read-only privileges are assigned to most administrators, reserving read-write privileges for a few trusted individuals.
- Validate administrators and their permissions prior to allowing them management access to voice applications. Require administrators to log in at a physical interface different from the call processing interface, and one that is not accessible to most people. Administrators are allowed access to the management interface only after being authenticated and authorized for the task. Centrally administered strong passwords are needed here.
- Encrypt management traffic to prevent interception or eavesdropping. Use IP Security (IPsec) or Secure Shell (SSH) for all remote management and auditing access. If practical, avoid using remote management at all and perform IP PBX access from a physically secure system.
- Maintain detailed audit trails by logging security alerts, errors, traffic monitoring, etc. With system event logging, administrators are aware of and able to quickly respond to issues that could compromise network integrity or user security.
- Harden operating systems. Once UC security is established you must be ever vigilant to deploy only those features in your UC products that are consistent with your UC security policy. Workstations, servers, and desktop IP phones typically arrive from the vendor installed with a multitude of development tools and utilities, which, although beneficial to the new user, also provide potential back-door access to an organization's systems. Therefore, remove all nonessential tools, utilities, and other systems administration options, any of which could be used to ease a hacker's path to your systems. This action enforces the policy that only authorized people can access and change information pertaining to the UC system. Then ensure that: (1) all appropriate security features are activated and configured correctly, and (2) patch management systems routinely pass out anti-X software and operating system updates.
2.2.4 Virtual Private Networks (VPNs) Provide a Secure Pathway for Communication with Remote Workers

VPNs have a built-in encryption feature that enables secure connectivity with branch offices and business partners that are unreachable by private networks. Even road warriors can log in to the VPN from their PCs. VPNs create logical tunnels between two endpoints that allow for data to be securely transmitted between the nodes. An encrypted VPN tunnel provides network, data, and addressing privacy by scrambling data so that only the designated parties understand it. This secures the identities of both the endpoints and protects the VoIP traffic flowing across different network components on the corporate LAN as if it were on a private network. Voice- and video-enabled VPN technology, available in many routers and security appliances, encrypts voice as well as data traffic using IPsec or AES. Encryption is performed in hardware so that firewall performance is not affected.

The IPsec ESP (Encapsulating Security Payload protocol) tunnel is a specific kind of VPN used to traverse the Internet in a private manner. IPsec is the standard encryption suite for the Internet Protocol and will be fully supported in IPv6. In ESP Tunnel Mode, IPsec protects both the data and the identities of the endpoints. While providing strong security, IPsec does require significant effort to support dedicated clients on each machine authorized to connect remotely to the network. For this reason, it has become increasingly common for IPsec to be used to protect voice traffic between enterprise sites as part of a site-to-site VPN, while SSL has become more common for remote access VPN requirements. In addition, with IPsec, making structural changes, adding new locations, or connecting with additional networks involves a fair amount of configuration work as each router must be configured to understand all the other routers in the network. This can be a significant maintenance headache if there are many locations involved. As a result of this administrative burden, some vendors have adapted IPsec VPN architectures to enable remote sites to dynamically query and build new site-to-site connections without requiring each site to be preconfigured with a list of all the other potential peers in the network. This scalability and manageability enhancement also allows enterprises to build a more flexible encryption architecture. In addition, moving from hub-and-spoke topologies to more direct, spoke-to-spoke designs provides a more suitable platform for voice services with minimized latency and jitter.

SSL (Secure Socket Layer) tunnel VPNs, once viewed as a complement to the IPsec VPN, have evolved as a direct competitor as they provide simplified deployment for remote access VPN. As originally conceived, this type of SSL VPN allowed a user to use a typical Web browser to securely access multiple network services through a tunnel that is running under SSL. The SSL VPN is, today, the most appropriate application layer VPN technology. SSL VPNs provide clientless access on a per-application basis that enables the granular security needed to support business productivity by restricting application access to only those with a true need for access. Moreover, starting with a browser session, WAN managers/administrators may offer access choices ranging from completely portable clientless connections through thin-client managed sessions with downloadable security features and application-specific services to full network connectivity (including routing) that emulates traditional tunnel VPNs, such as IPsec. The browser can be eliminated through the use of a manually installed client, while maintaining connectivity benefits. Additional SSL, User Datagram Protocol (UDP), and IPsec tunnels, acting as network layer VPNs, can be opened dynamically, as needed, to improve QoS for performance-sensitive applications, such as VoIP.
VPN is not the only option for providing confidentiality to IP voice streams. Access Edge gateways can encrypt Session Initiation Protocol (SIP) call signaling traffic to protect against eavesdropping and support server authentication for remote users and federated[7] sites. This is typically achieved through Transport Layer Security (TLS) encryption for signaling messages and Secure Real-Time Protocol (SRTP) for protecting the voice media. Access Edge gateways and voice-aware firewalls can also perform filtering tasks, such as blocking traffic from untrusted addresses.

More likely than not, enterprises will be federating across different vendors' UC environments in order to leverage UC-enabled business process productivity enhancements across their supply chain, hopefully with well thought-out security solutions. If not done well, sensitive information sent over the public Internet will make easy targets for the ever-growing hacker threat. The sidebar overviews Cisco's Adaptive Security Appliance (ASA) 5500 Series features which support secure federated presence.

[7] Trusted remote OCS sites (called "federated" sites) that connect over the Internet have access edge servers in their perimeter networks to enable secure call control and voice and video transmission across an organization's firewall.

Sidebar: Cisco UC Perimeter Security Services

The Cisco ASA 5500 Series Adaptive Security Appliance is a high-performance, multifunction security appliance family delivering converged firewall with application layer and protocol-aware inspection services, IPS, network anti-X and URL filtering, SSL/IPsec VPN services, encrypted traffic inspection, presence federation and both remote worker hard phone and mobile phone proxy services. The ASA is a key component of the Cisco Self-Defending Network. Among its differentiating features are:

- ASA provides security and inspection capability for Cisco applications (Presence, Unity, MeetingPlace), and third-party applications like Microsoft OCS. Any Cisco UC communications encrypted with SRTP/TLS can be inspected by Cisco ASA 5500 Adaptive Security Appliances:
  o Maintains integrity and confidentiality of the call while enforcing security policy through advanced SIP/SCCP firewall services
  o TLS signaling is terminated and inspected, then re-encrypted for connection to the destination (leveraging integrated hardware encryption services for scalable performance)
  o A dynamic port is opened for the SRTP encrypted media stream, and automatically closed when the call ends
- ASA enables inter-enterprise presence communications between Cisco and Microsoft presence servers and endpoints
- ASA phone proxy is a teleworker solution that terminates SRTP/TLS encrypted remote endpoints, offering the benefit of secure remote access without the need for a router at the remote worker's site. Within the enterprise, the ASA phone proxy can be used for voice/data VLAN traversal in the following manner:
  o All communications originating from soft clients must be proxied
  o Soft client communication is restricted to a specific VLAN on the ASA
  o Cisco ASA performs inspection on traffic and opens the media port dynamically for soft clients
- As a mobility proxy, the ASA terminates TLS signaling from Cisco Unified Mobile Communicator to Cisco Unified Mobility server and enforces security policies. The ASA is a mandatory component of Cisco's mobility architecture and replaces Cisco Mobility Proxy.

2.2.5 Firewalls and Intrusion Detection/Prevention Systems

VoIP-ready firewalls are essential components in the VoIP network and should be used along with state-of-the-art intrusion detection and prevention systems.

Firewalls work by blocking traffic deemed to be invasive, intrusive, or just plain malicious from flowing through them. They provide a central location for deploying security policies, and when properly deployed ensure that no traffic can enter or exit the LAN without first being filtered by the firewall. An advanced firewall with stateful packet filtering keeps track of the state of network connections (such as Transport Control Protocol (TCP) streams and UDP communication travelling across it). The firewall is programmed to distinguish between legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected. Stateful filtering can grant or deny network access based on time of day, application, IP address, port range and other attributes. Observing normal traffic patterns and then applying appropriate rules can set media and signaling rate limits.

If possible, a firewall with application filtering should be utilized. Application filtering is an extension to stateful packet inspection. Whereas stateful packet inspection can determine what type of protocol is being sent over each port, application-level filters look at what a protocol is being used for. Application layer firewalls support multiple application proxies on a single firewall. The proxies sit between the client and server, passing data between the two endpoints. Suspicious data is dropped and the client and server never communicate directly with each other. Because application-level proxies are application-aware, the proxies can more easily handle complex protocols like H.323 and SIP, which are used for VoIP and video conferencing. Often, by deploying protocol conformance in unified communications-aware firewalls, enterprises can mitigate many of the vulnerabilities posted against the leading call control platforms. This is because the vulnerabilities are often exploited by sending malformed packets that can adversely impact the call control system. By applying a rigorous protocol conformance policy, these malformed packets can be filtered within the network rather than attempting to be dealt with by the target machine.

Core network layer protection includes Intrusion Detection and Prevention Systems (IDS/IPS) technologies, which complement firewalls by establishing sensors running on independent hardware platforms throughout the network. These sensors monitor traffic for unwarranted behavior or traffic patterns, and respond accordingly based on pre-established rules. Malicious traffic is identified through comparison against typical traffic behavior associated with a list of known attacks. Based on network intelligence, you can adjust and tune for the number and types of checks performed on specific network segments or assets. Network Intrusion Prevention differs from firewalls in that it uses a list of known signatures to identify attempts to exploit known vulnerabilities. In contrast, firewalls apply policy which controls access and selectively applies security services.
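The contrast between a stateless ACL, which must leave the whole 16384 to 32767 audio range open (the soft-client problem in 2.2.2), and the stateful, SIP-aware inspection described in this section, which opens one media pinhole per call from the SDP, applies a protocol conformance rule, and closes it on BYE. This is an added example, not code from the paper or from any firewall product; the SIP messages, Call-IDs, addresses and ports are constructed samples.

```python
"""Stateless ACL versus SIP-aware stateful media pinholes.

Added example, not code from the paper or any firewall vendor. A stateless ACL
cannot know which RTP port a call will negotiate, so it must permit the whole
16384-32767 audio range; a SIP-aware firewall reads the SDP in INVITE / 200 OK,
opens exactly the negotiated (ip, port), enforces a simple conformance rule on
the SDP, and closes the pinhole on BYE. All SIP messages and addresses are
constructed samples.
"""
import re

RTP_AUDIO_RANGE = range(16384, 32768)   # the audio port range cited in the paper


def stateless_acl_allows(dst_port):
    """A port-based ACL has no call state, so every port in the range stays open."""
    return dst_port in RTP_AUDIO_RANGE


class SipAwareFirewall:
    def __init__(self):
        self.pinholes = {}   # Call-ID -> set of (ip, port) media endpoints allowed

    @staticmethod
    def _parse(msg):
        head, _, body = msg.partition("\r\n\r\n")
        lines = head.split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        return lines[0], headers, body

    @staticmethod
    def media_endpoint(body):
        """Return (ip, port) from the SDP, or None if it is missing or non-conformant."""
        c_line = re.search(r"^c=IN IP4 (\d{1,3}(?:\.\d{1,3}){3})\s*$", body, re.M)
        m_line = re.search(r"^m=audio (\d+) RTP/S?AVP\b", body, re.M)
        if not (c_line and m_line):
            return None
        port = int(m_line.group(1))
        if port not in RTP_AUDIO_RANGE:
            return None   # conformance policy: refuse media outside the agreed range
        return c_line.group(1), port

    def inspect(self, msg):
        """Inspect one signaling message; returns a short verdict string."""
        start, hdr, body = self._parse(msg)
        call_id = hdr.get("call-id")
        if not call_id:
            return "drop: missing Call-ID"
        is_invite = start.startswith("INVITE ")
        is_invite_ok = start.startswith("SIP/2.0 200") and hdr.get("cseq", "").endswith("INVITE")
        if is_invite or is_invite_ok:
            endpoint = self.media_endpoint(body)
            if endpoint is None:
                return "drop: malformed or non-conformant SDP"
            self.pinholes.setdefault(call_id, set()).add(endpoint)
            return f"open {endpoint[0]}:{endpoint[1]}"
        if start.startswith("BYE "):
            closed = self.pinholes.pop(call_id, set())
            return f"close {len(closed)} pinhole(s)"
        return "forward"

    def media_allowed(self, ip, port):
        return any((ip, port) in eps for eps in self.pinholes.values())


# Constructed sample exchange between a soft client (10.0.10.21) and a phone (10.0.20.5).
INVITE = ("INVITE sip:bob@10.0.20.5 SIP/2.0\r\n"
          "Call-ID: c4ll-1@10.0.10.21\r\nCSeq: 1 INVITE\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 10.0.10.21\r\nm=audio 18000 RTP/SAVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: c4ll-1@10.0.10.21\r\nCSeq: 1 INVITE\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 10.0.20.5\r\nm=audio 20002 RTP/SAVP 0\r\n")
BYE = "BYE sip:bob@10.0.20.5 SIP/2.0\r\nCall-ID: c4ll-1@10.0.10.21\r\nCSeq: 2 BYE\r\n\r\n"
# Same shape as INVITE but with a media port outside the permitted range.
BAD_INVITE = INVITE.replace("c4ll-1", "c4ll-2").replace("m=audio 18000", "m=audio 99999")


def run_scenario():
    fw = SipAwareFirewall()
    verdicts = [fw.inspect(INVITE), fw.inspect(OK_200), fw.inspect(BAD_INVITE)]
    during = {
        "acl_exposes_unused_port": stateless_acl_allows(30000),
        "fw_blocks_unused_port": not fw.media_allowed("10.0.20.5", 30000),
        "fw_allows_negotiated": (fw.media_allowed("10.0.20.5", 20002)
                                 and fw.media_allowed("10.0.10.21", 18000)),
        "open_calls": len(fw.pinholes),
    }
    verdicts.append(fw.inspect(BYE))
    after = {"fw_allows_after_bye": fw.media_allowed("10.0.20.5", 20002),
             "open_calls": len(fw.pinholes)}
    return {"verdicts": verdicts, "during": during, "after": after}


if __name__ == "__main__":
    print(run_scenario())
```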
Host IDS/IPS technologies serve a similar purpose as their network counterparts, but reside as software on a host machine (server or client) present within the network. The ever growing mobile workforce, continuing increase in the number of attack vectors targeting the actual host machine, and growth in deployment of SSL VPN solutions in many organizations are driving adoption of host based products.

Traditional network based products, for example, cannot decrypt the traffic on the line and the potential for certain attacks is passed to the host directly. Currently, customers are expanding deployment scenarios to include all mission critical application and data servers, wireless access points, VPN access points, and remote machines. Additionally, there are many compliance issues that can only be measured by an agent on the host deploying predefined and customized behavior based protections. Since a Host IPS (HIPS) security agent intercepts all requests to the system it protects, it has certain prerequisites: it must be very reliable, must not negatively impact performance, must not block legitimate traffic and should be centrally managed for efficient reporting and auditing of activities. Host IDS/IPS technology also includes file integrity, DDoS protection, authentication and OS hardening.

As an example of the offerings in this competitive area we take a brief look at the Cisco Security Agent (CSA) which uses behavioral anomaly detection to provide powerful endpoint protection against day zero threats. CSA uses no signatures, reducing the pressure to update systems, while keeping the host covered during the shrinking vulnerability window. CSA's key features are:

- Zero update protection based on operating system and application behavior
- Control of content after decryption or before encryption (e.g., SSL, IPsec)
- Access control for I/O devices based on process, network location and file content
- Centralized management and monitoring of events
- Self-Defending Network interaction with such solutions as ASA, Network Access Control, IPS, QoS, Monitoring, Analysis, and Response Systems, etc.

2.2.6 Use VoIP network encryption

Firewalls, gateways, and other such devices can help keep intruders from compromising a network. But unless the VoIP network is encrypted, anyone with physical access to the office LAN could potentially tap into telephone conversations [8]. Moreover, firewalls, gateways and such don't protect voice packets traversing the Internet. Encryption at the protocol level is necessary to defeat eavesdropping attacks.
Transport Layer Security (TLS) and IPsec are two main encryption methods. Both protocols aim to keep unauthorized parties from interfering with or listening to calls, and they are almost impossible to manipulate externally.

To install multiple encryption layers, use Secure Real-Time Protocol (SRTP) at the communications layer for media encryption and TLS for signaling. Encrypting the actual content of communications between users (media encryption) prevents eavesdropping into private matters, whether the communication is voice, video or IM. Signaling encryption prevents illicit monitoring or tampering of the signaling that directs network operations, such as call setup and routing, service performance, event recording, billing, etc. Nonetheless, if you use encryption it's imperative to have in place a solution that terminates and inspects UC communications encrypted with SRTP/TLS, then re-encrypts the media and signaling for connection to its destination. Without such inspection, malicious traffic could enter the organization.
[8] You might not need traffic encrypted at the LAN, but you certainly will want to encrypt it at the router as it traverses the WAN. Seriously consider security solutions that offer the flexibility to have either encryption off the handset or encryption in bulk over the WAN links.

Authentication and encryption without inspection can give a false sense of security. Inspection is particularly valuable in a contact center where you require encrypted calling between the service representative and the customer, but you want to allow supervisory intercept for quality control purposes.

Gateways and switches should use IPsec or SSH instead of other cleartext protocols as the remote access protocol. If a web based interface is provided, Secure HyperText Transport Protocol (HTTPS) should replace HTTP. If practical, avoid using remote management at all and do IP PBX access from a physically secure system.

Voice over Wireless LAN (VoWLAN) traffic may be secured with the same techniques used to protect wireless data traffic. The Wi-Fi Protected Access program version 2 (WPA2) and IEEE standard 802.11i both support the Advanced Encryption Standard (AES), which provides U.S. government level protection. With encryption key sizes of up to 256 bits, AES is considered extremely secure.

2.2.7 Maintain Adequate Physical Security and Power Backup

Even if encryption is used, physical access to UC servers and gateways may allow an attacker to perform traffic analysis or compromise systems. Adequate physical security should be in place to restrict access to UC components. Physical security measures, including barriers, locks, access control systems, and guards, are the first line of defense. You must make sure that the proper countermeasures are in place to mitigate the biggest risks, such as insertion of sniffers or other network monitoring devices. Installation of a sniffer could result in not just data, but all voice communications being intercepted.

In addition, allow for sufficient power backup and the ability to roll over your voice calls to the PSTN should your IP WAN experience an outage.

2.2.8 Use Network Access/Admission Control (NAC)

According to Wikipedia, Network Access (or Admission) Control is an approach to computer network security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement.
Network Computing (NWC) [9] identifies five technology functions that are accepted and expected as part of a NAC product, based on interviews with 303 NWC readers directly involved in deploying or evaluating network access control, and reviews of vendor collateral:

1. Pre-connect host posture assessment
2. Host quarantine and remediation
3. Network access control based on user identity
4. Network resource control based on identity and policy
5. Ongoing threat analysis and containment.
[9] NAC Vendors Square Off, Network Computing Magazine, July 6, 2006, pp. 55-64, http://i.cmpnet.com/nc/1713/graphics/1713f3_file.pdf

Most individuals surveyed were focused on two main pain points: identifying and policing user access to the network, and eliminating threats brought onto the network by infected hosts. These pain points reflect the fact that many organizations have issues with non-corporate assets connecting to their network, such as employee owned devices or devices brought in by guests and visitors. Discovering when these devices connect to the network and limiting their access based on corporate policy is an ongoing challenge. These devices are typically not managed by central IT patch management tools.

The bottom line is that while establishing responsible computing guidelines, requiring user authentication, and passing out antivirus software and operating system updates through patch management systems are necessary security steps, they are not sufficient. The added step of using the network to enforce policies ensures that incoming devices are compliant. Those judged to be vulnerable and non-compliant are quarantined or given limited access until they reach compliance. Depending on vendor, NAC policies can permit, deny, prioritize, rate limit, tag, redirect, and audit network traffic based on user identity, time and location, device type, and other environmental variables.

Regulatory compliance is a key driver in NAC demand according to Network Computing's research. Their survey shows that 96 percent of respondents indicated they are governed by at least one government or industry regulation, and many CEOs and CTOs are mandating the deployment of NAC. Solutions that couple with identity management greatly improve accountability.
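The NAC decision described in this section (posture assessment, quarantine until compliant, access by user identity, resource control by identity and policy), as an added example that is not code from this paper or from any NAC vendor. The device records, user roles, network assignment names and the signature-age threshold are all constructed for the example.

```python
"""NAC admission decision from pre-connect posture and user identity.

Added example, not a vendor's NAC product and not code from the white paper:
a small policy engine covering the first four NAC functions listed above
(pre-connect posture assessment, quarantine for remediation, access based on
user identity, resource control based on identity and policy). The device
records, roles, network names and thresholds are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Posture:
    device_id: str
    user_role: str                     # "employee", "contractor" or "guest"
    managed: bool                      # enrolled in central IT patch management
    av_present: bool
    av_signature_date: Optional[date]  # None when the agent cannot report it
    missing_critical_patches: int
    hips_running: bool


# Policy thresholds, chosen for this example.
MAX_SIGNATURE_AGE_DAYS = 7
POLICY_DATE = date(2008, 9, 25)


def assess(p: Posture, today: date = POLICY_DATE) -> List[str]:
    """Pre-connect posture assessment: return the list of failed checks."""
    failures = []
    if not p.av_present:
        failures.append("no antivirus")
    elif (p.av_signature_date is None
          or (today - p.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS):
        failures.append("antivirus signatures out of date")
    if p.missing_critical_patches > 0:
        failures.append("%d critical patch(es) missing" % p.missing_critical_patches)
    if not p.hips_running:
        failures.append("host IPS agent not running")
    return failures


def admit(p: Posture, today: date = POLICY_DATE) -> Tuple[str, str]:
    """Return (network assignment, reason) for a device requesting access.

    Guests are placed on an Internet-only network regardless of posture;
    devices failing posture are quarantined until remediated; compliant but
    unmanaged devices get limited access; compliant managed devices are
    placed according to the user's role.
    """
    if p.user_role == "guest":
        return "guest-internet-only", "guest identity"
    failures = assess(p, today)
    if failures:
        return "quarantine", "; ".join(failures)
    if not p.managed:
        return "limited-access", "compliant but not centrally managed"
    if p.user_role == "contractor":
        return "contractor-vlan", "compliant contractor device"
    return "corporate-vlan", "compliant managed employee device"


# Constructed sample devices.
SAMPLES = [
    Posture("laptop-01", "employee", True, True, date(2008, 9, 24), 0, True),
    Posture("laptop-02", "employee", True, True, date(2008, 8, 1), 2, True),
    Posture("byod-03", "employee", False, True, date(2008, 9, 25), 0, True),
    Posture("vendor-04", "contractor", True, False, None, 0, False),
    Posture("visitor-05", "guest", False, False, None, 5, False),
]


def run_samples():
    """Admission decision for each sample device, keyed by device id."""
    return {p.device_id: admit(p) for p in SAMPLES}


if __name__ == "__main__":
    for device, (network, reason) in run_samples().items():
        print("%-10s -> %-20s (%s)" % (device, network, reason))
```

The reason string returned with the quarantine decision is what a remediation portal would show the user, which is the "quarantine and remediation" half of the second NAC function; the employee-owned (unmanaged) device lands in limited access even though its posture is clean, reflecting the point above that such devices are outside central patch management.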


3. Summary of UC Security Best Practices
The drive for business agility is spurring companies of all sizes to adopt unified communications as a primary vector for enhanced communication and collaboration capabilities among remotely located and mobile employees, their supply chain and partner ecosystem, and with customers. These benefits, however, do not come without risks. Introduction of an IP based UC communications and collaboration solution introduces an array of new vulnerabilities into the enterprise, and a growing number of malicious programs are exploiting these weaknesses.

The good news is that VoIP and IM are applications running on an IP network, and all of the security technologies and policies that companies have deployed for their data networks can be tuned to emulate the security level currently enjoyed by PSTN users of POTS. In many cases, even if a concerted effort to deploy data network security has not been implemented, the technology likely already exists in your network if you've recently purchased a switch or router.

The key to securing the UC network requires considering voice, data, and video communications as a system and implementing a multilayered, uniformly applied defense construct for the system infrastructure, call management, applications, and endpoints. The solution should be layered, with multiple controls and protections at multiple network levels. This minimizes the possibility that a single point of failure could compromise overall security. If a primary security layer is breached, other defensive barriers are available to deter the attack.

In summary, best practices entail:

- Treat the development of a UC security program as a collaborative cross-organizational project. Involve your carrier and an outside security consultant if necessary. Bottom line, plan the work and work the plan. The first step is to perform a security assessment. Assessments identify security gaps so they can be managed effectively. Any actionable risk assessment needs five key factors considered: a comprehensive list of threats, the interdependencies between the threats, the feasibility of each of the threats, the quantitative impact of each threat, and finally a prioritization of mitigation actions for each of the potential threats. You must feel confident that you can acceptably manage and mitigate the risks to your corporate information, system operations, and continuity of essential operations when deploying UC systems.

- And remember, there is no one size fits all. Companies should examine UC security from a business perspective by defining goals, policies, and patterns of usage at the start across all applications: data, VoIP, IM and presence, Web, and audio/video conferencing. Security policies for all media streams need to be aligned, and compliance with applicable laws and regulations must be properly implemented and properly balanced against business risks. Only then can costs be reconciled with benefits. In fact, taking a network centric approach will lead to improved manageability and deployment through reduced complexity and more efficient troubleshooting, which all lead to lower total cost of ownership. The flexibility of this approach will simplify migration over time to richer security implementations, if required by legal/regulatory requirements, change in risk appetite, or growing sophistication and maliciousness of hacker attacks.

Balancing Security Solution Cost against Risk of Security Breach

Area of Protection: Infrastructure
  Low Security Cost & Risk: Separate voice/data VLANs; Basic network layer ACLs; Traffic prioritized with QoS on the network
  Medium Security Cost & Risk: Stateful inspection firewalls; Network rate limiting (switch/router/firewall); IDS monitoring; Dynamic ARP inspection; DHCP snooping
  High Security Cost & Risk: App-aware firewall w/ TLS proxy for inspection of encrypted traffic; 802.1x for all endpoints; NAC w/ hosted IPS; IPS monitoring & prevention; Scavenger class (less than best effort) queuing for anomalous, peer-to-peer & entertainment traffic; Centralized network admin for authentication & authorization

Area of Protection: Call Management
  Low Security Cost & Risk: Approved antivirus; Patches; Strong admin credential policy; Standalone HIPS security agent
  Medium Security Cost & Risk: Multilevel admin; Managed HIPS security agent
  High Security Cost & Risk: TLS signaling & SRTP media encryption; Adv OS hardening

Area of Protection: Applications (includes Toll Fraud)
  Low Security Cost & Risk: Approved antivirus; Patches; Strong admin credential policy; Conf call drop w/ initiator's departure; Standalone HIPS security agent
  Medium Security Cost & Risk: Forced account codes; Dialing filters; Managed HIPS security agent
  High Security Cost & Risk: IPSec/TLS & SRTP gateways; IPSec/TLS & SRTP to apps

Area of Protection: Endpoints
  Low Security Cost & Risk: Disable Gratuitous ARP on phones; Signed firmware & configurations; Disable PC voice VLAN access
  Medium Security Cost & Risk: X.509 certificates in IP phones; SSL VPN for remote access softphones; Phone Proxy for remote IP phones
  High Security Cost & Risk: TLS signaling & SRTP media encryption; Encrypted configuration files; Managed HIPS security agent (softphone)
- Assign voice and data to logically separate networks (VLANs) due to their different QoS and security requirements. Make sure your Ethernet switches are equipped with 802.1p prioritization so they can identify and prioritize traffic based on VLAN tags and support multiple queues.

- Protect the integrity of management systems. Segregate management traffic on its own VLAN. Use encryption, administrator access control, and activity logging.

- Use VPNs to provide a secure pathway for communication with remote workers. A VPN's built-in encryption feature enables secure connectivity with branch offices and business partners that are unreachable by private networks. Voice and video enabled VPN (V3PN) technology, available in many routers and security appliances, encrypts voice as well as data traffic using IPsec or AES. Encryption is performed in hardware so that firewall performance is not affected.

- Implement VoIP ready firewalls capable of handling the latency sensitive needs of voice traffic. Such firewalls provide rich granular controls, protocol conformance checking, protocol state tracking, security checks, and NAT services. These are essential components in the VoIP network. If possible, a firewall with application filtering should be utilized. Application filtering is an extension to stateful packet inspection. Whereas stateful packet inspection can determine what type of protocol is being sent over each port, application level filters look at what a protocol is being used for. In addition, state of the art intrusion detection and prevention systems should also be installed.

- Use VoIP network encryption. TLS and IPsec are two main encryption methods. Make sure your firewall can provide for the inspection of encrypted voice traffic.

- Apply adequate physical security to restrict access to VoIP components. Even if encryption is used, physical access to VoIP servers and gateways may allow an attacker to do traffic analysis or compromise the systems. Physical security measures, including barriers, locks, access control systems, and guards are the first line of defense. In addition, allow for sufficient power backup and the ability to roll over your voice calls to the PSTN should your IP WAN experience an outage.

- Implement Network Access (or Admission) Control in order to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement so that network access is contingent on compliance with established security policies.

- Train everyone in the enterprise on their responsibility for executing enterprise risk management in accordance with established directives and protocols.

Pictorially, your secure UC infrastructure will look like this.

[Figure: Secure UC Solution. Sites shown: Headquarters, Regional Office, Branch Office, and Road Warrior / Telecommuter, connected over the IP WAN and the Internet. Components labelled: Security Agent (HIPS), Call Mgmt, Fraud Protection (dial plans), Port Security, Router/GW, VLANs, IDS/IPS, NAC, Secure transport (VPN), Antivirus, Application firewall, Private Addresses, Encryption, Mobility Proxy, Authenticated Routing, Phone Proxy.]

About the Authors

Paul Robinson, PhD
David Yedwab
Founding Partners
Market Strategy and Analytics Partners LLC
www.mktstrategyanalytics.com

Market Strategy and Analytics Partners custom designs marketing and sales strategies that are consistent with client core competencies, market focus and competitive environment, and coupled with operationalized go-to-market plans across the value chain to ensure elimination of bottlenecks and complete consideration of end-to-end financials. Our clients include equipment and software providers, service providers and information intense enterprises.

GlossaryofKeyVoIPSecurityTerms Acronym Term ACL Definition

AccessControlList TheAccessControlListisafilewhichacomputersoperatingsystemusesto determinetheusers'individualaccessrightsandprivilegestofolders/ directoriesandfilesonagivensystem.InanACLbasedsecuritymodel,whena subjectrequeststoperformanoperationonanobject,thesystemfirstchecks thelistforanapplicableentryinordertodecidewhetherornottoproceed withtheoperation.AkeyissueinthedefinitionofanyACLbasedsecurity modelisthequestionofhowaccesscontrollistsareedited.Foreachobject; whocanmodifytheobject'sACLandwhatchangesareallowed. AES Advanced AESisablockcipheradoptedasanencryptionstandardbytheU.S.government EncryptionStandardasofMay2002.Ithasbeenanalyzedextensivelyandisnowusedworldwide,as wasthecasewithitspredecessor,theDataEncryptionStandard(DES). Application Anapplicationisaprogramorgroupofprogramsdesignedforendusers. Applicationssoftware(alsocalledenduserprograms)includesdatabase programs,wordprocessors,andspreadsheets.Figurativelyspeaking, applicationssoftwaresitsontopofsystemssoftwarebecauseitisunabletorun withouttheoperatingsystemandsystemutilities. ApplicationFiltering Applicationfilteringisanextensiontostatefulpacketinspection.Stateful packetinspectioncandeterminewhattypeofprotocolisbeingsentovereach port,whileapplicationlevelfilterslookatwhataprotocolisbeingusedfor. Applicationlayerfirewallssupportmultipleapplicationproxiesonasingle firewall.Theproxiessitbetweentheclientandserver,passingdatabetween thetwoendpoints.Suspiciousdataisdroppedandtheclientandservernever communicatedirectlywitheachother.Becauseapplicationlevelproxiesare applicationaware,theproxiescanmoreeasilyhandlecomplexprotocolslike H.323andSIP,whichareusedforVoIPandvideoconferencing. ApplicationLayer Thislayersendsandreceivesdataforparticularapplications,suchasDomain NameSystem(DNS),HyperTextTransferProtocol(HTTP),andSimpleMail TransferProtocol(SMTP). 
Separateapplicationsecuritycontrolsmustbe establishedforeachapplication;thisprovidesaveryhighdegreeofcontroland flexibilityovereachapplicationssecurity,butitmaybeveryresourceintensive. Whileapplicationlayercontrolscanprotectapplicationdata,theycannot protectTCP/IPinformationsuchasIPaddressesbecausethisinformationexists atalowerlayer. ALP/ALG ApplicationLevel Anapplicationlevelgateway,alsoknownasapplicationproxyorapplication Proxy/Gateway levelproxy,isanapplicationprogramthatrunsonafirewallsystembetween twonetworks.Whenaclientprogramestablishesaconnectiontoadestination service,itconnectstoanapplicationgateway,orproxy.Theclientthen negotiateswiththeproxyserverinordertocommunicatewiththedestination service.Ineffect,theproxyestablishestheconnectionwiththedestination behindthefirewallandactsonbehalfoftheclient,hidingandprotecting individualcomputersonthenetworkbehindthefirewall.Thiscreatestwo 22

connections:onebetweentheclientandtheproxyserverandonebetweenthe proxyserverandthedestination.Onceconnected,theproxymakesallpacket forwardingdecisions.Sinceallcommunicationisconductedthroughtheproxy server,computersbehindthefirewallareprotected. ARP AddressResolution AddressResolutionProtocolisadatalinklayernetworkprotocol,whichmapsa Protocol networklayerprotocoladdresstoadatalinklayerhardwareaddress.Ahostin anEthernetnetworkcancommunicatewithanotherhost,onlyifitknowsthe Ethernetaddress(MACaddress)ofthathost.ThehigherlevelprotocolslikeIP useadifferentkindofaddressingscheme(likeIPaddress)fromthelowerlevel hardwareaddressingschemelikeMACaddress.ARPisusedtogettheEthernet addressofahostfromitsIPaddress.ARPisextensivelyusedbyallthehostsin anEthernetnetwork. Botnet BotnetorStorm TheStormbotnetorStormwormbotnetisaremotelycontrollednetworkof BotnetAttack "zombie"computers(or"botnet")thathasbeenlinkedbytheStormWorm,a Trojanhorsespreadthroughemailspam.Somehaveestimatedthatby September2007theStormbotnetwasrunningonanywherefrom1millionto 50millioncomputersystems.TheStormbotnetwasfirstidentifiedaround January2007,withtheStormwormatonepointaccountingfor8%ofall malwareonMicrosoftWindowscomputers. BufferOverflow Abufferoverflowoccurswhenaprogramorprocesstriestostoremoredatain Attack abuffer(temporarydatastoragearea)thanitwasintendedtohold.Since buffersarecreatedtocontainafiniteamountofdata,theextrainformation whichhastogosomewherecanoverflowintoadjacentbuffers,corruptingor overwritingthevaliddataheldinthem.Inbufferoverflowattacks,theextra datamaycontaincodesdesignedtotriggerspecificactions,ineffectsending newinstructionstotheattackedcomputerthatcould,forexample,damagethe user'sfiles,changedata,ordiscloseconfidentialinformation. 
CallerIDspoofing CallerIDspoofingisthepracticeofcausingthetelephonenetworktodisplaya numberontherecipient'scallerIDdisplaywhichisnotthatoftheactual originatingstation;thetermiscommonlyusedtodescribesituationsinwhich themotivationisconsiderednefariousbythespeaker. CallHijack Anattackreferstoasituationwhereoneoftheintendedendpointsofthe conversationisexchangedwiththeattacker. CallManagers Callmanagersarerequiredtosetupcalls,monitorcallstate,handlenumber translation,andprovidebasictelephonyservices.Callmanagersalsohandle signalingfunctionsthatcoordinatewithmediagateways,whicharethe interfacebetweentheVoIPnetworkandthepublicswitchedtelephone network(PSTN). DataLinkLayer Thislayerhandlescommunicationsonthephysicalnetworkcomponents.The bestknowndatalinklayerprotocolisEthernet.Securitycontrols here are suitableforprotectingaspecificphysicallink,suchasadedicatedcircuit betweentwobuildingsoradialupmodemconnectiontoanISP.Becauseeach physicallinkmustbesecuredseparately,datalinklayercontrolsgenerallyare notfeasibleforprotectingconnectionsthatinvolveseverallinks,suchas 23

connectionsacrosstheInternet. DDoS DistributedDenial Adistributeddenialofserviceattackoccurswhenmultiplecompromised ofService systemsfloodthebandwidthorresourcesofatargetedsystem,usuallyoneor morewebservers.Thesesystemsarecompromisedbyattackersusingavariety ofmethods.MalwarecancarryDDoSattackmechanisms;oneofthemorewell knownexamplesofthiswasMyDoom.ItsDoSmechanismwastriggeredona specificdateandtime.ThistypeofDDoSinvolvedhardcodingthetargetIP addresspriortoreleaseofthemalwareandnofurtherinteractionwas necessarytolaunchtheattack. DynamicHostConfigurationProtocolisaprotocolusedbynetworkeddevices DynamicHost (clients)toobtainvariousparametersnecessaryfortheclientstooperateinan Configuration IPnetwork.Byusingthisprotocol,systemadministrationworkloadgreatly Protocol decreases,anddevicescanbeaddedtothenetworkwithminimalornomanual configurations. DenialofService Anattackonacomputersystemornetworkthatcausesalossofserviceto users,typicallythelossofnetworkconnectivityandservicesbyconsumingthe bandwidthofthevictimnetworkoroverloadingthecomputationalresourcesof thevictimsystem. Eavesdropping Theinterceptingandreadingofmessagesandconversationsbyunintended recipients.InVoIP,eavesdroppingisanattackgivinganattackertheabilityto listenandrecordprivatephoneconversations. Endpoint Anendpointisasourceand/orreceivingsideofmediasuchasaudioorvideo. ExamplesofendpointsareaPCrunninganaudio/videocommunication applicationorasoftphone.Anendpointcanalsobeanautomateddevice,such asavoiceorunifiedcommunicationsmailbox.Theendpointalsoterminatesa signalingprotocol,suchasSIPorH.323,andmaybecontrollablefromsome applicationthroughanapplicationprograminterface(API). 
Fuzzing Functionalprotocoltestingalsocalledfuzzingisapopularwayoffindingbugs andvulnerabilities.Fuzzinginvolvescreatingdifferenttypesofpacketsfora protocolwhichcontaindatathatpushestheprotocolsspecificationstothe pointofbreakingthem.Thesepacketsaresenttoanapplication,operating system,orhardwaredevicecapableofprocessingthatprotocol,andtheresults arethenmonitoredforanyabnormalbehavior(crash,resourceconsumption, etc.). Gateway Agatewayisanodeonanetworkthatservesasanentrancetoanother network.Inenterprises,thegatewaynodeoftenactsasaproxyserveranda firewall.Thegatewayisalsoassociatedwithbotharouter,whichuseheaders andforwardingtablestodeterminewherepacketsaresent,andaswitch, whichprovidestheactualpathforthepacketinandoutofthegateway. HostAuthentication Ahostkeyisusedbyaservertoproveitsidentitytoaclientandbyaclientto verifya"known"host.Hostkeysaredescribedaspersistent(theyarechanged infrequently)andareasymmetricmuchlikethepublic/privatekeypairs discussedaboveinthePublickeysection.IfamachineisrunningonlyoneSSH server,asinglehostkeyservestoidentifyboththemachineandtheserver. 24

DHCP

DoS

HostauthenticationguardsagainsttheManintheMiddleattack. IP TheInternetProtocol(IP)isadataorientedprotocolusedforcommunicating dataacrossapacketswitchedinternetwork.IPisanetworklayerprotocolin theInternetprotocolsuiteandisencapsulatedinadatalinklayerprotocol(e.g., Ethernet).Asalowerlayerprotocol,IPprovidestheserviceofcommunicable uniqueglobaladdressingamongstcomputers. IPSecurity IPsecisthestandardencryptionsuitefortheInternetProtocolandwillbefully supportedinIPv6.IPsecenforcesdataconfidentialitybyencryptingpackets beforetransmission.Ithelpsensuretheintegrityofdatabyauthenticating packets,andvalidatestheoriginofdatabyauthenticatingthesourceofpackets thatarereceived.Finally,IPseccanhelppreventattacksbyidentifyingagedor duplicatepackets. TheMediaAccessControldatacommunicationprotocolisasublayerofthe datalinklayer.Itprovidesaddressingandchannelaccesscontrolmechanisms thatmakeitpossibleforseveralterminalsornetworknodestocommunicate withinamultipointnetwork,typicallyaLANormetropolitanareanetwork (MAN). Maninthemiddle Anattackinwhichanattackerisabletoread,insertandmodifyatwill, messagesbetweentwopartieswithouteitherpartyknowingthatthelink betweenthemhasbeencompromised. MeanOpinionScoreMeanOpinionScore(MOS)istheaverageoftheopinionsexpressedbyagroup ofsubjectspresentedwithasamplestimulus,e.g.avoicesample.Subjects expresstheiropinionagainsta5pointscale,e.g.:excellent(5),good(4),fair(3), poor(2),bad(1).Objectivemeasurementmethodsattempttopredicthuman opiniontoprovideanumericalindicationoftheperceivedqualityofreceived mediaaftercompressionand/ortransmission. NetworkAddress NATisapowerfultoolthatcanbeusedtohideinternalnetworkaddressesand Translation enableseveralendpointswithinaLANtosharethesame(external)IPaddress. 
NATsalsoindirectlycontributetosecurityforaLAN,makinginternalIP addresseslessaccessiblefromthepublicInternet.Thus,allattacksagainstthe networkmustbefocusedattheNATrouteritself.Likefirewalls,thisprovides securitybecauseonlyonepointofaccessmustbeprotected,andtherouterwill generallybefarmoresecurethanaPCdirectlyconnectedtotheInternet(less likelihoodofopenports,maliciousprograms,etc.). NetworkLayer Thislayerroutespacketsacrossnetworks.InternetProtocol(IP)isthe fundamentalnetworklayerprotocolforTCP/IP.Othercommonlyused protocolsatthenetworklayerareInternetControlMessageProtocol(ICMP) andInternetGroupManagementProtocol(IGMP).Security controlsatthis layerapplytoallapplicationsandarenotapplicationspecific,soapplications donothavetobemodifiedtousethecontrols.However,networklayer controlsprovidelesscontrolandflexibilityforprotectingspecificapplications thantransportandapplicationlayercontrols.Networklayercontrolscan protectboththedatawithinpacketsandtheIPinformationforeachpacket. 25 InternetProtocol

IPsec

MAC

MITM

MOS

NAT

AProxyImpersonationattacktricksthevictimintocommunicatingwitha rogueproxysetupbytheattacker.Onceanattackerimpersonatesaproxy,he hascompletecontrolofthecall. ProxyServer Aproxyserverisaserver(acomputersystemoranapplicationprogram)which servicestherequestsofitsclientsbyforwardingrequeststootherservers.A clientconnectstotheproxyserver,requestingsomeservice,suchasafile, connection,webpage,orotherresource,availablefromadifferentserver.The proxyserverprovidestheresourcebyconnectingtothespecifiedserverand requestingtheserviceonbehalfoftheclient.Aproxyservermayoptionally altertheclient'srequestortheserver'sresponse,andsometimesitmayserve therequestwithoutcontactingthespecifiedserver.Inthiscase,itwould 'cache'thefirstrequesttotheremoteserver,soitcouldsavetheinformation forlater,andmakeeverythingasfastaspossible. PublicSwitched Thepublicswitchedtelephonenetworkisthenetworkoftheworld'spublic TelephoneNetwork circuitswitchedtelephonenetworks,inmuchthesamewaythattheInternetis thenetworkoftheworld'spublicIPbasedpacketswitchednetworks.Originally anetworkoffixedlineanalogtelephonesystems,thePSTNisnowalmost entirelydigitalandnowincludesmobileaswellasfixedtelephones.ThePSTNis largelygovernedbytechnicalstandardscreatedbytheITUT,anduses E.163/E.164addresses(knownmorecommonlyastelephonenumbers)for addressing. QualityofService Inthefieldsofpacketswitchednetworksandcomputernetworking,thetraffic engineeringtermQualityofService,abbreviatedQoS,referstoresource reservationcontrolmechanismsratherthantheachievedservicequality. QualityofServiceistheabilitytoprovidedifferentprioritytodifferent applications,users,ordataflows,ortoguaranteeacertainlevelof performancetoadataflow.QoSmechanismsimplementedintheIPdata networkarekeytoprovidinghighqualityVoIPconnections. 
Qualityof EnduserQualityofExperienceisdeterminedbytheperformanceofboththe Experience networkandthecommunicationsapplication.InthecaseofVoIPQoEis determinedbytheperformanceoftheIPNetwork(todeliverthepackets acrossthenetwork)andapplicationlevelfactorssuchas;echo,speechlevel, delay,noiselevel,andspeechdistortion.Effectiveandperformance managementmustaccountforbothnetworkandapplicationperformance. RateLimiting RatelimitingorratecontrolisusedtomaintainfairnessinInternetbandwidth allocationtoensuretheeffectivemanagementoflimitednetworkresource. Italsocanlimittheeffectofattacksthattrytooverwhelmthenetwork. Registration Registrationhijackinghappenswhenanattackerreplacesthelegitimate hijacking registrationofthevictimwithhisaddress.Theattackcausesallincomingcalls forthevictimtobesenttotheattackersaddress. RealTimeTransportTheRealtimeTransportProtocol(orRTP)definesastandardizedpacket Protocol formatfordeliveringaudioandvideoovertheInternet.Itwasdevelopedbythe 26 Proxy impersonation

PSTN

QoS

QoE

RTP

AudioVideoTransportWorkingGroupoftheIETFandfirstpublishedin1996as RFC1889.RTPdoesnotprovidemechanismstoensuretimelydeliveryof packets.TheyalsodonotgiveanyQualityofService(QoS)guaranteessoQoS needstobeprovidedbysomeothermechanism. SessionBorder SBCsarededicatedappliancesthatofferoneormoreofthefollowingservices Controller toaVoIPperimeter:Firewall/NATtraversal,CallAdmissionControl,Service LevelAgreementmonitoring,supportforlawfulintercept,andprotocol interworking. Scavengerclass ScavengerclassorlessthanBestEffortqueuingisastrategyusedkeep queuing criticalapplicationsavailableduringDoSattacks.Thefirststepindeploying ScavengerclassQoSistoprofileapplicationstodeterminewhatconstitutesa normalvs.abnormalflow.Applicationtrafficexceedingthisnormalratewillbe assignedtoaminimalbandwidthqueueforcingittobesquelchedtovirtually nothingduringperiodsofcongestion,butallowingittobeavailableif bandwidthisnotbeingusedforbusinesspurposes,suchasmightoccurduring offpeakhours.Applicationsassignedtothisclasshavelittleornocontribution totheorganizationalobjectivesoftheenterpriseandaretypically entertainmentorientedinnatureincludingpeertopeermediasharing applications. SessionInitiation SIPisanapplicationlayercontrol(signaling)protocolforcreating,modifying, Protocol andterminatingsessionswithoneormoreparticipants.Itcanbeusedtocreate twoparty,multiparty,ormulticastsessionsthatincludeInternettelephone calls,multimediadistribution,andmultimediaconferences.ItisbasedonIETF RFC3261.ItiswidelyusedasasignalingprotocolforVoiceoverIP,alongwith H.323,MGCPandotherprotocols. SoundInsertion SoundInsertionisanattackthatwillinsertthecontentsofasoundfileintoan existingRTPstream.TheapproachistorecordunencryptedRTPstreamsof someone'sconversationsandbuildupavocabularyforthatperson.Youwould thenassembleyourinjectionphrasefromthatperson'spriorconversationsand thenwaitfortherightmomenttoinjectit.Thisdoes,ofcourse,requirea somewhatsignificantamountofwork,networkaccessandthepropertiming. 
StatefulPacket Statefulpacketinspectionisafirewallarchitecturethatworksatthenetwork Inspection layer.Unlikestaticpacketfiltering,whichexaminesapacketbasedonthe informationinitsheader,statefulinspectiontrackseachconnectiontraversing allinterfacesofthefirewallandmakessuretheyarevalid.Astatefulinspection firewallalsomonitorsthestateoftheconnectionandcompilestheinformation inastatetable.Becauseofthis,filteringdecisionsarebasednotonlyon administratordefinedrules(asinstaticpacketfiltering)butalsooncontextthat hasbeenestablishedbypriorpacketsthathavepassedthroughthefirewall. SpamoverInternet VoIPspamisunsolicitedandunwantedbulkmessagesbroadcastoverVoIPto Telephony anenterprisenetworksendusers.ThesehighvolumebulkcallsroutedoverIP areoftenverydifficulttotraceandhavetheinherentcapacityforfraud, unauthorizedresourceuse,andprivacyviolations.

SBC

SIP

SPI

SPIT

27

Spoofing: A spoofing attack, in computer security terms, refers to a situation in which one person or program is able to masquerade successfully as another.

SRTP (Secure Real-time Transport Protocol): SRTP provides a framework for encryption and message authentication of RTP and RTCP streams. It can provide confidentiality, message authentication and replay protection for audio and video streams. SRTP achieves high throughput and low packet expansion. It is independent of a specific RTP stack implementation and of a specific key management standard, but Multimedia Internet Keying (MIKEY) has been designed to work with SRTP.

SSH (Secure Shell): Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.

TCP (Transmission Control Protocol): Transmission Control Protocol is one of the core protocols of the Internet protocol suite. It is the transport protocol that manages the individual conversations between web servers and web clients. TCP divides the HTTP messages into smaller pieces, called segments, to be sent to the destination client. It is also responsible for controlling the size and rate at which messages are exchanged between the server and the client.

Transport Layer: This layer provides connection-oriented or connectionless services for transporting application layer services between networks. The transport layer can optionally assure the reliability of communications. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are commonly used transport layer protocols. Security controls at this layer can protect the data in a single communications session between two hosts. The most frequently used transport layer control is SSL, which most often secures HTTP traffic but is also used to implement VPNs. To be used, transport layer controls must be supported by both the clients and the servers. Because IP information is added at the network layer, transport layer controls cannot protect it.

TLS/SSL (Transport Layer Security and Secure Sockets Layer): TLS and its predecessor SSL are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, email, Internet faxing, instant messaging and other data transfers. There are slight differences between SSL and TLS, but they are substantially the same.

UDP (User Datagram Protocol): User Datagram Protocol is one of the core protocols of the Internet protocol suite. Using UDP, programs on networked computers can send short messages, sometimes known as datagrams, to one another. UDP does not guarantee reliability or ordering in the way that TCP does. Datagrams may arrive out of order, appear duplicated, or go missing without notice. Avoiding the overhead of checking whether every packet actually arrived makes UDP faster and more efficient, at least for applications that do not need guaranteed delivery. Time-sensitive applications often use UDP because dropped packets are preferable to delayed packets. Common network applications that use UDP include the Domain Name System (DNS), streaming media applications such as IPTV, Voice over IP (VoIP), Trivial File Transfer Protocol (TFTP) and online games.
VGW (Voice Gateway): A Voice Gateway is used as the connecting point between a VoIP system and the PSTN or other legacy equipment such as analog phones. Thus it is used to convert from IP to traditional analog or digital formats to provide connections such as FXS, FXO, PRI, T1, or other types of ports. Voice gateways can be implemented in dedicated devices or are often implemented in routers.

Vishing: Vishing is the criminal practice of using social engineering and VoIP to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and phishing.

VLAN (Virtual LANs): VLANs segregate different areas of the same network, for example, separating a company's client record servers from its public Web servers or separating IP phones from PCs and softphones (PCs equipped to perform like IP phones). VLANs control the propagation of traffic between network components, creating a logical separation even where there is no physical separation.

VoIP (Voice over Internet Protocol): Voice over Internet Protocol is a protocol optimized for the transmission of voice through the Internet or other packet-switched networks, typically as an RTP stream. VoIP is often used abstractly to refer to the actual transmission of voice (rather than the protocol implementing it). VoIP is also known as IP telephony or Internet telephony.

VoMIT (Voice over misconfigured internet telephony): Voice over misconfigured internet telephony refers to the attachment of a packet sniffer to the VoIP network segment in order to intercept voice traffic. VoMIT is freely available over the Internet.

VPN (Virtual Private Network): A VPN is a virtual network, built on top of existing physical networks, which can provide a secure communications mechanism for data and other information transmitted between networks. Because a VPN can be used over existing networks, such as the Internet, it can facilitate the secure transfer of sensitive data across public networks. This is often less expensive than alternatives such as dedicated private telecommunications lines between organizations or branch offices. VPNs can also provide flexible solutions, such as securing communications between remote telecommuters and the organization's servers, regardless of where the telecommuters are located. A VPN can even be established within a single network to protect particularly sensitive communications from other parties on the same network.

WAN (Wide Area Network): A Wide Area Network (WAN) is a computer network that covers a broad area (i.e., any network whose communications links cross metropolitan, regional, or national boundaries). The largest and most well-known example of a WAN is the Internet. WANs are used to connect LANs and other types of networks together, so that users and computers in one location can communicate with users and computers in other locations. Many WANs are built for one particular organization and are private.

WPA2 (IEEE standard 802.11i): WPA and WPA2 Authentication & Encryption for 802.11 Security are standards-based security solutions from the Wi-Fi Alliance that address the vulnerabilities in native WLANs and provide enhanced protection from targeted attacks. WPA was designed to address the weaknesses of WEP. It is a subset of 802.11i (the ratified IEEE standard for WLAN security) and consists of an authentication mechanism (802.1X or pre-shared keys) and an encryption mechanism (Temporal Key Integrity Protocol (TKIP), as defined in 802.11i, which can be supported in software by products that support WEP). WPA2 is the second generation of WPA security from the Wi-Fi Alliance that supports either the 802.1X or pre-shared key authentication mechanism but also supports the Advanced Encryption Standard (AES).

Worm: A worm is a type of virus program that propagates itself over a network, reproducing itself as it goes.