UC Security Best Practices. September 25, 2008

(1)

UC

Security

Best

Practices

September 25, 2008

(2)

Abstract

Unified Communications (UC) offers the promise of facilitating an enterprise’s drive for business agility through the deployment of a cost‐effective communications and collaboration platform spanning its remotely located and mobile employees, its supply chain, its partner ecosystem and its customers.

Using a non‐technical approach, we take the Business Decision Maker (BDM) through best practices for securing multimedia UC.

The key to securing the UC solution requires considering voice, data, and video communications as a system, and implementing a multilayered, uniformly applied defense construct for the system infrastructure, call management, applications, and endpoints. The solution should be layered, with multiple controls and protections at multiple network levels. This defense‐in‐depth approach minimizes the possibility that a single point of failure could compromise overall security. If a primary security layer is breached other defensive barriers are available to deter the attack. Such an approach has been considered best practice for data security since the first days of the Internet.

The bottom line is that confidentiality, integrity, and availability of critical multimedia resources must be ensured while maintaining the UC solution’s performance. Security features should be transparent to the user, standards‐based, simple to administer and cost‐effective. There is no one size fits all. Companies should examine UC security from a business perspective by defining goals, policies, and patterns of usage at the get‐go across all applications – data, VoIP, Instant Messaging (IM) and presence, Web and audio/video conferencing. Security policies for all media streams need to be aligned and properly balanced against business risks. We will follow this theme throughout the discussion.

(3)

UC

Security

Best

Practices

1. Introduction

Business agility has become the mantra for 21st Century success in an increasing global economy, and UC is a leading technology supporting its attainment by enabling organizations to embed communications and collaboration into business processes. Individual productivity gains, while showing improved performance without impact on process outcomes, are still unlikely to improve competitive positioning or the delivery of products and services. Contextual collaboration, on the other hand, across customers, employees, suppliers, the channel and among strategic partners will accelerate innovation, time‐to‐ market, information‐driven decision making, and create the cost efficiencies that define sought after best in class business agility.

Companies of all sizes are adopting unified communications and the collaboration capabilities it fosters to boost productivity and innovation, increase mobility and enhance flexibility.

Upon interviewing 315 network and telecommunications decision‐makers at European enterprises, Forrester1 finds that enterprise implementation of VoIP in Europe is firmly entering the mass adoption phase. Most enterprises (76%) are going down the IP PBX route — either installing the equipment on their own premises or contracting a managed service from a hosting center. UC is firmly on the agenda — 35% of firms say UC is a priority, and 18% have implemented some element of UC.

In that same context, , a Dimension Data2‐sponsored survey of 390 IT managers and 524 end‐users across 13 countries in the United States, Asia Pacific and Europe, Middle East and Africa found that most organizations have already invested in infrastructure technologies, with 37% of companies currently using IP telephony, followed by 36% using a video conferencing infrastructure. Although mobile VoIP is not widely used, an investment is on corporate agendas, in the next two years. The findings show that organizations view click‐to‐dial on desktops (52%), and presence (42%) as maturing technologies that will be routinely used in the corporate environment within two years. Moreover, The United States leads the way in IP telephony adoption (60%) with Middle East and Africa having the lowest penetration at 13%.

AMI‐Partners3 reports that small and medium businesses (SMBs) are gravitating towards UC without even realizing it. Based on its survey of 1500 companies, AMI finds that SMBs have a strategic interest in business continuity, enhanced connectivity, collaboration, mobility, and standardized IT infrastructure which are all foundational elements of a comprehensive UC portfolio.

1

The State Of Enterprise VoIP And Unified Communications Adoption In Europe: 2007, December 6, 2007, http://www.forrester.com/Research/Document/Excerpt/0,7211,43073,00.html.

2_Unified_{Communications}_Adoption_Outpaces_Expectations_,_August_20,_2007,

http://www.dimensiondata.com/NR/rdonlyres/CD1D2A10‐41FF‐412C‐932C‐

CAE4D964A7A9/7615/UNIFIEDCOMMUNICATIONSADOPTIONOUTPACESEXPECTATIONS1.pdf.

3_Driving_Unified_{Communications}_&_{Collaboration}_in_the_SMB_Market_–_the_Business_‐_Focused_Web2.0_,_October

(4)

Clearly, within the context of UC‐driven communications enabled business processes, converged voice and data IP networks are being entrusted to carry the essential functions of conducting business to and from the remote worker, the supply chain and the partner ecosystem. And in doing so these networks must be secured in a manner that:

 Complies with all applicable laws and regulations;  Prevents leaks of customer records;

 Protects intellectual property and proprietary information; and  Preserves corporate brands and reputations.

Yet according to an In‐Stat survey of IT professionals at 299 US businesses about their security plans for VoIP technology, “No mechanisms for securing VoIP had more than 50% penetration across all sizes of business,” says Victoria Fodale4, In‐Stat analyst.

Our purpose here is to set out, in non‐technical terms, best practices for securing UC.

The key to securing UC requires considering voice, data, and video communications as a system and implementing a multilayered, uniformly applied defense construct for the system infrastructure, call management, applications, and endpoints. The solution should be layered, with multiple controls and protections at multiple network levels. This minimizes the possibility that a single point of failure could compromise overall security. If a primary security layer is breached other defensive barriers are available to deter the attack.

Now a UC network is complex, consisting as it does of a wide range of components and applications such as telephone handsets, conferencing units, mobile units, call managers, gateways, presence servers, routers, servers, firewalls, specialized protocols and applications linkages. The good news is that VoIP, IM, and video are all applications running on an IP network, and all of the security technologies and policies that companies have deployed for their data networks can be tuned to emulate the security level currently enjoyed by Public Switched Telephone Network (PSTN) users of Plain Old Telephone Service (POTS). In many cases, even if a concerted effort to deploy data network security has not been implemented, the technology likely already exists in your network if you have modern switches, routers and security appliances. In fact, taking a network‐centric approach will lead to improved manageability and deployment through reduced complexity and more efficient trouble shooting, which all lead to lower total cost of ownership.

The bottom line is that the confidentiality, integrity, and availability of critical multimedia resources must be ensured while maintaining the UC solution’s performance. Security features should be transparent to the user, standards‐based, simple to administer and cost‐effective. There is no one size fits all. Companies should examine UC security from a business perspective by defining goals, policies, and patterns of usage at the get‐go across all applications – data, VoIP, IM and presence, Web and audio/video conferencing. Security policies for all media streams need to be aligned and properly balanced against business risks. We will follow this theme throughout the discussion.

4_US_Businesses_Lag_In_Securing_VoIP,_In_‐_Stat_Press_Release_March_24,_2008,

http://www.instat.com/press.asp?ID=2271&sku=IN0804266CT.

(5)

2. UC

Security

–

Best

Practice

Recommendations

Below we will take the BDM through a non‐technical discussion of best practices for securing UC with emphasis on VoIP. Key security‐related terms will be aggregated for later reference in a glossary at the end of the white paper.

2.1Getting Started – Plan the Work and Work the Plan

A UC security strategy should be developed in the formalized context of enterprise risk management. Enterprise risk management is:

 A process, ongoing and flowing through an enterprise;  Affected by people at every level of an organization;  Applied in a strategy setting;

 Applied across the enterprise, at every level and unit, and includes taking an enterprise‐wide portfolio view of risk;

 Designed to identify potential events that, if they occur, will adversely affect the enterprise and the associated risk managed within the enterprise’s risk appetite;

 Able to provide reasonable assurance to enterprise management and board of directors; and  Geared to achievement of objectives in one or more separate but overlapping categories.

This is a collaborative cross‐organizational team effort requiring participation from many players representing the networking, security, telecom, legal and business sides of your organization. It’s also appropriate at the start of any UC project to involve your service provider security representatives and possibly a security consultant. In particular, ask your carrier how they can help you mitigate Distributed Denial of Service (DDoS) and “botnet” attacks.

The team’s first project step is to establish strategic objectives that are aligned with and support the enterprise’s mission, support compliance with applicable laws and regulations, and reflect

management’s appetite for risk. In carrying out its mission the team must be charged with effective use of resources, development and deployment of reliable reporting, ongoing monitoring and those security system optimization processes that will allow the enterprise to migrate over time to richer security implementations.

Performance of a security assessment comes next. Assessments identify security gaps so they can be managed effectively. From the security perspective everybody is under threat, but by varying degrees. Invite your project team to a brain storming session. Begin by posing questions such as:

 What kind of information are we holding?

 What would happen if somebody got a hold of that information?  What kind of legal and regulatory environments are we dealing with?  Whose presence status and location must be protected?

 What would happen if there was a UC system outage?  How visible a target do we consider ourselves to be?

Once you’ve drawn up a comprehensive list of threats, move on to assess: the interdependencies between the threats, the feasibility of each of the threats, the quantitative impact of each threat, and

(6)

finally a prioritization of mitigation actions for each of the potential threats. You must feel confident that you can acceptably manage and mitigate the risks to your corporate information, system operations, and continuity of essential operations when deploying UC technology.

Attacks on UC systems can be broadly categorized into the following five types: (1) Confidentiality (or privacy), which includes call eavesdropping, call recording and voicemail tampering; (2) Integrity (or authenticity), which includes registration hijacking, caller ID spoofing, and sound insertion; (3) Availability, which includes denial of service attacks, buffer overflow attacks, and malware; (4) Theft, which includes toll fraud (service theft) and data theft through masquerading data as voice and data network crossover attacks; and (5) Voice Spam, known as SPIT, which includes unsolicited calling, unified mailbox stuffing, and Vishing (voice phishing).

Categorization of VoIP Threats

Threat Type Examples Impact

Confidentiality  Eavesdropping  Call Recording  Voicemail tampering

 Leakage of sensitive or confidential information  Compromised corporate assets

 Identity theft  Blackmail Integrity (or Authenticity)  Registration hijacking  Caller ID spoofing  Sound Insertion

 Disruption and Chaos  Identity theft Availability  Denial of Service

 Buffer overflow attacks  Worms & Viruses

 Service Outages with impact on revenue and brand image  Extortion

 Lost productivity Theft  Service theft

oToll fraud  Data Theft

o Masquerading data as voice

o Data network x‐over attacks

 Excessive subscriber phone bills  Lost carrier revenues

 Loss of trade secrets, confidential data, etc.  Industrial espionage

SPIT  Unsolicited Calling  Mailbox stuffing  Vishing

 Reduced productivity and co‐op of system resources  Identity theft

 Financial loss

Confidentiality refers to the enterprise’s need to keep the non‐public customer/client/partner data that it possesses both secure and private. Regulatory compliance raises the stakes significantly in the quest for effective UC security. Examples of confidentiality threats are: call eavesdropping, call recording and voicemail tampering.

Measures such as Health Insurance Portability and Accountability Act (HIPAA), Sarbanes‐Oxley (SOX), European Basel II and the Gramm‐Leach‐Bliley Act (GLB) pose a range of potential legal and financial liabilities5. In addition, any findings of non‐compliance or failure to comply with the required disclosure of security breaches can yield adverse publicity and the loss of business and brand value. To

5_Other_legislation_and_regulations_include:_E_‐₉₁₁_laws_in₁₇_states,_security_breach_laws_in_more_than₃₄_states,

Federal Information Security Management Act (FISMA), Federal Financial Institutions Examination Council (FFIEC),

Supervisory Control and Data Acquisition (SCADA), Payment Card Industry Data Security Standard (PCI DSS) and the

Committee of Supporting Organizations (COSO) Enterprise Risk Management Framework.

(7)

demonstrate full compliance with the security mandates your business must not only prevent malicious attacks from outside the organization, but also take necessary and prudent measures to protect against internal risks.

Integrity of information means that information remains unaltered by unauthorized users. That is, information cannot be changed in transit or at rest without being detected, and that malicious or unwanted data can be blocked, filtered, or otherwise kept away from both servers and users. Integrity threats include any event in which system functions or data may be corrupted, either accidentally or as a result of malicious actions. Misuse may involve legitimate users (i.e. insiders performing unauthorized operations) or intruders. Authentication provides a mechanism to verify that a user or client is

legitimate and has clearance for a given level of access. This is normally accomplished through the use of strong passwords that are centrally administered. Also, at the user level, company employees should be trained and assessed against high‐risk security behavior. Malicious integrity (or authenticity) threats take the form of registration hijacking, caller ID spoofing, and sound insertion.

Availability refers to the principle that data and services are available for use when needed. Availability is a critical part of overall security planning. Attacks exploiting vulnerabilities in the call management software or protocols may lead to deterioration or even denial of service, or functionality of the call server. In addition, special consideration should be given to E‐911 emergency services communications, because E‐911 automatic location service is not available with VoIP in some cases (for example

Microsoft Office Communications Server 2007).

2.2 Take a Multilayered Approach to Protecting Your Network Infrastructure

Securing the network perimeter, though absolutely necessary, is no longer sufficient. The growing internal threat, increasingly mobile workforce, more critical servers being placed on the network, and more attacks coming in on common ports have exploited flaws in the traditional firewall‐centric security solution. A more mature and enlightened market is evolving towards the notion of layered security solutions. The core network layer protection includes an application‐aware firewall and Intrusion Detection/Prevention Systems. Protection around the communications layer involves VoIP encryption. Perimeter security, as applied to UC solutions would infer that the voice network be segregated wherever possible, so that unwanted traffic between the voice and data network is constrained. Endpoint security must include mechanisms to control access to the devices. Password control policies must be enforced so that passwords are changed regularly and strong passwords always used.

2.2.1 Segregate Voice and Data Traffic on Separate VLANs

A basic technique for voice security is to assign voice and data on logically separate networks (Virtual LANs or VLANS) due to their different Quality of Service6 (QoS) and security requirements. In addition,

6

See Critical Success Factors in Design and Performance Management of UC Networks, March 2008,

http://www.ucstrategies.com/UC_Networks.aspx. An in‐depth discussion is provided of VoIP’s requirements for

both QoS, which concerns measurement of the treatment of the packets traversing a network including utilization,

(8)

traffic sent over the voice VLAN is not visible to insiders or outsiders connected to data VLANs, and data traffic cannot cross over to the voice VLAN. LAN Ethernet switches should be equipped with 802.1p prioritization so they can identify and prioritize traffic based on VLAN tags and support multiple queues. VLAN tagging ensures that data traffic from PC softphones takes a separate VLAN from voice traffic. Voice traffic is very delay‐sensitive and must be prioritized over data on these VLANs so that it gets through even during a network attack.

Establishing separate departmental voice VLANs will deter toll fraud by preventing employees from trying to use another department’s VLAN for toll calls to avoid increasing their own phone bills. It’s also good practice to segregate the management traffic on its own VLAN, together with host authentication, to minimize the likelihood of unwanted access to the call control servers.

When creating the VLAN, be sure to place its equipment behind separate firewalls. This practice will restrict traffic crossing VLAN boundaries and prevent viruses and other kinds of malware from spreading from clients to servers. When looking for firewall technology, be sure to examine products that support both leading standards: Session Initiation Protocol (SIP) and the International Telecommunication Union's H.323 protocol.

In conjunction with VLANs, companies can set up voice Access Control Lists (ACLs) for departments, workgroups, and individuals. Access control lists are an important part of the toolset a network administrator has at his/her disposal to monitor and control access into a VoIP network. ACLs on the networking layer can be used to prevent inbound data packets used in DoS attacks from entering the voice VLAN. ACLs are also instrumental in defending against eavesdropping and call interception by preventing voice traffic from crossing over to an untrusted portion of the network.

2.2.2 Authentication and Security Features such as IEEE 802.1x and Access Control Lists are not enough

It is important to understand that use of authentication and security features such as IEEE 802.1x and access control lists, while an integral part of an organization's threat defense policies, cannot prevent the data link layer attacks such as "Man‐in‐the‐middle" attacks using Gratuitous Address Resolution Protocol (GARP) and Dynamic Host Configuration Protocol (DHCP) server spoofing. These attacks exploit normal protocol processing such as a switch's ability to learn Media Access Control (MAC) addresses, end‐station MAC address resolution via ARP, or DHCP server IP address assignments.

DHCP server spoofing is prevented by defining trusted ports which can send DHCP requests and acknowledgements, and untrusted ports which can forward only DHCP requests. The Cisco Catalyst switch, for example, assumes that trusted ports are those that connect to either the DHCP server itself, or switched ports, such as uplinks, that in turn connect the switch to the rest of the network. This

management with its focus on the unique VoIP Quality of Experience (QoE) requirements associated with differing

business scenarios.

(9)

thwarts malicious users acting as a network DHCP server and sending out incorrect addresses under the pretense of being the default gateway, and intercepting data traffic. In addition, by intercepting all DHCP messages within the VLAN, the switch can act much like a small security firewall between users and the DHCP server, building a binding table containing client IP address, client MAC address, port, and VLAN number.

Before an endpoint can talk to another endpoint it must make an ARP request to map the IP address to the MAC address. The most effective way for an attacker to eavesdrop a connection is to spoof the default gateway by sending a gratuitous ARP reply containing the IP address of the default gateway to other devices on the LAN. The gratuitous ARP packet causes the devices to overwrite the old entry with the new one, effectively making the attacker the new default gateway for those devices. The attacker can use IP forwarding to relay the traffic between the devices and the default gateway without the other devices being aware of what is happening.

GARP attacks can be prevented through Dynamic ARP Inspection (DAI), which helps to ensure that the access switch relays only "valid" ARP requests and responses. DAI inspects all ARPs and compares them to the DHCP Binding table. If ARP does not match the binding table the ports are shut down.

The increasing trend towards the use of softphone clients poses a problem for architectures that rely purely on VLAN separation and access control lists. In these deployments the voice capable devices are not only on the Phone VLAN but also on the data VLAN since the soft clients are applications that operate on a user’s desktop. With the increased adoption of unified communications applications such as presence and instant messaging this trend is likely to grow. The impact of the soft client is that it becomes difficult to distinguish between a genuine desktop that has a legitimate voice soft client and a rogue device. Access control lists are stateless and can only filter IP addresses and ports. With IP voice protocols, such as SIP, negotiate the port to be used in a voice call from a wide range of ports (16384 to 32767 for audio). Access control lists must open up this entire range as it is impossible for the access control list to predict which ports will be used, resulting in a range of exposed ports that attackers can use for reconnaissance. To mitigate this threat, a new generation of proxy devices, often integrated with unified communications aware firewalls, is providing services for secure VLAN traversal for soft clients. Often enforcing device authentication to protect the call control infrastructure from rogue endpoints and then manipulating the signaling to force the media through a trusted device in the network, these proxy services can enable enterprises to build securely upon their existing VLAN and ACL based

architectures. The Cisco Adaptive Security Appliance 5500 Series (ASA) for example has been enhanced to support this functionality

2.2.3 Protect the Application Platform with Secure Management Best Practices

Protect the integrity of management systems. Segregate management traffic on its own VLAN.

Use a multilevel administration permissions construct. Organizations must define administrators’ roles

and restrict the functions they can use. Read‐only privileges are assigned to most administrators, reserving read‐write privileges for a few trusted individuals.

(10)

Validate administrators and their permissions prior to allowing them management access to voice

applications. Require administrators to log in at a physical interface different from the call‐processing

interface, and one that is not accessible to most people. Administrators are allowed access to the management interface only after being authenticated and authorized for the task. Centrally administered strong passwords are a needed here.

Encrypt management traffic to prevent interception or eavesdropping. Use IP Security (IPsec) or Secure

Shell (SSH) for all remote management and auditing access. If practical, avoid using remote management at all and perform IP PBX access from a physically secure system.

Maintain detailed audit trails by logging security alerts, errors, traffic monitoring, etc. With system

event logging, administrators are aware of and able to quickly respond to issues that could compromise network integrity or user security.

Harden operating systems. Once UC security is established you must be ever vigilant to deploy only

those features in your UC products that are consistent with your UC security policy. Workstations, servers, and desktop IP phones typically arrive from the vendor installed with a multitude of

development tools and utilities, which, although beneficial to the new user, also provide potential back‐ door access to an organization's systems. Therefore, remove of all nonessential tools, utilities, and other systems administration options, any of which could be used to ease a hacker's path to your systems. This action enforces the policy that only authorized people can access and change information pertaining to the UC system. Then ensure that: (1) all appropriate security features are activated and configured correctly, and (2) that patch management systems routinely pass out “anti‐X” software and operating system updates.

2.2.4 Virtual Private Networks (VPNs) Provide a Secure Pathway for Communication with Remote Workers

VPNs have a built‐in encryption feature that enables secure connectivity with branch offices and business partners that are unreachable by private networks. Even road warriors can log in to the VPN from their PCs. VPNs create logical “tunnels” between two endpoints that allow for data to be securely transmitted between the nodes. An encrypted VPN tunnel provides network, data, and addressing privacy by scrambling data so that only the designated parties understand it. This secures the identities of both the endpoints and protects the VoIP traffic flowing across different network components on the corporate LAN as if it were on a private network. Voice and video‐enabled VPN technology, available in many routers and security appliances, encrypts voice as well as data traffic using IPsec or AES.

Encryption is performed in hardware so that firewall performance is not affected.

The IPsec ESP (Encapsulating Security Payload protocol) tunnel is a specific kind of VPN used to traverse the Internet in a private manner. IPsec is the standard encryption suite for the Internet Protocol and will be fully supported in IPv6. In ESP Tunnel Mode, IPsec protects both the data and the identities of the endpoints. While providing strong security, IPsec does require significant effort to support dedicated clients on each machine authorized to connect remotely to the network. For this reason, it has become increasingly common for IPsec to be used to protect voice traffic between enterprise sites as part of a site to site VPN, while SSL has become more common for remote access VPN requirements. In addition,

(11)

with IPsec, making structural changes, adding new locations, or connecting with additional networks involves a fair amount of configuration work as each router must be configured to understand all the other routers in the network. This can be a significant maintenance headache if there are many locations involved. As a result of this administrative burden, some vendors have adapted IPsec VPN architectures to enable remote sites to dynamically query and build new site to site connections without requiring each site to be pre‐configured with a list of all the other potential peers in the network. This scalability and manageability enhancement also allows enterprises to build a more flexible encryption architecture. In addition, moving from hub and spoke topologies to more direct, spoke to spoke designs, provides a more suitable platform for voice services with minimized latency and jitter.

SSL (Secure Socket Layer) tunnel VPNs, once viewed as a complement to the IPsec VPN, have evolved as a direct competitor as it provides simplified deployment for remote access VPN. As originally conceived, this type of SSL VPN allowed a user to use a typical Web browser to securely access multiple network services through a tunnel that is running under SSL. The SSL VPN is, today, the most appropriate application‐layer VPN technology. SSL VPNs provide clientless access on a per‐application basis that enables the granular security needed to support business productivity by restricting application access to only those with a true need for access. Moreover, starting with a browser session, WAN

managers/administrators may offer access choices — ranging from completely portable clientless connections through thin‐client‐managed sessions with downloadable security features and application‐ specific services to full network connectivity (including routing) that emulates traditional tunnel VPNs, such as IPsec. The browser can be eliminated through the use of a manually installed client, while maintaining connectivity benefits. Additional SSL, User Datagram Protocol (UDP), and IPsec tunnels, acting as network layer VPNs, can be opened dynamically, as needed, to improve QoS for performance‐ sensitive applications, such as VoIP.

VPN is not the only option for providing confidentiality to IP voice streams. Access Edge gateways can encrypt Session Initiation Protocol (SIP) call signaling traffic to protect against eavesdropping and support server authentication for remote users and federated7 sites. This is typically achieved through Transport Layer Security (TLS) encryption for signaling messages and Secure Real Time Protocol (SRTP) for protecting the voice media. Access Edge gateways and voice aware firewalls can also perform filtering tasks, such as blocking traffic from untrusted addresses.

More likely than not, enterprises will be federating across different vendors’ UC environments in order to leverage UC‐enabled business process productivity enhancements across their supply chain, hopefully with well thought out security solutions. If not done well, sensitive information sent over the public Internet will make easy targets to the ever‐growing hacker threat. The sidebar overviews Cisco’s Adaptive Security Appliance (ASA) 5500 Series features which support secure federated presence.

7_Trusted_remote_OCS_sites_(called_"federated"_sites)_that_connect_over_the_Internet_have_access_edge_servers_in

their perimeter networks to enable secure call control and voice and video transmission across an organization's

(12)

Sidebar

–

Cisco

UC

Perimeter

Security

Services

The Cisco ASA 5500 Series Adaptive Security Appliance is a high‐performance, multifunction security appliance family delivering converged firewall with application‐layer and protocol‐aware inspection services, IPS, network anti‐X and URL filtering, SSL/IPsec VPN services, encrypted traffic inspection, presence federation and both remote worker hard phone and mobile phone proxy services. The ASA is a key component of the Cisco Self‐Defending Network. Among its differentiating features are:

 ASA provides security and inspection capability for Cisco applications (Presence, Unity, MeetingPlace), and third party applications like Microsoft OCS. Any Cisco UC communications encrypted with SRTP/TLS can be inspected by Cisco ASA 5500 Adaptive Security Appliances:

o Maintains integrity and confidentiality of call while enforcing security policy through advanced SIP/SCCP firewall services

o TLS signaling is terminated and inspected, then re‐encrypted for connection to destination (leveraging integrated hardware encryption services for scalable performance)

o Dynamic port is opened for SRTP encrypted media stream, and automatically closed when call ends

 ASA enables inter‐enterprise presence communications between Cisco and Microsoft presence servers and endpoints

 ASA phone proxy is a teleworker solution that terminates SRTP/TLS‐encrypted remote endpoints offering benefit of secure remote access without the need for a router at the remote worker’s site. Within the enterprise, the ASA phone proxy can be used for voice/data VLAN traversal in the following manner:

o All communicator originating from soft clients must be “proxied”

o Soft client communication is restricted to specific VLAN on ASA

o Cisco ASA performs inspection on traffic and opens media port dynamically for soft clients

 As a mobility proxy, the ASA terminates TLS signaling from Cisco Unified Mobile Communicator to Cisco Unified Mobility server and enforces security policies. The ASA is a mandatory component of Cisco’s mobility architecture and replaces Cisco Mobility Proxy.

(13)

2.2.5 Firewalls and Intrusion Detection/Prevention Systems

VoIP‐ready firewalls are essential components in the VoIP network and should be used along with state‐of‐the‐art intrusion detection and prevention systems.

Firewalls work by blocking traffic deemed to be invasive, intrusive, or just plain malicious from flowing through them. They provide a central location for deploying security policies, and when properly deployed insure that no traffic can enter or exit the LAN without first being filtered by the firewall. An advanced firewall with “stateful packet filtering” keeps track of the state of network connections (such as Transport Control Protocol (TCP) streams and UDP communication travelling across it.) The firewall is programmed to distinguish between legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected. Stateful filtering can grant or deny network access based on time of day, application, IP address, port range and other attributes. Observing normal traffic patterns and then applying appropriate rules can set Media and signal rate limits.

If possible, a firewall with application filtering should be utilized. Application filtering is an extension to stateful packet inspection. Whereas stateful packet inspection can determine what type of protocol is being sent over each port, application‐level filters look at what a protocol is being used for. Application‐ layer firewalls support multiple application proxies on a single firewall. The proxies sit between the client and server, passing data between the two endpoints. Suspicious data is dropped and the client and server never communicate directly with each other. Because application‐level proxies are

application‐aware, the proxies can more easily handle complex protocols like H.323 and SIP, which are used for VoIP and videoconferencing. Often, by deploying protocol conformance in unified

communications aware firewalls, enterprises can mitigate many of the vulnerabilities posted against the leading call control platforms. This is because the vulnerabilities are often exploited by sending

malformed packets that can adversely impact the call control system. By applying a rigorous protocol conformance policy, these malformed packets can be filtered within the network rather than attempt to be dealt with by the target machine.

Core network layer protection includes Intrusion Detection and Prevention Systems (IDS/IPS) technologies, which compliment firewalls by establishing sensors running on independent hardware platforms throughout the network. These sensors monitor traffic for unwarranted behavior or traffic patterns, and respond accordingly based on pre‐established rules. Malicious traffic is identified through comparison against typical traffic behavior associated with a list of known attacks. Based on network intelligence, you can adjust and tune for the number and types of checks performed on specific network segments or assets. Network Intrusion Prevention differs from firewalls in that they use a list of known signatures to identify attempts to exploit known vulnerabilities. In contrast, firewalls apply policy which control access and selectively applies security services.

Host IDS/IPS technologies serve a similar purpose as their network counterparts, but reside as software on a host machine (server or client) present within the network. The ever growing mobile workforce, continuing increase in the number of attack vectors targeting the actual host machine, and growth in deployment of SSL‐VPN solutions in many organizations are driving adoption of host based products.

(14)

Traditional network‐based products, for example, cannot decrypt the traffic on the line and the potential for certain attacks is passed to the host directly. Currently, customers are expanding

deployment scenarios to include all mission critical application and data servers, wireless access points, VPN access points, and remote machines. Additionally, there are many compliance issues that can only be measured by an agent on the host deploying predefined and customized behavior‐based protections. Since a Host IPS (HIPS) security agent intercepts all requests to the system it protects, it has certain prerequisites: it must be very reliable, must not negatively impact performance, must not block

legitimate traffic and should be centrally managed for efficient reporting and auditing of activities. Host IDS/IPS technology also includes file integrity, DDoS protection, authentication and OS hardening.

As an example of the offerings in this competitive area we take a brief look at the Cisco Security Agent (CSA) which uses behavioral‐anomaly detection to provide powerful endpoint protection against day‐ zero threats. CSA uses no signatures, reducing the pressure to update systems, while keeping the host covered during the shrinking vulnerability window. CSA’s key features are:

 Zero update protection based on operating system and application behavior  Control of content after decryption or before encryption (e.g., SSL, IPsec)

 Access control for I/O devices based on process, network location and file content  Centralized management and monitoring of events

 Self‐Defending Network interaction with such solutions as ASA, Network Access Control, IPS, QoS, Monitoring, Analysis, and Response Systems, etc.

2.2.6 Use VoIP network encryption

Firewalls, gateways, and other such devices can help keep intruders from compromising a network. But unless the VoIP network is encrypted, anyone with physical access to the office LAN could potentially tap into telephone conversations8. Moreover, firewalls, gateways and such don’t protect voice packets traversing the Internet. Encryption at the protocol level is necessary to defeat eavesdropping attacks. Transport Layer Security (TLS) and IPsec are two main encryption methods. Both protocols aim to keep unauthorized parties from interfering with or listening to calls, and they are almost impossible to manipulate externally.

To install multiple encryption layers, use Secure Real Time Protocol (SRTP) at the communications layer for media encryption and TLS for signaling. Encrypting the actual content of communications between users (media encryption) prevents eavesdropping into private matters, whether the communication is voice, video or IM. Signaling encryption prevents illicit monitoring or tampering of the signaling that directs network operations, such as call setup and routing, service performance, event recording, billing, etc. Nonetheless, if you use encryption it’s imperative to have in place a solution that terminates and inspects UC communications encrypted with SRTP/TLS, then re‐encrypts the media and signaling for connection to its destination. Without such inspection, malicious traffic could enter the organization.

8

You might not need traffic encrypted at the LAN, but you certainly will want to encrypt it at the router as it

traverses the WAN. Seriously consider security solutions that offer the flexibility to have either encryption off the

handset or encryption in bulk over the WAN links.

(15)

Authentication and encryption without inspection can give a false sense of security. This is particularly valuable in a contact center where you require encrypted calling between the service representative and the customer, but you want to allow supervisory intercept for quality control purposes

Gateways and switches should use IPsec or SSH instead of other clear‐text protocols as the remote access protocol. If web‐based interface is provided, Secure HyperText Transport Protocol (HTTPS) should replace HTTP. If practical, avoid using remote management at all and do IP PBX access from a physically secure system.

Voice over Wireless LAN (VoWLAN) traffic may be secured with the same techniques used to protect wireless data traffic. The Wi‐Fi Protected Access program version 2 (WPA2) and IEEE standard 802.11i both support the Advanced Encryption Standard (AES), which provides U.S. government level protection. With encryption key sizes of up to 256 bits, AES is considered extremely secure.

2.2.7 Maintain Adequate Physical Security and Power Backup

Even if encryption is used, physical access to UC servers and gateways may allow an attacker to perform traffic analysis or compromise systems. Adequate physical security should be in place to restrict access to UC components. Physical securities measures, including barriers, locks, access control systems, and guards, are the first line of defense. You must make sure that the proper countermeasures are in place to mitigate the biggest risks, such as insertion of sniffers or other network monitoring devices.

Installation of a sniffer could result in not just data, but all voice communications being intercepted.

In addition, allow for sufficient power backup and the ability to rollover your voice calls to the PSTN should your IP WAN experience an outage.

2.2.8 Use Network Access/Admission Control (NAC)

According to Wikipedia, Network Access (or Admission) Control is an approach to computer network security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement.

Network Computing (NWC)9 identifies five technology functions that are accepted and expected as part of a NAC product, based on interviews with 303 NWC readers directly involved in deploying or

evaluating network access control, and reviews of vendor collateral: 1. Pre‐connect host posture assessment

2. Host quarantine and remediation

3. Network access control based on user identity

4. Network resource control based on identity and policy 5. Ongoing threat analysis and containment.

9_NAC_Vendors_Square_Off_,_Network_Computing_Magazine,_July_6,_2006,_pp.55_‐_64,

http://i.cmpnet.com/nc/1713/graphics/1713f3_file.pdf

(16)

Most individuals surveyed were focused on two main pain points: identifying and policing user access to the network, and eliminating threats brought onto the network by infected hosts. These pain points reflect the fact that many organizations have issues with non‐corporate assets connecting to their network, such as employee‐owned devices or devices brought in by guests and visitors. Discovering when these devices connect to the network and limiting their access based on corporate policy is an ongoing challenge. These devices are typically not managed by central IT patch management tools.

The bottom line is that while establishing responsible computing guidelines, requiring user authentication, and passing out anti‐virus software and operating system updates through patch management systems are necessary security steps, they are not sufficient. The added step of using the network to enforce policies ensures that incoming devices are compliant. Thosejudged to bevulnerable and noncompliant arequarantined or given limited access until they reach compliance. Depending on vendor, NAC policies can permit, deny, prioritize, rate‐limit, tag, re‐direct, and audit network traffic based on user identity, time and location, device type, and other environmental variables.

Regulatory compliance is a key driver in NAC demand according to the Network Computing’s research. Their survey shows that 96 percent of respondents indicated they are governed by at least one

government or industry regulation, and many CEOs and CTOs are mandating the deployment of NAC. Solutions that couple with identity management greatly improve accountability.

(17)

3. Summary

of

UC

Security

Best

Practices

The drive for business agility is spurring companies of all sizes to adopt unified communications as a primary vector for enhanced communication and collaboration capabilities among remotely located and mobile employees, its supply chain and partner ecosystem, and with customers. These benefits,

however, do not come without risks. Introduction of an IP‐based UC communications and collaboration solution introduces an array of new vulnerabilities into the enterprise, and a growing number of malicious programs are exploiting these weaknesses.

The good news is that VoIP and IM are applications running on an IP network, and all of the security technologies and policies that companies have deployed for their data networks can be tuned to emulate the security level currently enjoyed by PSTN users of POTS. In many cases, even if a concerted effort to deploy data network security has not been implemented, the technology likely already exists in your network if you’ve recently purchased a switch or router.

The key to securing the UC network requires considering voice, data, and video communications as a system and implementing a multilayered, uniformly applied defense construct for the system infrastructure, call management, applications, and endpoints. The solution should be layered, with multiple controls and protections at multiple network levels. This minimizes the possibility that a single point of failure could compromise overall security. If a primary security layer is breached, other

defensive barriers are available to deter the attack.

In summary, best practices entail:

 Treat the development of a UC security program as a collaborative cross‐organizational project. Involve your carrier and an outside security consultant if necessary. Bottom line, plan the work and work the plan. The first step is to perform a security assessment. Assessments identify security gaps so they can be managed effectively. Any actionable risk assessment needs five key factors

considered – a comprehensive list of threats, the interdependencies between the threats, the feasibility of each of the threats, the quantitative impact of each threat, and finally a prioritization of mitigation actions for each of the potential threats. You must feel confident that you can acceptably manage and mitigate the risks to your corporate information, system operations, and continuity of essential operations when deploying UC systems.

And remember, there is no one size fits all. Companies should examine UC security from a business perspective by defining goals, policies, and patterns of usage at the start across all applications – data, VoIP, IM and presence, Web, and audio/video conferencing. Security policies for all media streams need to be aligned, and compliance with applicable laws and regulations must be properly implemented and properly balanced against business risks. Only then can costs be reconciled with benefits. In fact, taking a network‐centric approach will lead to improved manageability and

deployment through reduced complexity and more efficient troubleshooting, which all lead to lower total cost of ownership. The flexibility of this approach will simplify migration over time to richer security implementations, if required by legal/regulatory requirements, change in risk appetite, or growing sophistication and maliciousness of hacker attacks.

(18)

Balancing Security Solution Cost against Risk of Security Breach Area of Protection Low Security Cost & Risk Medium Security Cost & Risk High Security Cost & Risk

Infrastructure  Separate voice/data

VLANS

 Basis network layer ACLs  Traffic Prioritized with

QoS on the Network

 Stateful inspection

firewalls

 Network rate limiting

(Switch/Router/Firewall)  IDS monitoring

 Dynamic ARP inspection  DHCP snooping

 App aware firewall with

w/ TLS Proxy for

inspection of encrypted

traffic

 802.1x for all endpoints  NAC w/ hosted IPS  IPS monitoring &

prevention

 Scavenger class “ less

than best effort queuing”

for anomalous, peer‐to‐

peer & entertainment

traffic

 Centralized network

admin for authentication

& authorization

Call Management  Approved antivirus  Patches

 Strong admin credential

policy

 Standalone HIPS security

agent

 Multi‐level admin  Managed HIPS security

agent  TLS Signaling & SRTP media encryption  Adv OS Hardening  IPSec/TLS & SRTP gateways

Applications (Includes Toll

Fraud)

 Approved antivirus  Patches

 Strong admin credential

policy

 Conf call drop w/

initiator’s departure  Standalone HIPS security

agent

 Forced account codes  Dialing filters

 Managed HIPS security

agent

 IPSec/TLS & SRTP to apps

Endpoints  Disable Gratuitous ARP

on phones  Signed firmware &

configurations  Disable PC voice VLAN

access

 X.509 Certificates in IP

phones

 SSL VPN for remote

access softphones  Phone Proxy for remote

IP phones

 TLS Signaling & SRTP

media encryption  Encrypted configuration

files

 Managed HIPS security

agent (softphone)

 Assign voice and data on logically separate networks (VLANS) due to their different QoS and security requirements. Make sure your Ethernet switches are equipped with 802.1p prioritization so they can identify and prioritize traffic based on VLAN tags and support multiple queues.

(19)

 Protect the integrity of management systems. Segregate management traffic on its own VLAN. Use encryption, administrator access control, and activity logging.

 Use VPNs to provide a secure pathway for communication with remote workers. A VPN’s built‐in encryption feature enables secure connectivity with branch offices and business partners that are unreachable by private networks. Voice and video‐enabled VPN (V3PN) technology, available in many routers and security appliances, encrypts voice as well as data traffic using IPsec or AES. Encryption is performed in hardware so that firewall performance is not affected.

 Implement VoIP‐ready firewalls capable of handling the latency‐sensitive needs of voice traffic. Such firewalls provide rich granular controls, protocol conformance checking, protocol state tracking, security checks, and NAT services. These are essential components in the VoIP network. If possible, a firewall with application filtering should be utilized. Application filtering is an extension to stateful packet inspection. Whereas stateful packet inspection can determine what type of protocol is being sent over each port, application‐level filters look at what a protocol is being used for. In addition, state‐of‐ the‐art intrusion detection and prevention systems should also be installed.

 Use VoIP network encryption. TLS and IPsec are two main encryption methods. Make sure your firewall can provide for the inspection of encrypted voice traffic.

 Apply adequate physical security to restrict access to VoIP components. Even if encryption is used, physical access to VoIP servers and gateways may allow an attacker to do traffic analysis or compromise the systems. Physical securities measures, including barriers, locks, access control systems, and guards are the first line of defense. In addition, allow for sufficient power backup and the ability to rollover your voice calls to the PSTN should your IP WAN experience an outage.

 Implement Network Access (or Admission) Control in order to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement so that network access is contingent on compliance with established security policies.

 Train everyone in the enterprise on their responsibility for executing enterprise risk management in accordance with established directives and protocols.

(20)

Secure

UC

Solution

Router/GW Router/GW Call Mgmt Call Mgmt Telecommuter Branch Office Headquarters Regional Office IP WAN Security Agent (HIPS) VLAN’s Port Security Private Addresses Antivirus Encryption

Fraud Protection (dial plans)

Secure transport (VPN) DPS/IPS Phone Proxy

Internet

Road Warrior Mobility Proxy IP WAN Authenticated Routing Application firewall NAC

(21)

About

the

Authors

Paul Robinson, PhD David Yedwab Founding Partners www.mktstrategy‐analytics.com

Market Strategy and Analytics Partners custom designs marketing and sales strategies that are consistent with client core competencies, market focus and competitive environment, and coupled with operationalized go‐to‐market plans across the value chain to ensure elimination of bottlenecks and complete consideration of end‐to‐end financials. Our clients include equipment and software providers, service providers and information intense enterprises.

Market Strategy and Analytics Partners LLC

(22)

Glossary of Key VoIP Security Terms

Acronym Term Definition

ACL Access Control List The Access Control List is a file which a computer’s operating system uses to determine the users' individual access rights and privileges to folders /

directories and files on a given system. In an ACL‐based security model, when a subject requests to perform an operation on an object, the system first checks the list for an applicable entry in order to decide whether or not to proceed with the operation. A key issue in the definition of any ACL‐based security model is the question of how access control lists are edited. For each object; who can modify the object's ACL and what changes are allowed.

AES Advanced

Encryption Standard

AES is a block cipher adopted as an encryption standard by the U.S. government as of May 2002. It has been analyzed extensively and is now used worldwide, as was the case with its predecessor, the Data Encryption Standard (DES).

Application An application is a program or group of programs designed for end users. Applications software (also called end‐user programs) includes database programs, word processors, and spreadsheets. Figuratively speaking,

applications software sits on top of systems software because it is unable to run without the operating system and system utilities.

Application Filtering Application filtering is an extension to stateful packet inspection. Stateful packet inspection can determine what type of protocol is being sent over each port, while application‐level filters look at what a protocol is being used for. Application‐layer firewalls support multiple application proxies on a single firewall. The proxies sit between the client and server, passing data between the two endpoints. Suspicious data is dropped and the client and server never communicate directly with each other. Because application‐level proxies are application‐aware, the proxies can more easily handle complex protocols like H.323 and SIP, which are used for VoIP and videoconferencing.

Application Layer This layer sends and receives data for particular applications, such as Domain Name System (DNS), HyperText Transfer Protocol (HTTP), and Simple Mail Transfer Protocol (SMTP). Separate application security controls must be established for each application; this provides a very high degree of control and flexibility over each application’s security, but it may be very resource‐intensive. While application layer controls can protect application data, they cannot protect TCP/IP information such as IP addresses because this information exists at a lower layer.

ALP/ALG Application Level

Proxy/Gateway

An application level gateway, also known as application proxy or application‐

level proxy, is an application program that runs on a firewall system between

two networks. When a client program establishes a connection to a destination service, it connects to an application gateway, or proxy. The client then

negotiates with the proxy server in order to communicate with the destination service. In effect, the proxy establishes the connection with the destination behind the firewall and acts on behalf of the client, hiding and protecting individual computers on the network behind the firewall. This creates two