How Secure Is Your Unified Communications?

With most corporate currently in the process of readying unified communication(UC) services for mass deployment, it’s clear that UC is finally headed for prime time. However, the promise of mass UC consumption also increases the risk of widespread security violations, spawning a new sense of urgency to fill in potential security gaps now before hackers wreak havoc on corporate voice networks.

When voice and video converged on the data network, the fundamental principle of security for data network does not change. Layered security may not be the panacea for all security woes , but it is the foundation of all security principles.  With a UC installation, security measures will rely partially on existing IP security measures such as firewalls, while also deploying new measures specific to UC, such as SIP proxy or signal protocol encryption.

UC Awareness Firewall

In an IP security design, firewalls separate a trusted zone in which critical data might reside from the untrusted rest of the world.  Adding VoIP to the IP network requires that the firewall is “VoIP aware”. Because, VoIP protocols require two or more users to communicate through each other’s dynamically assigned media ports.  Although the signaling protocol uses known ports but media protocols use a range of ports that are negotiated during the call setup.  This can cause problems through the traditional firewall because the security team cannot open a specific port for all media traffic nor is it wise to open a range of ports for the media traffic.

Application Layer Gateway

Application Layer Gateway(ALG) are used in conjunction with traditional firewall though most of the major firewall vendors have embedded the ALG function  into their new range of firewall.  ALG review the VoIP signaling protocol for the agreed on port numbers and adding them into the firewall rules.  When the call ends, the ALG then removes the firewall rule from the firewall to stop any chance that the hole will be exploited.

ALG also come handy when the enterprise uses RFC1918 space in their internal network.  Unlike IP protocol where a traditional firewall does the network address translation and replace the IP header with a public internet address. This  does not work with UC services because they depend on the end user’s IP address to setup and send media stream.

ALG mediates this by rereading the VoIP signaling messages, rewriting the IP’s designated the user in RFC 1918 address space from the NAT IP. Thus, ALG is mandatory for all VoIP and UC deployment.

User Registration

Many VoIP services allow caller and recipient to register with an authoritative device before a call or UC applications setup and used. These can be a H323 gatekeeper or SIP proxy devices, but both to verify the user’s claimed identity before a UC applications allow possible critical data to flow to that user.  User registration can rely on existing authentication and authorization mechanisms to unify and streamline the process.

Encryption

Some enterprises who handles sensitive and critical information see the need to enable encryption on their UC deployment.   Typically, all IP ,soft phones and media gateways should support both signaling and media encryptions solution based on SSL or TLS.  Although there is a debate on the tradeoffs between performance and security of the VoIP networks, usually the drivers for encryption are protection sensitive information and compliance requirement.

Session Border Controllers

Some enterprise networks deploy a UC within the DMZ handles both signaling  and media control for all UC sessions that leave the enterprise network. These devices are called session border controllers(SBC).  SBC acts as a protocol middleman, allow different VoIP protocols to accept and setup calls between each other, e,g H323 to SIP and vice versa. SBC is also has the ability to inspect signaling and media packets for malicious use. This can help reduce the chances that a protocol vulnerability is abused or that a malicious application is sent over the media stream.

Conclusion

Deploying a UC network requires a great deal of preparation.  Addition to the complete review of the protocols and equipment should be completed before any device or application is deployed. Augment this with a layered security model that I spoke earlier,  the enterprise can feel confident in the trust level of the information crossing the network.  Network attacks and UC vulnerabilities are ever bombarding your network, thus, keeping vigilant and constant review of the security posture of your UC network is a mandatory exercise.