Information Security News: How to keep your VoIP net safe

[InfoSec News <alerts () infosecnews org>]

http://www.computerweekly.com/Articles/2006/10/27/219441/How+to+keep+your+VoIP+net+safe.htm

By Boris Sedacca
27 October 2006

One of the major challenges in implementing a converged network is 
having a coherent security policy for the management and control of a 
system that is carrying voice, video and data.

Standards such as BS7799, the British Standard for information security 
management, and its international counterpart, ISO 27001, provide 
auseful checklist. BS7799 is a mature standard, having first been 
published in 1995, and it has recently had its third major revision. 
However, it is virtually useless without practical, prior knowledge of 
implementing network security.

Companies providing security management software include Cisco, 3Com, 
Avaya, Mitel, Siemens, Nortel and Microsoft, among others.

The challenge in securing a network that will allow businesses to 
collaborate is what led a group of IT security heads to form the Jericho 
Forum user group. This international circle of IT users and suppliers is 
focused on the development of open standards to enable secure and 
boundaryless information flows across organisations.

At Dresdner Kleinwort Bank in London - one of the Jericho Forum's 
members - the demand for converged networks is driven by cost reduction. 
Andrew Yeomans, the bank's vice-president for global information 
security, said, "Voice over IP services such as Skype offer obvious cost 
savings relative to mobile phone bills, particularly with respect to 
international roaming costs."

Once people start making free calls, the tariff structure for mobile 
phones will change. Yeomans predicted that over the next couple of years 
many telcos will move to a flat-rate charging structure. "There are some 
security issues and because we are a financial services provider, we 
have compliance regulations. One particular requirement is that all 
voice communication transactions by traders have to be recorded," he 
said.

"With normal VoIP communications, once you have set up the call, the 
communication is on a peer-to-peer link and there is no central service 
handling it. That means that you have to fiddle around with it to get 
the voice logging to take place.

"On the business continuity side, if everything is going onto the same 
network, we need some sort of back-up because, at the moment, if the 
data network goes down, you can still rely on the voice network, or vice 
versa."

Yeomans said mobile networks provide a certain element of business 
continuity. "We build in dual-redundancy in our networks." In the case 
of a disaster where a move to another site is required, it is quite 
difficult to cable up a new analogue voice network, but with a data 
network it is quite feasible to redirect all the calls over IP, Yeomans 
said.

However, wireless networking implies many security issues. Clearly the 
signals can be eavesdropped and jammed, Yeomans said. At Dresdner 
Kleinwort, there is some wireless networking but it is not used as part 
of its main converged network.

The bank moved to a single London office housing about 3,000 people, so 
has not had to face the same types of security problems as some of the 
larger financial services providers that run out of a number of offices.

As a result, Dresdner Kleinwort can switch the voice and multimedia 
services over fibre lines.

One problem of moving over entirely to a converged network is 
interoperability - whereas there are secure protocols available for 
convergent network technology, they are not open, and there are open 
protocols that are not secure.

For its internal network, Dresdner Kleinwort has gone for a Cisco 
proprietary set-up because it meets the needs of the business. The 
network can also expand to allow more business communications to come in 
from outside, providing VoIP over the internet rather than over the 
telephone network.

It is a challenge to design for security and interoperability. Yeomans 
said, "If you try to use a converged network over an existing one, you 
may come up against quality of service problems.

"You do not want your voice link to drop out if you are doing a large 
file transfer, for example. You have to find ways to segregate the 
traffic and to control the quality of the traffic at the network level."

But locking down the converged network to maintain high security is not 
always practical. Chris Whitwood, network manager at University College 
Falmouth, said, "We have been running a converged network for a number 
of years, and this has introduced some security nightmares."

The college began implementing voice across the network more than three 
years ago and started testing a year before that, so it was well versed 
in the kind of problems it could face.

"The first thing we did was to completely isolate the voice virtual Lan 
from the data virtual Lan, and to ensure that all our telephony devices 
were on the internal network only and could not be reached from the 
outside," said Whitwood.

The same applied to its call manager system. However, he realised the 
college would need to make the call manager visible from the outside, 
albeit in a protected manner.

"Users were requesting the ability to change their speed dials, call 
forwarding, and so on, when they were working from home. That meant 
setting up the virtual private network connections so that users could 
connect into the call managers through Cisco's Unified Personal 
Communicator software running on PCs," Whitwood said.

The college chose a proprietary converged network with Cisco, complete 
with security technology. "Being a Cisco proprietary solutions house 
gives us security and confidence, particularly when using a VPN 
concentrator," he said. "There are alternatives, but we took the view 
that if we do have security issues, there is only one supplier to go 
back to. Although cost is an issue, our primary concern is service."

Although Whitwood configured the network to support the college's own 
converged applications, it is clear that IT managers must also support 
applications that may not necessarily be part of corporate IT, such as 
Skype.

One of the problems with Skype, according to Dave Neild, network 
development service leader at the University of Leeds, is super node 
activity. If there is sufficient bandwidth available on a network, Skype 
may promote an unwitting user client to a super node, and that allows 
other traffic to go via the super node.

"Because we have quite a large number of overseas students, we do know 
that Skype is a popular application, so we would not wish to stop its 
use, but we may want to stop super node activity," said Neild.

Leeds is one of the largest universities in the UK. Of its 32,000 
students, 7,000 live in 18 network-connected halls of residence on and 
off campus. The halls link via 100mbps leased lines to Leeds' main 
campus network, which is based on Cisco Gigabit systems. The university 
previously relied exclusively on firewalls and anti-virus programs that 
were distributed to students.

But students did not install the anti-virus software, enabling worms and 
viruses to sneak into the network. System technicians would manually 
cleanse the systems and update their anti-virus software, a laborious 
and expensive process.

Bandwidth consumption was also a problem. Some students were downloading 
films and music illegally via file-sharing applications, prompting film 
companies to forward legal notices to the university that its students 
were breaking the law.

To tackle these issues, it selected TippingPoint to protect routers, 
switches, VoIP systems and other infrastructure components from targeted 
attacks.

Neild said, "TippingPoint systems control traffic by blocking or 
throttling unwanted file sharing." He pointed out that the product also 
stopped the attacks and all but eliminated the file downloads without 
affecting network performance.

"We can even monitor students who try to use VPNs for their downloads," 
he said. "By blocking peer-to-peer file sharing, the university stopped 
notices it receives from copyright holders. Administrators no longer 
have to bother with shutting down students' network ports to prevent 
improper downloads or contain viruses and worms to the residence halls.

"Moreover, by blocking illegal student downloads, the TippingPoint 
solution reduced bandwidth usage, in effect doubling the amount of 
bandwidth available to students for legitimate academic pursuits," said 
Neild.

What is clear is that converged network security needs to tackle both 
voice and data and whether data is copyrighted. Scott Nursten, founder 
of S2S, a security specialist and Cisco silver partner, believes that 
with more voice and video on the network, there will be more 
opportunities for industrial espionage and for leakage of confidential 
information.

"We are on the brink of seeing the next wave of attacks because people 
are not even looking at the risk of convergence," he said.

Many suppliers are bundling everything into one device on the edge of 
the network, which serves as a wide area network router, firewall, VPN 
termination point and voice router. However, as Nursten pointed out, it 
is quite easy to deploy these systems in the wrong way but still have 
them work.

* www.opengroup.org/jericho
* www.17799.com
* www.bsi-global.com/ICT/Security


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org