When voice was just voice, it did not pose a security risk to the data network…at least not directly. It could be argued that there is still potential to exploit the voice network for social engineering purposes that result in a compromised data network, but that is a semi-convoluted argument and not really the point of this post.
With VoIP alone, standard best practices suggest keeping the voice VLAN and the data VLAN separate so that a compromise of the voice network would not have any effect on the data network. However, we live in a converged world. Unified communications merges voice and data and requires that they all play nice on the same network. Where does that leave us? That leaves us with some new security concerns to be aware of and guard against.
This post from Nortel’s Voice Security Blog, in conjunction with Sipera Systems Chief Marketing Officer, Eric Winsborrow, provides some additional detail and illustrates some potential scenarios that could exploit a vulnerable VoIP system and lead to a compromise of the UC or data network.
If you have ever used a corporate phone system, you are probably familiar with the concept of dialing '9' to get an outside line. That allows employees to simply dial extensions to communicate internally, but still use the normal plain old telephone system for placing calls outside of the company. Typically you dial '9', which results in a second dial tone, and then you can dial the phone number like usual.
One of the most low-tech forms of attack on a voice system is for an outside caller to ask to be transferred to extension '9011'. The '9' initiates the outside line dial tone, and the '011' is the code to initiate an international direct dial phone call. Transferring a caller to extension '9011' enables that caller to place international phone calls that end up being charged to the company because they originate from your phone system. It doesn't happen often, but it is low-tech enough that it still happens on occasion. Make sure your users, particularly receptionists or customer service representatives that answer incoming calls frequently, are aware of this toll fraud scam and are educated to never transfer anyone to extension '9011'.
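User education is the first line of defense against the '9011' scam, but the call detail records (CDRs) from the phone system give you a second one: any transfer that hands a non-internal caller the outside-line prefix followed by the international prefix is worth a look. The script below is an added example, not part of the original post. It assumes a North American dial plan ('9' for an outside line, '011' for international, four-digit internal extensions) and a simple CSV CDR layout; the sample rows are constructed.

```python
"""Detect the '9011' transfer toll-fraud pattern in call detail records.

Added example, not from the original post. It assumes a North American dial
plan in which '9' seizes an outside line, '011' starts an international call
and internal extensions are four digits; the CDR column layout is also an
assumption, and the sample rows below are constructed.
"""
import csv
from collections import Counter
from io import StringIO

OUTSIDE_LINE_PREFIX = "9"   # assumed: dial 9 for an outside line
INTL_PREFIX = "011"         # assumed: international direct-dial code
INTERNAL_EXT_LEN = 4        # assumed: internal extensions are 4 digits


def classify_target(target: str) -> str:
    """Classify a dialed string the way the PBX dial plan would route it.

    The international check runs first on purpose: '9011' is four digits, so a
    naive 'four digits means internal extension' rule would miss the scam.
    """
    digits = "".join(ch for ch in target if ch.isdigit())
    if not digits:
        return "empty"
    if digits.startswith(OUTSIDE_LINE_PREFIX + INTL_PREFIX):
        return "international"
    if digits.startswith(OUTSIDE_LINE_PREFIX) and len(digits) > INTERNAL_EXT_LEN:
        return "outside"
    if len(digits) == INTERNAL_EXT_LEN:
        return "internal"
    return "unknown"


# Constructed CDR sample: one row per completed transfer.
SAMPLE_CDR = """timestamp,caller,transferred_by,target,duration_s
2008-11-03T09:12:04,+15550100,1001,1042,311
2008-11-03T09:15:31,+15550199,1001,9011442071234567,1450
2008-11-03T09:40:12,+15550123,1002,9011,2
2008-11-03T10:02:50,+15550177,1002,95551234567,120
2008-11-03T10:30:00,+15550199,1003,9011612012345678,2200
2008-11-03T11:05:17,1007,1003,9011331234567890,600
"""


def find_transfer_toll_fraud(cdr_text: str) -> list:
    """Return transfers in which a caller who is not an internal extension was
    handed the outside line plus the international prefix."""
    hits = []
    for row in csv.DictReader(StringIO(cdr_text)):
        caller_is_internal = classify_target(row["caller"]) == "internal"
        if not caller_is_internal and classify_target(row["target"]) == "international":
            hits.append(row)
    return hits


def transfers_by_operator(hits: list) -> Counter:
    """Count flagged transfers per transferring extension, to target awareness training."""
    return Counter(row["transferred_by"] for row in hits)


if __name__ == "__main__":
    flagged = find_transfer_toll_fraud(SAMPLE_CDR)
    for row in flagged:
        print(f"{row['timestamp']} ext {row['transferred_by']} transferred "
              f"{row['caller']} to {row['target']} ({row['duration_s']}s)")
    print("per operator:", dict(transfers_by_operator(flagged)))
```

The last sample row (an internal extension dialing an international number itself) is deliberately not flagged: that is an ordinary dial-plan policy question, whereas the transfer of an outside caller to '9011' is the specific scam the post describes. Run the check over exported CDRs on a schedule and feed the per-operator counts back into training.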
According to a recent Gartner Magic Quadrant report for Unified Communications, Microsoft, Cisco, and Nortel are the industry leaders in terms of both innovation and the ability to actually deliver that innovation to customers. Nortel and Microsoft have an intimate partnership through their ICA (Innovative Communications Alliance) relationship with Microsoft, and they work very closely together to ensure seamless interoperability of their unified communications products.
Cisco is another story. At one point Microsoft and Cisco made a very public showing of burying the proverbial hatchet and vowing to cooperate in the best interests of corporate customers and unified communications in general. That cooperation lasted right up until they started rolling out products at which time the mud-slinging began. Each declared their approach and solution superior and slammed the other.
Whether they want to admit it or not though, they are sort of forced to play nicely together (sort of like the nerd and the playground bully while the teacher is actually monitoring recess activities). Cisco is a dominant player in network infrastructure and VoIP communications. Microsoft has a virtual monopoly on the PC desktop and a significant share of the enterprise server market. There is a high probability that a prospective customer is already using Cisco networking in conjunction with their Microsoft Windows network, so that prospective customer may very well wish to continue that balance as they move forward into unified communications.
Thankfully for the prospective customer, Cisco Unified Communications Manager (CUCM) does integrate with the Microsoft Office Communications Server environment. It isn’t always pretty, but it works. Mike Stacy, a Director with Evangelyze Communications, provides an illustrated step-by-step guide to configuring direct SIP connectivity between the Cisco and Microsoft communications products.
Recently at VoiceCon, Evangelyze Communications announced their SmartVoIP solution, which enables customers to bridge Microsoft Office Communications Server and Microsoft's small and medium business phone system, Response Point, to deliver unified communications to remote or branch office locations. Following on the heels of that release, Evangelyze Communications is also offering SmartChat.
Mike Stacy, a Director with Evangelyze Communications, explains in his blog what separates SmartChat from other live chat type applets found on web sites. “In addition to simple chat, SmartChat has capabilities for reporting on the browser history (“I see you were looking at sweaters on our website”), enabling co-browsing (automatically navigating the web visitor’s browser), integrating with Microsoft CRM, and adding audio/video or desktop sharing to the conversation. Best of all, you don’t need any additional software on either side of the conversation. Flash is required for audio/video, but most people on the web already have this anyway.”
In Stacy’s blog, he also mentions that Microsoft is conducting a case study based on SmartChat and the ability to tap into the Microsoft Office Communications Server in new and innovative ways that extend its unified communications capabilities.
While it is possible to build a Microsoft unified communications infrastructure using only private certificates generated internally, it greatly handicaps the effectiveness of the UC environment. In order to communicate with devices connected outside of the network (including laptops of employees in hotels or coffee shops, or mobile phones), as well as to connect with vendors, customers, or partners, a certificate from a trusted third-party CA is necessary.
Certificates are sold with expiration dates and must be renewed, which adds some administrative overhead. Someone has to track and monitor certificate expirations and make sure new certificates are purchased so that the unified communications network does not experience an interruption as a result of an expired certificate. Comodo has rolled out a new offering with a 3-year expiration that is also tailored to deliver security benefits specific to the Microsoft Unified Communications environment.
According to this article, Comodo’s Microsoft UC certificates “enable administrative flexibility to secure client-server and server-server communications while supporting multiple Exchange and Office Communications 2007 services (e.g. Outlook Web Access, SMTP-TLS, Auto-Discovery, ActiveSync and Outlook Anywhere) – all with a single UC Certificate.”
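Tracking expirations by hand is where outages come from, and a UC certificate that covers several services with one SAN list adds a second failure mode: renewing a certificate but dropping a name. The script below is an added example, not from the original post or from Comodo. The hostnames, dates, the 90-day renewal lead time and the mapping from the services named above to DNS names are all assumptions, and the inventory is constructed.

```python
"""Track UC certificate expirations and check that every service name the
environment needs is still covered by a valid certificate.

Added example, not from the original post or from Comodo. The hostnames,
dates, 90-day renewal lead time and the mapping from services to DNS names
are assumptions; the inventory below is constructed.
"""
from datetime import date

RENEWAL_LEAD_DAYS = 90  # assumed: start renewal 90 days before expiry

# Constructed inventory of certificates deployed in the UC environment.
INVENTORY = [
    {"name": "exchange-uc-cert", "not_after": date(2009, 1, 15),
     "sans": ["mail.example.com", "autodiscover.example.com"]},
    {"name": "ocs-edge-cert", "not_after": date(2011, 6, 30),
     "sans": ["sip.example.com", "*.edge.example.com"]},
]

# Services named in the post, mapped to the names clients will validate (assumed).
REQUIRED_NAMES = {
    "Outlook Web Access": "mail.example.com",
    "Auto-Discovery": "autodiscover.example.com",
    "SIP access edge": "sip.example.com",
    "Web conferencing edge": "webconf.edge.example.com",
    "A/V edge": "av.edge.example.com",
}


def name_matches(pattern: str, host: str) -> bool:
    """X.509-style name match: a wildcard covers exactly one leftmost label."""
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


def cert_status(cert: dict, today: date) -> str:
    """'expired', 'renew' (inside the lead window) or 'ok'."""
    remaining = (cert["not_after"] - today).days
    if remaining < 0:
        return "expired"
    if remaining <= RENEWAL_LEAD_DAYS:
        return "renew"
    return "ok"


def renewal_report(inventory: list, today: date) -> dict:
    """Map each certificate name to its status as of `today`."""
    return {c["name"]: cert_status(c, today) for c in inventory}


def uncovered_services(inventory: list, today: date) -> dict:
    """Services whose name is not on any certificate that is still valid today.

    An expired certificate is treated as absent: clients reject it, so the
    service is effectively down even though the file is still installed.
    """
    valid_patterns = [san for c in inventory if cert_status(c, today) != "expired"
                      for san in c["sans"]]
    return {svc: host for svc, host in REQUIRED_NAMES.items()
            if not any(name_matches(p, host) for p in valid_patterns)}


if __name__ == "__main__":
    for today in (date(2008, 11, 3), date(2009, 2, 1)):
        print(today, renewal_report(INVENTORY, today))
        print("  uncovered:", uncovered_services(INVENTORY, today))
```

Run it from a scheduled job against the real inventory (the `not_after` and SAN values can be pulled from the installed certificates) and alert on anything other than `ok` with an empty uncovered list; the second date in the usage block shows the failure you are trying to catch, where one expired certificate silently takes two services with it.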
Sipera Viper Labs has developed a new VoIP security tool called UCSniff. UCSniff monitors VoIP communications and identifies weaknesses or holes in VoIP security which could potentially be exploited by an attacker. As this Dark Reading article points out, the tool will not identify whether an attack has occurred, or if there are any active exploits. It is a penetration testing and vulnerability scanning tool which will help VoIP and security administrators proactively scan their VoIP networks to verify integrity or identify areas that need to be secured.
VoIPshield, a VoIP security solutions company based in Ottawa, Canada, recently discovered vulnerabilities affecting the RTP (Real-time Transport Protocol), a standard data format used for delivery of audio and instant messaging packets over the Internet. The affected products are Microsoft Office Communications Server 2007, Microsoft Office Communicator, and Microsoft Windows Live Messenger.
This excerpt from the VoIPshield press release explains the issue further: “Most of the attention in enterprise VoIP/UC security has been paid to the control channel, where SIP and other signalling protocols are used,” said Ken Kousky, CEO of security research and analysis firm IP3 and advisor to the VoIP Lab at Illinois Institute of Technology. “Until now, the media stream has been largely ignored by the security community as a source of malicious activity. But attacks from these vectors have the potential to be dangerously persistent and widespread.”
There are an estimated 250 million computers running at least one of these applications. If exploited, the discovered vulnerabilities could result in a DoS (denial-of-service) attack that impacts not just the affected application, but the entire computer system. VoIPshield’s research and disclosure are specific to the Microsoft products mentioned, but they note that these same protocols are used elsewhere and that other VoIP and communications applications are likely impacted by similar vulnerabilities in the media delivery channel.
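The common thread in media-channel bugs is a receiver that trusts length fields inside the packet. The parser below is an added example, not from the original post or from VoIPshield, and it does not reproduce any specific flaw they reported; it shows what a defensive RTP (RFC 3550) receiver checks before touching the payload, so that a malformed packet is dropped rather than taking the application down. The sample packets are constructed.

```python
"""Defensive RTP (RFC 3550) header parser: validate every length-bearing
field before trusting it, and drop malformed packets instead of crashing.

Added example, not from the original post or from VoIPshield, and it does not
reproduce any specific vulnerability they found. The sample packets below are
constructed.
"""
import struct

FIXED_HEADER_LEN = 12


class MalformedRTP(ValueError):
    """Raised for packets whose declared lengths do not fit the bytes received."""


def parse_rtp(packet: bytes) -> dict:
    """Parse one RTP packet, checking each variable-length part against the buffer."""
    if len(packet) < FIXED_HEADER_LEN:
        raise MalformedRTP("shorter than the 12-byte fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:FIXED_HEADER_LEN])
    version = b0 >> 6
    if version != 2:
        raise MalformedRTP(f"unsupported RTP version {version}")
    has_padding = bool(b0 & 0x20)
    has_extension = bool(b0 & 0x10)
    csrc_count = b0 & 0x0F
    offset = FIXED_HEADER_LEN

    # CSRC list: the 4-bit count comes from the sender, so check it against the buffer.
    csrc_bytes = 4 * csrc_count
    if len(packet) < offset + csrc_bytes:
        raise MalformedRTP("CSRC count exceeds packet length")
    csrcs = list(struct.unpack(f"!{csrc_count}I", packet[offset:offset + csrc_bytes]))
    offset += csrc_bytes

    # Header extension: 16-bit profile, 16-bit length in 32-bit words, then data.
    ext_profile, ext_data = None, b""
    if has_extension:
        if len(packet) < offset + 4:
            raise MalformedRTP("extension flag set but extension header missing")
        ext_profile, ext_words = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        if len(packet) < offset + 4 * ext_words:
            raise MalformedRTP("extension length exceeds packet length")
        ext_data = packet[offset:offset + 4 * ext_words]
        offset += 4 * ext_words

    # Padding: the last octet holds the pad count, which must fit in what is left.
    payload = packet[offset:]
    if has_padding:
        if not payload:
            raise MalformedRTP("padding flag set but no padding octet")
        pad_len = payload[-1]
        if pad_len == 0 or pad_len > len(payload):
            raise MalformedRTP("padding length exceeds remaining bytes")
        payload = payload[:-pad_len]

    return {"version": version, "marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F,
            "sequence": seq, "timestamp": ts, "ssrc": ssrc, "csrcs": csrcs,
            "extension_profile": ext_profile, "extension": ext_data, "payload": payload}


def _header(flags: int, pt: int = 0, seq: int = 1, ts: int = 160, ssrc: int = 0x1234) -> bytes:
    """Build a 12-byte fixed header for the constructed samples."""
    return struct.pack("!BBHII", flags, pt, seq, ts, ssrc)


# Constructed packets: one well-formed, one with padding, and three whose
# length fields claim more data than was received.
SAMPLE_PACKETS = {
    "pcmu_ok": _header(0x80) + b"\x00" * 8,
    "padded_ok": _header(0xA0) + b"\x01\x02\x00\x03",            # 3 padding octets
    "truncated": _header(0x80)[:10],
    "csrc_overrun": _header(0x8F) + b"\x00" * 8,                # claims 15 CSRCs
    "ext_overrun": _header(0x90) + struct.pack("!HH", 0xBEDE, 0xFFFF),
}


def triage(packets: dict) -> tuple:
    """Split packets into accepted ones and (name, reason) pairs for rejected ones."""
    accepted, rejected = {}, []
    for name, raw in packets.items():
        try:
            accepted[name] = parse_rtp(raw)
        except MalformedRTP as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_PACKETS)
    for name, info in ok.items():
        print(f"accepted {name}: pt={info['payload_type']} payload={info['payload']!r}")
    for name, reason in bad:
        print(f"rejected {name}: {reason}")
```

Each check compares a sender-supplied count (CSRC count, extension length, padding octet) against the bytes actually received before indexing into them; that is the whole discipline, and the rejection reasons are what you would want counted per source in a media gateway's logs.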
Many companies are exploring and implementing unified communications. One problem that has faced certain industries though is how to deal with scattered branch offices. Industries like banking, insurance, investing, real estate, and more often have a central headquarters, and several remote branch locations. With no way to bridge the unified communications solution from the headquarters to the branch, the branch offices generally fend for themselves and implement separate communications systems. That leads to a variety of issues related to administration, compliance, costs, etc.
Now there is a simple, cost-effective solution. At VoiceCon 2008 in San Francisco this week, Evangelyze Communications unveiled their new offering, SmartVoIP. Joe Schurman, Founder and CEO of Evangelyze Communications, introduced the solution, which integrates Microsoft's Response Point communications system for small and medium businesses with the more robust Office Communications Server and enterprise class unified communications.
“We are incredibly proud of this achievement and the opportunity that this solution brings to organizations with remote and branch office communications needs. Through the power of VoIP and using our joint collaborative integration service, we are now able to connect offices globally in a scalable manner, leveraging our innovative services and Quintum’s breadth of scalable gateway devices. As a Microsoft Gold Certified Partner who has achieved the Unified Communications competency Voice specialization, our customers are assured they are hiring a qualified vendor to deploy Microsoft’s latest unified communications voice technologies,” said Schurman.
What’s better than purchasing, deploying, configuring, administering and maintaining the various hardware and software components of a complete unified communications solution? Well, when I put it like that, what isn’t better?? It sounds like a lot of effort and not much fun. The return is good though assuming that users are provided with the knowledge and skills to realize the improved efficiency and productivity possible…but I digress.
What’s better than doing it all yourself? Letting someone else do it. For certain applications and for certain types of organizations, software-as-a-service (SaaS) makes tremendous sense. The SaaS vendor takes on the hardware expense. The SaaS vendor manages deployment, configuration, administration and maintenance. The expert administrator is paid by the SaaS vendor. The SaaS vendor stays on top of cutting edge technology and ensures that the solution is patched and updated as needed. All you have to do is pay the SaaS vendor and enjoy using your unified communications tools.
Unified Communications is a booming business. But, so is SaaS. According to an article on TMCNet regarding the market for UC via SaaS, “the Radicati Group predicts that yearly sales will rise from today’s $6.9 billion dollars up to $28.7 billion dollars.” If that estimate is correct, companies that provide unified communications solutions should explore delivering via the SaaS model, and companies looking to invest in unified communications might want to take a hard look at the SaaS option.
If you are going to build an 'all-in-one' security appliance, you also need to adapt with the times and add functionality to keep up with new attacks and technologies. Otherwise, organizations will end up with a UTM (unified threat management) solution plus a menagerie of one-off solutions that undermine the purpose of having UTM protection in the first place.
WatchGuard is keeping up with the pace of technology, evolving their UTM appliance into an XTM (extensible threat management) appliance. In addition to standard enterprise security measures such as deep packet inspection (DPI) firewalls, spam blocking, URL and content filtering, anti-virus protection and intrusion prevention and detection systems (IPS/IDS), WatchGuard’s XTM 1050 includes protection for VoIP networks and VoIP communications.
According to their press release “WatchGuard recognizes that as more enterprise and mid-market businesses adopt VoIP, they open themselves to a new series of VoIP protocol exploits. By utilizing a host of high security technologies, including network address translation, port obfuscation, and SIP and H.323 proxies, the WatchGuard XTM 1050 becomes an ideal security appliance to thwart would-be attackers of VoIP and network systems.” You can read more about the XTM 1050 and the evolution of UTM security in this ITBusinessEdge article.