Encryption

Is VoIP Ready for Mission-Critical Primetime?

For most businesses, VoIP offers a compelling business argument. Merging the voice network with the data network means only implementing one hardware and wiring infrastructure. VoIP systems are easier to administer and maintain that traditional PSTN phones. The list goes on and on.

VoIP is not without its issues though, one of which would be having all of your proverbial eggs in a single basket- the network. Hopefully an enterprise network is relatively stable, but you still have to consider the possibility of a complete network outage and what that does for communications. Certain fields- emergency response, medical care facilities, banking and finance, etc. - can not afford to be without communications even for a minute. A recent ZDNet article addressed some of these concerns.

There is no way to truly guarantee that communications will be available 100% of the time. However, if the weaknesses of the network and the VoIP communications are properly considered and addressed I believe that a very high availability can be achieved. The technologies and level of redundancy required to achieve that availability are costly though and add to the TCO (total cost of ownership) of the VoIP solution and impact the ROI (return on investment), possibly negating many of the VoIP advantages and making the case for VoIP a harder sell.

Regardless of the industry that VoIP is being implemented in, sound network security practices should be followed. For VoIP networks, segmenting VoIP traffic on separate VLAN’s and encrypting voice communications provide additional security. However, enterprises should also consider the potential for a network-wide outage making VoIP unavailable and have a written policy for how to handle critical communications in the event that such a catastrophe occurs.

VoIP Security: Don’t Be Complacent

One of the biggest problems with information security is that it is almost always reactive. The entire antivirus industry is built on a model where new threats are unleashed on the unprotected public first, then the antivirus vendors capture a sample and create a defense for the threat to add to the signatures their antivirus product can detect.

Unfortunately, it is easy to be complacent…until it isn’t. In other words, complacency only works until an attack catches you sleeping and you end up with catastrophic results. Security experts continue to talk about the potential threat of VoIP attacks, but the fact that no credible attack has been perpetrated (or at least reported) leads many to feel like these are just ’sky is falling’ predictions from security vendors with a product to sell.

To some degree that may be true, but VoIP administrators need to be diligent about understanding the potential security risks and strike a balance between paranoid and healthy skepticism. This report from Silicon.com provides a link to various tools capable of attacking a VoIP network which are currently available publicly- highlighting that the threat is real even if the attacks haven’t occurred.

It then goes on to talk about VoIP security. VoIP merges the communications network with the data network, making voice communications subject to the same sorts of threats and compromises that used to affect only data networks. Most of VoIP security rests in sound, best practices for network security. The article focuses on two additional measures though- using VLAN’s to segment VoIP communications and using encryption to ensure that VoIP communications data can not be understood by anyone who might intercept the data packets. 

Is Endpoint Security Replacing Network Security?

There have been rumors for some time that the network perimeter is dead. More users are relying on laptop computers connected over wireless networks, or via VPN from a hotel or coffee shop. Users have mobile phones that connect to network resources, and various methods of portable data storage- USB flash drives, mobile phones, digital cameras, MP3 players. If anyone can connect from anywhere and data is coming and going, it becomes virtually impossible to say what is ‘inside’ the network perimeter, and what is ‘outside’ the network perimeter. If all of that is true, should network security even be an issue? Why not declare a time of death, focus on endpoint security solutions and forget about the network? Read The Future of Network Security at Computerworld for a deeper look at this issue, as well as why the rumors of the death of network security might be exaggerated.

Cisco and EMC Encrypt SANs

Beth Pariseau, a News Writer for SearchStorage.com, reports that Cisco and EMC have agreed to partner on encrypting SAN data, and that the two companies “announced that Cisco’s encryption keys will be compatible with EMC’s RSA Key Manager, though Cisco also plans to offer its own key management application.” For complete details of the partnership and the products that are affected or being introduced to facilitate the SAN encryption, read Beth’s article: Cisco, EMC partner on SAN encryption.