VLAN

Security Concerns of UC Networks

When voice was just voice, it did not pose a security risk to the data network…at least not directly. It could be argued that there is still potential to exploit the voice network for social engineering purposes that result in a compromised data network, but that is a semi-convoluted argument and not really the point of this post.

With VoIP alone, standard best practices suggest keeping the voice VLAN and the data VLAN separate so that a compromise of the voice network would not have any effect on the data network. However, we live in a converged world. Unified communications merges voice and data and requires that they all play nice on the same network. Where does that leave us? That leaves us with some new security concerns to be aware of and guard against.

This post from Nortel’s Voice Security Blog, in conjunction with Sipera Systems Chief Marketing Officer, Eric Winsborrow, provides some additional detail and illustrates some potential scenarios that could exploit a vulnerable VoIP system and lead to a compromise of the UC or data network.

Is VoIP Ready for Mission-Critical Primetime?

For most businesses, VoIP offers a compelling business argument. Merging the voice network with the data network means only implementing one hardware and wiring infrastructure. VoIP systems are easier to administer and maintain that traditional PSTN phones. The list goes on and on.

VoIP is not without its issues though, one of which would be having all of your proverbial eggs in a single basket- the network. Hopefully an enterprise network is relatively stable, but you still have to consider the possibility of a complete network outage and what that does for communications. Certain fields- emergency response, medical care facilities, banking and finance, etc. - can not afford to be without communications even for a minute. A recent ZDNet article addressed some of these concerns.

There is no way to truly guarantee that communications will be available 100% of the time. However, if the weaknesses of the network and the VoIP communications are properly considered and addressed I believe that a very high availability can be achieved. The technologies and level of redundancy required to achieve that availability are costly though and add to the TCO (total cost of ownership) of the VoIP solution and impact the ROI (return on investment), possibly negating many of the VoIP advantages and making the case for VoIP a harder sell.

Regardless of the industry that VoIP is being implemented in, sound network security practices should be followed. For VoIP networks, segmenting VoIP traffic on separate VLAN’s and encrypting voice communications provide additional security. However, enterprises should also consider the potential for a network-wide outage making VoIP unavailable and have a written policy for how to handle critical communications in the event that such a catastrophe occurs.

VoIP Security: Don’t Be Complacent

One of the biggest problems with information security is that it is almost always reactive. The entire antivirus industry is built on a model where new threats are unleashed on the unprotected public first, then the antivirus vendors capture a sample and create a defense for the threat to add to the signatures their antivirus product can detect.

Unfortunately, it is easy to be complacent…until it isn’t. In other words, complacency only works until an attack catches you sleeping and you end up with catastrophic results. Security experts continue to talk about the potential threat of VoIP attacks, but the fact that no credible attack has been perpetrated (or at least reported) leads many to feel like these are just ’sky is falling’ predictions from security vendors with a product to sell.

To some degree that may be true, but VoIP administrators need to be diligent about understanding the potential security risks and strike a balance between paranoid and healthy skepticism. This report from Silicon.com provides a link to various tools capable of attacking a VoIP network which are currently available publicly- highlighting that the threat is real even if the attacks haven’t occurred.

It then goes on to talk about VoIP security. VoIP merges the communications network with the data network, making voice communications subject to the same sorts of threats and compromises that used to affect only data networks. Most of VoIP security rests in sound, best practices for network security. The article focuses on two additional measures though- using VLAN’s to segment VoIP communications and using encryption to ensure that VoIP communications data can not be understood by anyone who might intercept the data packets. 

Configuring VLAN’s

One of the ways to organize your network so that it is easier to manage and protect is to segment it into smaller, interconnected subnets. Using a virtual LAN, or VLAN, you can easily and conveniently set up separate subnets, and connect ports from various switches, or even separate buildings, so that they are a part of the same broadcast domain. You can learn more about the virtues of VLAN’s, as well as how to go about configuring them, by watching the Configuring VLAN’s screencast by David Davis on SearchNetworking.com

Projected Network Infrastructure Spending For 2008

What are your plans for your network infrastructure for 2008? Do you have a holiday wish list or some New Year’s resolutions regarding the technologies you want to implement or the changes you plan to make? TechTarget’s SearchNetworking site conducted a survey of over 1,200 respondents and they have published the results. Some of the key results are:

• 21.28% project an increase in their budget of more than 10%
• 7.26% of respondents said their networking budgets will decrease
• 8.34% claim that VoIP/data convergence is driving their budget increase

Check out Applications, convergence to boost network spending for the complete results. You can read it just out of curiosity, or maybe you can use the survey results to help prove your case to management and get your budget requests approved.

LAN Security: What Hackers Don’t Want You To Know

This blog is titled “Connectivity” because it deals with all aspects and issues of network connectivity. That includes how to ensure your network connectivity is secure and available, and how to make sure that malicious attackers can not intercept or disrupt your network connectivity. Do you know what ARP Poisoning is? How about a multicast storm? Have you heard of Spanning Tree Protocol or VLAN Trunking Protocol hacks? Do you know how to protect your network from them? Networkworld.com recently hosted a chat session with Christopher Paggen and Eric Vyncke, authors of LAN switch security: What hackers know about your switches, which covers a wide range of security issues and the authors’ advice and tips for how to lock your network down and protect against these (and other) threats. Read LAN switch security: what the hackers know that you don’t to see what the authors have to say.