Amid all the excitement surrounding the unification of our communications technologies, the issue of security sometimes gets lost in the shuffle. Maybe some are assuming that the threats are the "same old, same old" that plague those same communications methods in their more stand-alone forms. But it's that and more.
A unified system, while providing more convenience and ease of use, also provides attackers with a larger attack surface that contains multiple points of vulnerability. Just as networked computers are more vulnerable than stand-alone systems, unified communications systems allow for the spread of attacks more readily than do stand-alone communications systems.
Some seem to see UC as little more than "VoIP on steroids," and security has long been an overlooked and/or underplayed concern in VoIP marketing. Let's look at some of the biggest threats facing UC deployments, discuss some of the questions companies should be asking, and learn what steps they should be taking as they move their organizations' communications systems toward unification.
Processing voice, video, and presence services in a unified environment requires sophisticated software running on high-end servers or appliances. By their very nature, these services connect to a variety of networks and run many standardized protocols that knowledgeable attackers can exploit.
UC management and VoIP software
Cisco's Unified Communications Manager (formerly Cisco CallManager) is just one example of this type of product. It handles call processing for up to 60,000 users and supports a broad range of Session Initiation Protocol (SIP) applications.
Last month, Cisco released a security advisory and patch for a heap overflow vulnerability in the Certificate Trust List provider. An unauthenticated remote user could use the vulnerability to execute arbitrary code or create a denial-of-service (DoS) attack in certain versions of the product.
According to the Secunia Web site (which tracks security vulnerabilities in a broad range of products), Microsoft hasn't received any reports of vulnerabilities in its flagship UC product, Office Communications Server 2007 (OCS). However, it's probably only a matter of time.
Meanwhile, Asterisk, the popular open source IP PBX solution, had a total of 15 security vulnerabilities reported in 2007 and one so far in 2008. (Patches are available for all vulnerabilities.)
SIP, the foundation of many UC solutions, is not inherently secure. Its open architecture exposes it to exploits that can result in DoS, eavesdropping, packet spoofing, and replay attacks.
Of course, when it comes to UC, VoIP is only part of the picture. At one time, instant messaging was primarily a problem for home computer users; many businesses banned the use of IM programs.
However, as part of a unified communications strategy, IM has gained legitimacy as a business tool - and found use not only on the desktop but from handheld computers and smart phones as well. And it brings with it many security issues that companies need to address when deploying it in a business environment.
The goal of a unified communications strategy is interoperability. Toward that end, IM programs are becoming standardized and more interoperable with one another. That's more convenient for users, but standardization is also a boon to potential attackers, creating a larger attack surface for them to exploit.
In order to function effectively for business purposes, IM programs have become much more than mere chat vehicles. Most IM clients support file sharing, and many also support audio and video conversations.
That means more protocols to exploit and more avenues through which to pass malicious code. Viruses, Trojans, and worms can pass through the IM network just as easily as through e-mail and malicious Web sites.
E-mail poses several security issues. In addition to the possibility of interception and divulgence of the message content, we have to worry about attachments containing viruses, Trojans, or other malicious code, HTML mail with embedded active content, links to malicious Web sites, and more. With unified communications, e-mail messages may also contain attachments that contain our voice mail messages or faxes, making these vulnerable to interception as well.
UC security solutions
First and foremost, it's essential to keep all software involved in the UC solution updated. This includes the UC management software, various components of the UC solution — including the clients — and the underlying operating systems.
Encryption is another important step in securing communications; even if someone intercepts the communications data, encryption makes sure the content of messages remains secure. E-mail, IM, and voice communications can all use encryption, and you can encrypt VoIP transmissions with Secure RTP.
Configure SIP proxies and gateways to prevent flooding with inauthentic packets. In addition, you can use HTTP Digest authentication with many SIP-enabled phones to authenticate messages and ensure no one has tampered with them in transit. SIP can use CSeq and Call-ID headers to encrypt and sequence messages to prevent replay attacks.
IM management software such as QED Connect's IM Manager can log and archive instant messages for security and regulatory compliance, it can monitor for keywords that might signal a security breach, and it can alert administrators if it detects those words or phrases in instant messages.
Secure MIME (S/MIME) is a standardized solution for encrypting e-mail, supported by popular e-mail client software such as Outlook. You can also use other third-party encryption solutions such as PGP. Unified communications certificates, such as those issued by Entrust, can enhance e-mail security and enable mechanisms such as SMTP over TLS in Exchange 2007.
Unified communications presents new opportunities for organizations, making it easier to stay in touch with coworkers, customers, vendors, and other essential business colleagues. Unfortunately, this convenience and integration also present new opportunities for attackers, providing them with additional points of attack and the ability to spread those attackers further.
In their enthusiasm and eagerness to reap the benefits of UC, some companies aren't stopping to consider the security ramifications of a new UC deployment. Awareness of the threats and a plan for addressing them can make the difference between a successful transition to UC — and one that creates more problems than it solves.
Want to stay on top of emerging trends in the convergence of e-mail, VoIP, IM, and video conferencing systems? Automatically sign up for our free Unified Communications newsletter, delivered each Monday!
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.