A top concern is eavesdropping, or the unauthorized interception of VoIP, IM or other traffic. UC endpoints, whether desktops, laptops, or IP phones -- not really phones but rather computers with specialized user interfaces -- all connect to the data network, and can be tapped by compromising the network anywhere along the data route. Moreover, it has become possible with hard phones or softphones, once they are compromised, to have their conferencing or handset/headset microphones activated without being taken off the hook. This enables remote eavesdropping on private conversations taking place in person, and often behind closed doors. Performing such compromises may not be easy, but the changing nature of security attacks -- from amateur to professional, from general to targeted -- means that these techniques will be developed and available to anyone for a price.
Vishing, the VoIP-enabled form of phishing, is a third category of security concern around unified communications. Applying the basic techniques of phishing to a new toolset, vishers use spoofed Caller ID or other call information to suggest that they are calling in an official capacity from corporate or vendor IT support, or a government agency, etc., in order to get recipients to reveal confidential information over the phone.
Denial of service is an attack method that has new and specific applications in the unified communications world. While it was virtually unknown in traditional telephony, today's attackers, with armies of compromised zombie PCs at their disposal, can aim to disrupt the communications infrastructure at the desktop level by swamping or crashing phones, or at the gateway level by taking out the network nodes that interface an enterprise VoIP installation with the outside world. They can also attack call managers directly by using SIP or other protocols to crash the manager with an endless flood of valid but dishonest session requests.
Another security threat that is now an increased problem for unified communications is platform compromise. No longer an issue restricted to email systems and IM, attackers can now subvert applications on servers, desktops and handhelds, or take over an IP phone via UC protocols like SIP or SIMPLE. From there, malicious hackers can launch all manner of attacks, including stealthy information-gathering campaigns and more brazen attempts at further compromises, denial of service or vandalism.
Preventing unified communications vulnerabilities
The problem of securing unified communications spans servers, endpoints and network infrastructures, so the enterprise must deploy defenses at all levels -- something it should already be doing, and to which unified communications only adds more urgency.
Phones should be secured like other network devices: unused services (many IP phones have Web servers embedded, for example) should be shut down, unused ports disabled, and default management passwords changed. All management should be forced through authenticated and encrypted connections, if possible.
Firewalls, router access control lists, VLANs, port-level switch security and authenticated network access comprise some of the low-level strategies IT should deploy on the network to protect IP phones and/or desktops from each other.
Host- and network-based intrusion detection is also important, for traffic to and from clients and unified communications servers. Intrusion prevention systems (IPSes), where they can be made robust enough to manage unified communications traffic without adding insupportable latency, will be another key. Especially important will be IPS or proxy servers -- focused specifically on SIP and SIMPLE -- that can look deep inside unified communications network packets and examine the actual data being sent to see not only whether it is acceptable in format and length but also to spot ill-intended data using probabilistic analysis.
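As an added illustration, not from the original article, of the format-and-length checks a SIP-focused proxy or IPS performs and of spotting the session-request floods described earlier, here is a small Python inspector; the policy limits, header set and sample messages are constructed for this example.

```python
import re
from collections import defaultdict, deque
# Assumed policy limits for a SIP-aware proxy/IPS (constructed for this example)
MAX_LINE = 512
METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}
REQUIRED = {"via", "from", "to", "call-id", "cseq"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")

def inspect_request(raw):
    """Check a SIP request's format and lengths; return a list of findings (empty = pass)."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["malformed request line"]
    findings = []
    if m.group(1) not in METHODS:
        findings.append("unexpected method " + m.group(1))
    headers = {}
    for line in lines[1:]:
        if line == "":            # blank line ends the header block
            break
        if len(line) > MAX_LINE:  # oversized values are a classic parser-crash vector
            findings.append("oversized header line")
            continue
        name, sep, value = line.partition(":")
        if not sep:
            findings.append("header without colon")
            continue
        headers[name.strip().lower()] = value.strip()
    missing = REQUIRED - set(headers)
    if missing:
        findings.append("missing headers: " + ", ".join(sorted(missing)))
    return findings

class InviteRateMonitor:
    """Flag a source that sends more than `limit` INVITEs within `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window, self.seen = limit, window, defaultdict(deque)
    def observe(self, src, now):
        q = self.seen[src]
        q.append(now)
        while q and now - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        return len(q) > self.limit              # True once the source exceeds the limit

# Constructed sample traffic: one well-formed INVITE and one with an oversized Via header
GOOD = ("INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
        "From: <sip:alice@example.com>;tag=1928301774\r\nTo: <sip:bob@example.com>\r\nCall-ID: a84b4c76e66710\r\nCSeq: 314159 INVITE\r\n\r\n")
BAD = "INVITE sip:bob@example.com SIP/2.0\r\nVia: " + "A" * 600 + "\r\n\r\n"
```

A real deployment would add the probabilistic content analysis the text mentions on top of these deterministic checks; the flood threshold here is a placeholder to be tuned per site.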
IT needs to attend to standard host-level security measures too, such as firewalls, antispyware and antivirus agents. Malicious hackers always seek out the path of least resistance, so they will just as readily compromise unified communications systems through servers or clients as through a direct assault on network traffic.
In the end, although specific technologies like SIP proxies and firewalls are useful in securing unified communications, it is more important to take the deployment of unified communications as yet another impetus to a well-rounded, multi-level and multi-layer defense strategy for security across the enterprise infrastructure.
About the author:
John Burke is principal research analyst with Nemertes Research. With nearly two decades of technology experience, he has worked at all levels of IT, including end-user support specialist, programmer, system administrator, database specialist, network administrator, network architect and systems architect. He has worked at The Johns Hopkins University, The College of St. Catherine, and the University of St. Thomas.
This tip originally appeared on SearchSecurity.com.
This was first published in January 2008.