Unified communications (UC) security has a perception problem. Many enterprises shun consumer tools such as Skype over security concerns, yet few IT organizations are doing much to strengthen UC security on enterprise-class devices and endpoints—even though targeted attacks on VoIP infrastructure now account for as much as one-third of all global attacks, according to one estimate.
"I've never seen a secured deployment of VoIP [or] UC. It may exist, but I haven't spoken to or met anyone who's done one," said John Kindervag, senior analyst at Forrester Research, who dissected UC security vulnerabilities in a new research note, Dial "H" For Hack. "No one wants to encrypt the internal traffic, but they don't realize how easy it is to tap calls or UC feeds, and [UC security] really comes down to encryption."
Enterprises aren't demanding advanced UC security features, so traditional network security vendors aren't bothering to develop them, creating a chicken-and-egg scenario, Kindervag said. Vendors haven't added the processing power network security products need for filtering and encrypting real-time UC traffic because they fear customers won't want to pay more, he said.
That fear isn't unfounded. IT organizations devote so little to security already—often as little as 1% of the overall IT budget—that they are unlikely to invest in expensive but capable third-party UC security tools, Kindervag said. At the same time, UC pros are reluctant to deploy a UC vendor's built-in encryption based on Secure Real-Time Transport Protocol (SRTP) because many routers and switches don't have the capacity to support it without degrading voice and video quality, he added.
"People will say, 'I will absolutely not encrypt because I'm more worried about call quality than I am security,' so who knows what [data] has been stolen?" Kindervag said. "[Most] of these things are financial issues. There's no technological challenge here ... [and] the real issue is mindset. Most people just don't care about security in general."
UC security not a priority unless compliance demands it
UC security and encryption are critical to Charles J. Kazilek—director of technology integration and outreach in the School of Life Sciences at Arizona State University—because the college uses Vidyo desktop video conferencing to partner with the Smithsonian Institution. The Smithsonian receives federal funding and therefore is subject to stricter compliance requirements.
The college is also evaluating desktop video's use in clinical settings, in conjunction with its medical school, which would require HIPAA compliance.
Encrypting video conferencing is a balancing act. Kazilek would lose a third of the available capacity on Vidyo's routers if he were to activate encryption. Instead of the standard 100 simultaneous sessions each device supports, he would be left with 70 simultaneous sessions per device. He plans to activate encryption only where regulatory compliance demands it.
"The reason to [encrypt video conferencing traffic] is if you're compelled by law to make sure you've protected that traffic or that kind of data. In the medical community or in the Department of Defense, that'd be very important," he said. "But for standard usage [in a university]? Absolutely not."
Michael Vassallo, senior network administrator at Somerville, N.J.,-based interior design firm Dancker, Sellew and Douglas, also sees no need to layer additional security onto his VoIP traffic beyond putting it on a private Multiprotocol Label Switching (MPLS) network—a move he acknowledged targets quality assurance more than UC security.
"In our particular … industry we do not have any concerns about putting voice on the network," Vassallo said. "But I could see where encryption of this information could be desired, [such as in organizations handling more] sensitive communications."
Hackers looking for victims who don't think about UC security
Many enterprises mistakenly believe their UC infrastructure and sessions are unattractive targets to hackers. Hackers depend on that misunderstanding, Kindervag said.
Hackers can use packet sniffers to capture and reconstruct VoIP or video calls on IP networks, but attacks are usually more financially motivated. Hackers often exploit vulnerabilities in UC infrastructure to sneak onto the network and access data such as credit card numbers, or to commit toll fraud.
Because of VoIP's growing ubiquity, IP telephony devices and endpoints are the most attractive targets for attacks on UC infrastructure, according to Adam Boone, vice president of marketing and product line management at Sipera Systems Inc., a third-party UC security vendor. Video conferencing is a less attractive target today because adoption hasn't peaked, but that is likely to change soon, he added.
"It actually began around the middle of 2010—the number of attacks against voice over IP and SIP infrastructure spiked to about 30% of all attacks," Boone said. "VoIP and unified communications infrastructure are now reaching critical mass, and because they're not protected as well as Web applications or email, they're now a target of attack."
Encryption isn't the only path to UC security
Encryption may be the best defense, but it is not the only UC security strategy for preventing attacks. Some network security devices can be reconfigured to boost UC security.
Network and UC managers falsely assume that segmenting traffic with virtual local area networks (VLANs) adds some degree of security, Kindervag said. In reality, VLANs function more like "yellow lines on the freeway" that provide instructions for what data streams the packets should follow. But they don't prevent them from swerving off onto another stream, he said.
"When phone and data were separate networks, you didn't really have to worry about this, but now that you've converged networks ... all of those packets are essentially intermingled," Kindervag said. "[A hacker] can craft a packet ... take off the VLAN tag in the header, replace it with the VLAN you want to go to and all the equipment sends it along. It's not that difficult, and hackers have been doing it for a long time."
Enterprises also rely too much on perimeter defense, such as intrusion prevention systems (IPS), assuming that external threats are their biggest worry. But in fact, half of attacks are inside jobs, and IPS should be deployed internally as well, Kindervag said. Internal firewalling can also prevent VLAN hopping, he said.
With the laundry list of UC security features on its UC-Sec appliance, Sipera takes an approach akin to unified threat management (UTM) devices—except with a decidedly Layer 7 slant and UC security focus. The appliance contains 14 core processors to handle the demands of scanning and encrypting real-time media, Boone said.
A typical toll fraudster tests out a reconnaissance attack by using software to find PBXs and call servers exposed to the Internet and place bogus calls in rapid succession to find vulnerabilities, he said. A firewall that isn't application-aware will only look for malformed packets. A UC security device should be smart enough to flag an attempt to connect to 50 extensions a second, Boone said.
Session border controller (SBC) vendors, such as Acme Packet and Sonus Networks, have also built similar features into their products to prevent telephony denial of service (TDoS) attacks and other application-layer attacks that exploit VoIP infrastructure.
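The rate-based check Boone describes (flagging a source that tries 50 extensions in a second) can be sketched as a sliding-window counter of distinct extensions per source. This is an added example, not code from Sipera or any vendor named in the article; the log format, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict, deque

# Constructed log format (an assumption, not a real product's format):
#   <epoch-seconds> <SIP method> sip:<extension>@<host> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<method>INVITE|REGISTER) "
    r"sip:(?P<ext>\d+)@\S+ src=(?P<src>\S+)$"
)

def parse(lines):
    """Yield (timestamp, source, extension) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m["ts"]), m["src"], m["ext"]

def flag_extension_scans(events, threshold=50, window=1.0):
    """Return {source: first timestamp at which it had touched `threshold`
    distinct extensions within `window` seconds}; events time-ordered per source."""
    recent = defaultdict(deque)      # source -> (ts, ext) still inside the window
    counts = defaultdict(Counter)    # source -> extension -> hits inside the window
    flagged = {}
    for ts, src, ext in events:
        q, c = recent[src], counts[src]
        q.append((ts, ext))
        c[ext] += 1
        # Expire attempts that have fallen out of the sliding window.
        while q and ts - q[0][0] >= window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged

def sample_log():
    """Constructed sample: one source sweeps 60 extensions in 0.6 s, another
    redials a single extension 60 times, a third places three ordinary calls."""
    lines = []
    for i in range(60):
        t = 1000.0 + i * 0.01
        lines.append(f"{t:.3f} INVITE sip:{2000 + i}@pbx.example.test src=203.0.113.7")
        lines.append(f"{t:.3f} INVITE sip:2000@pbx.example.test src=198.51.100.4")
    for i in range(3):
        lines.append(f"{1000.0 + i * 20:.3f} INVITE sip:2100@pbx.example.test src=192.0.2.10")
    return lines
```

Counting distinct extensions rather than raw attempts keeps a busy redialer from tripping the alert; the threshold and window should be tuned to the site's normal call rate.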
Let us know what you think about the story; email: Jessica Scarpati, News Writer.