Over the last year or two, unified communications has become more and more common. As with any other IT technology, the more mainstream unified communications becomes, the greater will be the need to secure it. As it stands right now, products and mechanisms exist for securing unified communications -- but it seems to me that unified messaging security is being largely ignored.
From what I have been able to gather through observation and by talking to other network administrators at various trade shows, a lot of administrators seem to be oblivious to the need for specialized unified messaging security, and therefore they work to secure unified communications networks in the same way that they would secure any other IP-based network. Some of the administrators that I have talked to have done enough telephony work over the past few years to understand some of the specialized security needs associated with VoIP, but they view unified communications as simply an extension of VoIP rather than as a collection of networking technologies -- each with its own individual security needs.
I believe that the key to securing unified communications is to treat each aspect -- VoIP, IM, presence, peer-to-peer collaboration -- as a separate entity and address its specific security implications individually, even though there will almost certainly be some convergence between some of the various technologies.
Obviously, there is no way that I can possibly address all of the individual security considerations within the limits of an article, or even within a series of articles. Instead, my goal is to help you to think about some of the security issues that are unique to unified communications (UC).
I have to be honest and tell you that I was not going to mention malware prevention in this article, much less lead off with it. After all, right now there are no UC-specific viruses or Trojans that I am aware of. Even so, I believe that malware prevention is critical to maintaining the system's integrity.
Today, most viruses and Trojans seem to target Web browsers and email clients. Malware that targets IM does exist, however. I think that it's only a matter of time before we start seeing viruses designed to target VoIP or video calls -- or maybe Trojans that tamper with presence information. I admit that I don't have a crystal ball, but those are my predictions.
Another issue that I wonder about is that some UC products offer end users a Web interface. Since so many viruses and Trojans already target Web browsers, it isn't a big stretch to think that a virus may someday be designed to target specific UC-related applications through a Web browser. Sure, these types of viruses probably wouldn't be able to harm the UC servers, because they are attacking the client rather than the server, but they could theoretically intercept or disrupt communications.
Instant messaging works well if it is implemented in a controlled manner, but left unchecked, instant messaging can pose a huge threat to security -- especially if users are allowed to download and install their own instant messaging (IM) software.
Some of the threats posed by IM involve inbound viruses and spam, and the potential to disclose sensitive information. In some organizations, it is also necessary to consider the regulatory compliance issues associated with IM. For example, some organizations may be required to archive instant messages.
Earlier, I mentioned that there are security issues related to UC that go far beyond those of normal IP networks. Nowhere is this more obvious than with IM. Many IM applications are specifically designed to circumvent an organization's security. For example, many IM applications are designed to search for open firewall ports and use any open port, rather than IM traffic being bound to a specific port. Likewise, an IM client may communicate with any number of IM servers. Public IM servers make a practice of routinely changing their IP addresses to prevent organizations from being able to block them at the IP address level.
As if this weren't enough, the protocols used by IM applications are constantly evolving, which may introduce new vulnerabilities.
Most of the issues that I have talked about in this section don't really apply to corporate IM deployments, because most corporate deployments use their own internal IM server, and the IM clients are deployed in a controlled and consistent manner. The dangers that I have spoken of come into play when clients are allowed to download and install their own IM software, or when the network administrators don't really understand the security implications of installing IM software.
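The port-hopping problem described above, as an added example that is not part of the original article: constructed flow records are checked first against a blocklist of default IM ports and then against the opening bytes of three well-known IM protocols (MSNP, OSCAR/FLAP, XMPP). The addresses, flow records and function names are assumptions made for illustration.

```python
# Added example: why a port blocklist misses IM clients that use any open port.
# Constructed flow records: (client address, destination port, first client payload).
FLOWS = [
    ("10.0.0.11", 1863, b"VER 1 MSNP8 CVR0\r\n"),                  # MSNP on its default port
    ("10.0.0.12", 443,  b"VER 1 MSNP8 CVR0\r\n"),                  # same handshake, moved to 443
    ("10.0.0.13", 80,   b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),  # OSCAR FLAP sign-on on 80
    ("10.0.0.14", 8080, b"<?xml version='1.0'?><stream:stream to='example.org' "
                        b"xmlns='jabber:client'"),                 # XMPP on a proxy port
    ("10.0.0.15", 80,   b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n"),  # ordinary web
    ("10.0.0.16", 443,  b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),   # TLS ClientHello
]

BLOCKED_PORTS = {1863, 5190, 5222}  # default MSNP, OSCAR and XMPP client ports


def port_rule(flow):
    """Classic firewall logic: flag the flow only if it uses a known IM port."""
    return flow[1] in BLOCKED_PORTS


def is_flap_signon(p):
    """FLAP frame: 0x2A, channel, 2-byte sequence, 2-byte length.
    A sign-on frame is channel 1 carrying the 4-byte version 0x00000001."""
    return (len(p) >= 10 and p[0] == 0x2A and p[1] == 1
            and p[4:6] == b"\x00\x04" and p[6:10] == b"\x00\x00\x00\x01")


def classify(payload):
    """Identify the IM protocol from the first bytes, ignoring the port."""
    if payload.startswith(b"VER ") and b"MSNP" in payload[:32]:
        return "msnp"
    if is_flap_signon(payload):
        return "oscar"
    head = payload[:256]
    if b"<stream:stream" in head and b"jabber:client" in head:
        return "xmpp"
    return None  # not recognised; includes anything wrapped in TLS


def compare(flows):
    """Return (clients caught by port rule, {client: protocol} caught by payload)."""
    by_port = [f[0] for f in flows if port_rule(f)]
    by_payload = {f[0]: classify(f[2]) for f in flows if classify(f[2])}
    return by_port, by_payload


if __name__ == "__main__":
    print(compare(FLOWS))
```

The payload check finds the three clients the port rule misses, but it cannot see inside the TLS flow, and its signatures have to be maintained as the protocols change.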
The biggest security risks associated with VoIP are eavesdropping and the possibility of a data network being exploited using weaknesses in a VoIP-related protocol. The potential for eavesdropping that VoIP presents is unprecedented. We tend to think of eavesdropping as listening in on a phone conversation, but if a hacker were able to intercept a data stream in the right location, he could capture the packets flowing across the wire and later use them to eavesdrop. In doing so, he would not be limited to listening to a replay of a single phone conversation but rather could have access to every conversation that was going on during the packet capture.
Right now, the best thing that IT professionals can do to protect themselves against VoIP-related exploits is to encrypt VoIP traffic. That way, if VoIP packets are intercepted, the calls are still protected against eavesdroppers.
Web filtering doesn't really have anything directly to do with unified messaging security, but I still believe that it is critical to an organization's overall health. I have already talked about how applications like unified messaging and peer-to-peer networking can pose security threats, but it is important to realize that these threats are not related solely to applications that are installed by the IT department.
Without the proper constraints in place, it is easy for users to download their own IM or peer networking software and install it on their workstations. This can lead to a number of potential security issues, ranging from malware infections to accidental disclosure of information. The only way to protect against the threats caused by unauthorized applications is to lock down the users' workstations to prevent unauthorized software from being installed and to use Web filtering to block any websites that pose known threats to security. I certainly don't want to turn this article into a commercial, but there is a company called Bit9 that makes an excellent desktop lockdown product called Parity.
If you work in a regulated industry, it is critical for you to consider how UC will affect your company's regulatory compliance. Compliance rules can change drastically once UC is introduced. For example, I have heard stories of companies implementing Microsoft's Unified Messaging for Exchange and then suddenly being required to archive voice messages and faxes that are added to the users' mailboxes. From an architectural standpoint, it isn't a big deal to archive these additional data types, but the volume of disk space that may be required is certainly a consideration.
Unfortunately, I can't even come close to talking about all of the various security issues related to UC within the space that's allotted to me. However, I hope that I have at least given you an idea of how security needs can change once various forms of UC are introduced onto a network.
About the author:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.