Beware of UC Security Threats
Unified communications opens up your VoIP network to new avenues of collaboration, including instant messaging, video, business applications and e-mail. And that opens up your network to new avenues of attack.
While the biggest actual threats to VoIP networks remain attacks to the underlying IP network infrastructure, UC opens up new angles of attack by creating connections between VoIP networks and corporate data networks.
Typically, most corporate deployments these days try to segregate VoIP as much as possible, creating islands that protect the voice network by broadly restricting access for devices unnecessary to supporting calls, says Ted Ritter, an analyst with Nemertes Research.
Unified communications changes all that. "With UC, by definition you are opening up your infrastructure and focusing on collaboration, reaching outside the enterprise to trading partners and customers," Ritter says.
Eavesdropping, altering conversations, stealing phone access to commit toll fraud and flooding targeted extensions with calls -- all of which were possible before -- become easier, he says.
Don't Ignore Basic IP-Network Attacks
In reality, however, few of these theoretical VoIP-specific attacks have occurred in the wild, says David Endler chairman of Voice Over IP Security Alliance and senior director of security research at Tipping Point. Endler has co-authored a book about such attacks called "Hacking VoIP Exposed", but acknowledges that the basic step of protecting the IP network that underpins VoIP is still the best protection.
"People may tend to look at some of the sexier types of attacks out there to prevent them -- things such as eavesdropping or impersonation or caller ID spoofing -- the truth is the most prevalent threat right now is the very basic network-level type of attacks," Endler says.
Still, businesses deploying VoIP should be aware of security cracks that UC can open up, says Stuart McLeod, the course director for IT training firm Global Knowledge who teaches its VoIP security courses. "Security is always about having as many layers of obstacles as possible between the hacker and his goals. We lose a couple once you move to unified communications," he says.
For example, UC may introduce the use of softphone clients on PCs, which can cause trouble, says Jason Ostrom the director of Viper Labs, the security research arm of Sipera, a vendor that specializes in VoIP security. With an eye toward testing business VoIP networks, Ostrom develops VoIP-specific attacks in his lab, automates existing attacks and makes them more sophisticated.
He says the Microsoft Office Communications Server client and Cisco Communicator softphone client for call-center applications can be potential sites for attack, particularly from insiders. They could break into the data virtual LAN via the clients, which have listening voice services to tap into the VoIP VLAN, he says.
Also, UC applications live on the voice VLAN that are tied into LDAP and Active Directory servers, creating another exposure for the data network. "User passwords and corporate data can be stolen through the voice VLAN," Ostrom says.
Risk assessment is essential to making decisions about defending VoIP tied to UC, says Paul Kocher, president and chief scientist at Cryptography Research, a data security consultancy. UC represents a series of sophisticated integration points with applications that can create other risks, but not all of them are urgent, he says.
For example, within UC software, programs can be configured to trigger phone calls, but that's not a major problem. "There are potential eavesdropping scenarios or the application could be corrupted to call the wrong phone number," Kocher says. "But those aren't the types of things you lie awake at night and worry about."
It's possible to defend these networks, Ritter says, but the increased complexity means that more corporate business units need to be involved at a higher level than was required for standalone VoIP.