No Jitter is part of the Informa Tech Division of Informa PLC

Keeping up with Sipera: Trends in Voice & Video Security

Like you didn't have enough to worry about with voice over IP security, the rise of video in the enterprise means you have another application-layer security problem to consider as you upgrade your networks. That was the two-pronged message I got when I spoke recently with Adam Boone, VP of marketing at Sipera, which is one of the better-established and more innovative security companies in this space. Going back several years now, Sipera developed what was essentially an intrusion detection system (IDS) tailored for voice traffic, and subsequently established its VIPER Lab, which does primary research on security vulnerabilities.

Sipera made several announcements at VoiceCon in both the voice and video security areas. The first announcement was Avaya interoperability for Sipera's UC-Sec appliance, which provides security for teleworkers. Adam explained that UC-Sec sits in the enterprise DMZ and acts as a proxy, supplying encryption, authentication and policy enforcement, NAT traversal and firewalling. This provides security across untrusted networks (i.e., the Internet) for enterprises whose remote sites/workers receive services from a central IP-PBX.

At VoiceCon, Sipera also announced a customer, BCI (Banco de Credito e Inversiones) of Chile, which is using Sipera for a central-site deployment as a means of securing SIP trunks and policing traffic to the core voice system, to provide secure multi-channel contact for customers.

Obviously, if a bank is going to offer multimedia contact, it has to be secure. But I wondered if there really are voice-targeted attacks, with unique signatures, that can be detected in the same way that data attacks can.

"There are VOIP specific, UC specific attacks that we detect, that a data IDS cannot," Adam Boone said. An example is anything that involves a pattern of calling or behavior, and Adam singled out a type of attack called "call walking," which he described as an attack that tries to find a modem to exploit or to execute a denial of service. The attack "walks" from one extension to the next, flooding the network with calls. To defeat it, you need to be able to detect that this pattern of behavior is going on.
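The pattern-based detection described above, sketched as an added example (not Sipera's code and not part of the original article): it flags a source that dials a run of consecutive extensions within a short time window. The log format, addresses, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample records (not real traffic): epoch seconds, source, dialed URI.
SAMPLE_LOG = """\
1000 203.0.113.9 INVITE sip:2001@pbx.example.com
1001 203.0.113.9 INVITE sip:2002@pbx.example.com
1002 198.51.100.4 INVITE sip:2450@pbx.example.com
1002 203.0.113.9 INVITE sip:2003@pbx.example.com
1003 203.0.113.9 INVITE sip:2004@pbx.example.com
1004 203.0.113.9 INVITE sip:2005@pbx.example.com
1005 203.0.113.9 INVITE sip:2006@pbx.example.com
1500 198.51.100.4 INVITE sip:2451@pbx.example.com
malformed line that the parser skips
2000 198.51.100.4 INVITE sip:2452@pbx.example.com
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+INVITE\s+sip:(\d+)@")

def longest_consecutive_run(extensions):
    """Length of the longest run n, n+1, n+2, ... among the dialed extensions."""
    exts = set(extensions)
    best = 0
    for ext in exts:
        if ext - 1 not in exts:          # only count from the start of a run
            length = 1
            while ext + length in exts:
                length += 1
            best = max(best, length)
    return best

def detect_call_walking(log_text, window=30, min_run=5):
    """Return {source: longest run} for sources that walk >= min_run extensions
    within `window` seconds. Assumes records are in time order."""
    recent = defaultdict(deque)          # source -> (timestamp, extension) pairs
    alerts = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, src, ext = int(match.group(1)), match.group(2), int(match.group(3))
        calls = recent[src]
        calls.append((ts, ext))
        while ts - calls[0][0] > window: # drop calls that fell out of the window
            calls.popleft()
        run = longest_consecutive_run(e for _, e in calls)
        if run >= min_run:
            alerts[src] = max(alerts.get(src, 0), run)
    return alerts
```

On the sample, only 203.0.113.9 is flagged; 198.51.100.4 also dials consecutive extensions, but minutes apart, so the time window keeps ordinary sequential dialing from raising an alert.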

Sipera also announced a tool that's specially tailored to help monitor security on Microsoft Office Communications Server (OCS) deployments. The new OCS Assessment Tool (OAT) can test an OCS deployment and check it for compliance with Microsoft's recommended security configuration. It also monitors for the aforementioned "call walking" attacks and SIP flood attacks against OCS users.

OAT is a free tool produced by VIPER Lab, as are Sipera's video monitoring tools, UCSniff 2.0 and VideoJak. UCSniff eavesdrops, captures and records videoconferencing, and VideoJak can perform a targeted denial of service attack against video systems. Just as we're seeing network management and performance vendors start to pay attention to video, it makes sense that a security company like Sipera is turning its attention that way as well. Security and network management are both trailing issues, things that enterprises tend to devote serious attention to only after initial deployments are well under way and the problems become clear, either as a prospect or even a reality.

In general, the big problem that Sipera is seeing, according to Adam Boone, is that 95% of vulnerabilities are related to improper use of encryption. Sipera advocates that encryption be used at all times with VOIP, but some users turn it off because they're concerned about taking a performance hit with encryption enabled.

A more serious challenge is that encryption can defeat troubleshooting, since you can't see the packets in their original form. The best practice for troubleshooting is to turn off encryption for the brief period while you're doing the troubleshooting, then immediately turn it back on, according to Adam Boone.