The seven deadliest attacks on Unified Communications do not need to be fatal. However, they do require multiple approaches. First, here is the list as developed by Dan York. If you want to see details, please visit the Wednesday blog or read his book, the "Seven Deadliest Unified Communications Attacks".
1) The Ecosystem Expansion exposes voice and video applications to the same security challenges as data.
2) Insecure Endpoints
4) Control Channel vulnerability
5) SIP Trunking and PSTN Interconnection requires authentication
7) The end of geographical limits for potential victimization
In addition to practices that an IT Department should be imposing on users, such as strong passwords, periodic changing of passwords, restricting various Internet activity, approving/certifying software, etc., IT departments should also consider the use of Enterprise Session Border Controllers (E-SBC).
An E-SBC will provide a strong firewall but also offer additional features. Steve Johnson, President Ingate Systems, summarizes the role of an E-SBC as follows:
· Normalize the SIP signaling so that the IP-PBX at the customer site and the service provider's network are fully compatible.
· Resolve NAT traversal issues to enable the adoption of SIP, SIP Trunking and full Unified Communications by securely permitting SIP signaling and related media to traverse the firewall.
· Provide security through deep packet inspection (DPI) a powerful way to protect not just SIP traffic, but also the network.
· Provide control through authentication of the user/IP PBX with the carrier network.
Enable disaster recovery in the event a customer's main office goes down, the E-SBC can reroute SIP traffic to a secondary office to keep business up and running.
· Deliver Quality of Service by ensuring that mission-critical voice calls have priority over other Internet traffic, and that call quality remains high.
· Provide Encryption which is inherent in the SIP protocol and when used between two sites minimizes any opportunity for unrelated parties to intercept the call.
· Provide Intrusion Detection/Prevention to detect denial of service (DoS) attacks based on SIP, and to block malicious SIP signaling packets designed to attack certain SIP phones, servers or other devices on the enterprise LAN.
Alan Percy, Director Market Develop of AudioCodes, also adds Interoperability between an IP PBX an ITSP, such as Broadvox, to the above list. According to Alan in SIP Trunking and the Increasing Importance of the E-SBC," An E-SBC eliminates this issue (interoperability) by implementing a back-to-back user agent, essentially terminating one SIP session (using one set of rules) and establishing another session (with a different set of rules), interconnecting previously incompatible systems."
Share this with your VARs, agents, customers and prospects. It may be the wild, wild, wild west out there, but there are a few sheriffs in town.
See you Monday.