Network operators are expected to move to all-IP, converged networks by the end of this decade--with profound effects on their business models. "The communications evolution for service providers is based on delivering personalised, easy-to-use multimedia services that allow individuals to communicate naturally without restricting location, access type or media," say analysts at Yankee Group, in a research note. Operators have already seen how applications such as VoIP can hollow out the traditional revenue streams. However, the impact that a truly converged IP network could have, both in terms of the full suite of applications that will run across it and in terms of the network security implications that much wider access could bring, is still unclear.
It isn't all about technology
Complex though the underlying technological issues are, everyone is agreed that some simple facts of life are key. "To be honest," says Ed Vonk, CEO of the EVUA, "security is awareness of where the risks are. Everyone is aware that the internet is risky, but not too many people know that fifty per cent of security breaches come from inside companies with, say, external contractors just downloading sensitive information." The use of USB 'sticks', forgetting to upgrade software, using a laptop without a firewall--all of these things provide challenges to corporate security that no network vigilance can overcome. "What needs to be done to secure an enterprise at a general level is well understood, but there is obviously a constant battle to keep up to date," says Tony Caine, vice president of marketing for Aventail in Europe.
Vonk gives a sobering example of just how vulnerable data can be. Last year, apparently, a Dutch attorney was using his own PC for work on a major criminal investigation when the PC failed. In a hurry to continue with his work, and not particularly PC-savvy, the attorney put the 'old' machine out for the bin men. A passing taxi-driver spied it and, remarkably helpfully, took it for repair. Then he took it to the offices of the local newspaper. Within half an hour of the attorney chucking the PC away, the press were merrily accessing the hard-drive. (By the way, if anyone has any handy scoops knocking around on an 'old' device somewhere, please feel free to flag down a passing taxi.)
Human nature is why most company security arrangements are a bit like an egg: hard on the outside and soft inside, suggests Randy Barr, a security specialist with WebEx, the conference enablers. "With security, there is no-one in the world who can guarantee one hundred per cent," he says. Others agree--certainly no-one is sticking their neck out to give an SLA on security. Falk Bleyl, IPVPN product manager at Thus, argues that not being able to support a twenty-four hour service, which is the case with most small companies, leaves them open to attack. Human frailties such as needing sleep are, however, far from being the only issue.
Can you get the wagons in a circle?
"The network never really ends," says Joe Dauncey, lead security consultant at AT & T. "Even if you have a firewall, things are going to get through. Soon, the network will connect all sorts of devices: mobiles, TVs, fridges, toasters--and security goes right down to the client."
No-one is suggesting that we could all become hostage to the whims of rogue waffle-makers, but the multiplicity of devices does have implications. "The more devices you have, the more interesting it is to target systems," argues Vincent Bieri, security technology and marketing manager at Cisco Systems EMEA.
Traditional circuit-switched networks can certainly be tapped, but they are largely secure, at least in the sense that most of the threats they face require physical interference with the network. The fixed-line phone sitting on the hall table does not suffer from viruses, worms, or denial of service attacks. IP networks, however, face a host of issues.
"It is not just a case of protecting data in transit, but of connecting systems at the end of data streams," agrees Dauncey. He points out that the internet was designed as an open computing platform: "that was its nature," he says. "A standard thing in academic environments during the early eighties was a 'guest account'--meaning that people could stroll onto another network as a 'guest' with all the access rights of the 'host'." AT & T's aim in offering security is to "engineer the network to be a strong enforcer of policies," he says. Dauncey says that customers just want to get clean bandwidth--and are willing to pay for that. "We don't want this paradigm of buying protection against the things you are using. We don't want this to be the case for the network," he adds, arguing that if you can organise security properly on the network you don't have to do it anywhere else. "For MNCs, organising security on a server-by-server or data-centre-by-data-centre basis is hugely expensive. [Our approach] can knock 35 per cent off the total cost of security," says Dauncey.
AT & T data mines IP traffic to show up any anomalous traffic patterns. A sudden surge in traffic toward one port, for example, can indicate a distributed denial of service attack. It might be presumed that this is a minor threat, or at least one that really only applies to websites--such as online gambling sites--that generate enough money to attract the interest of organised crime. (Criminals can threaten to cripple gambling sites with a denial of service attack during, say, a major sporting event unless suitably rewarded for desisting ...) Websites and PCs are not the only IP devices threatened by DoS attacks, however.
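The kind of "surge toward one port" check described above, as an added illustration rather than anything AT & T has published: the script aggregates per-minute packet counts per destination port from a handful of constructed flow records and flags any minute in which a port's traffic exceeds several times the mean of the preceding minutes. The flow records, the three-minute baseline and the 5x factor are all assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample flow records (not from the article):
# (minute, destination port, packets). Port 5060 (SIP) jumps in minute 4.
SAMPLE_FLOWS = [
    (0, 80, 1000), (0, 443, 800), (0, 5060, 40),
    (1, 80, 1100), (1, 443, 900), (1, 5060, 45),
    (2, 80, 950),  (2, 443, 850), (2, 5060, 38),
    (3, 80, 1050), (3, 443, 820), (3, 5060, 42),
    (4, 80, 1000), (4, 443, 900), (4, 5060, 4200),  # surge toward one port
]


def per_port_series(flows):
    """Aggregate packet counts into {port: {minute: packets}}."""
    series = defaultdict(lambda: defaultdict(int))
    for minute, port, packets in flows:
        series[port][minute] += packets
    return series


def detect_surges(flows, baseline_minutes=3, factor=5.0):
    """Return (port, minute, packets, baseline) for every minute in which a
    port received more than `factor` times the mean of the previous
    `baseline_minutes` minutes. Minutes without a full baseline are skipped,
    so the first few minutes never alert (assumed policy for this example)."""
    alerts = []
    series = per_port_series(flows)
    for port, by_minute in series.items():
        minutes = sorted(by_minute)
        for i, m in enumerate(minutes):
            window = minutes[max(0, i - baseline_minutes):i]
            if len(window) < baseline_minutes:
                continue
            baseline = sum(by_minute[w] for w in window) / len(window)
            if baseline > 0 and by_minute[m] > factor * baseline:
                alerts.append((port, m, by_minute[m], round(baseline, 1)))
    return alerts


if __name__ == "__main__":
    for port, minute, packets, baseline in detect_surges(SAMPLE_FLOWS):
        print(f"minute {minute}: port {port} got {packets} packets "
              f"(baseline {baseline}) -- possible DDoS")
```

On the constructed data only port 5060 in minute 4 trips the check; the web ports stay within their normal wobble. A real deployment would compare against a longer, per-time-of-day baseline and would also look at source diversity, since a surge from one address is more likely a scan or a misconfigured client than a distributed attack.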
In denial
"The main security issue with VoIP is distributed denial of service attack," says Barr. An IP phone can, apparently, be crippled by any IP device capable of sending it signalling messages at the rate of three calls a minute. Given this low hurdle, even less than fancy PCs can, in theory, bring down a VoIP system--something that could be more than inconvenient for many business users.
How pressing the issue is likely to become is suggested by the fact that the IEEE recently ran a workshop on VoIP security. "In contrast to PSTN, security and survivability have been a great concern for deployment of this technology in government agencies and service provider networks. In addition, support for Voice over WLAN and mobility further complicates the security issues," the organizers noted dryly. Discussion topics included: 'VoIP Security and Quality of Service (QoS): Can They Coexist?' and 'DoS attacks on SIP infrastructures'. It does not appear to be a topic that will go away soon.
One of the vulnerabilities associated with phone systems is that they cannot simply be tucked away safely behind firewalls. They need to accept calls from all comers, known and trusted or not. Blending that openness with the necessary protection of a firewall environment is, apparently, still a challenge, though there are session controllers on the market with features like call gapping and admission control that aim to head off distributed denial of service attacks.
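The call gapping and admission control mentioned above, reduced to their core logic as an added example (not code from any session controller vendor): each source address is allowed a bounded number of INVITEs per sliding window, and a global cap limits the calls admitted at once, so one chatty device cannot starve the rest. The per-source limit of three per minute is taken from the article's figure for what can cripple an IP phone; the window, the global cap and the sample signalling events are constructed for the example.

```python
from collections import defaultdict, deque


class CallGapper:
    """Per-source call gapping plus a global admission cap for SIP INVITEs.

    Assumed policy for this example: at most `max_per_window` INVITEs from one
    source per `window_s` seconds (gapping), and at most `max_active` calls in
    progress at any time (admission control).
    """

    def __init__(self, max_per_window=3, window_s=60.0, max_active=100):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.max_active = max_active
        self._recent = defaultdict(deque)  # src -> timestamps of recent INVITEs
        self._active = 0

    def on_invite(self, ts, src):
        """Decide one INVITE: 'gapped' (source over its rate), 'rejected'
        (no capacity) or 'admitted'. A gapped INVITE is not counted, so a
        flood does not extend its own penalty window."""
        q = self._recent[src]
        while q and ts - q[0] >= self.window_s:  # drop expired timestamps
            q.popleft()
        if len(q) >= self.max_per_window:
            return "gapped"        # e.g. answer 503 or silently drop
        q.append(ts)
        if self._active >= self.max_active:
            return "rejected"      # admission control: no call capacity
        self._active += 1
        return "admitted"

    def on_bye(self):
        """A completed call frees one admission slot."""
        if self._active > 0:
            self._active -= 1


def run_sample(gapper, events):
    """Feed (timestamp, source, method) events through the gapper and return
    the decision for each INVITE in order."""
    decisions = []
    for ts, src, method in events:
        if method == "INVITE":
            decisions.append(gapper.on_invite(ts, src))
        elif method == "BYE":
            gapper.on_bye()
    return decisions


# Constructed signalling trace (not a real capture).
SAMPLE_EVENTS = [
    (0.0,  "198.51.100.7", "INVITE"),
    (5.0,  "198.51.100.7", "INVITE"),
    (10.0, "198.51.100.7", "INVITE"),
    (12.0, "198.51.100.7", "INVITE"),  # fourth inside 60 s: gapped
    (15.0, "203.0.113.9",  "INVITE"),  # another source is unaffected
    (70.0, "198.51.100.7", "INVITE"),  # window has slid past the first three
]

if __name__ == "__main__":
    for (ts, src, _), decision in zip(
        [e for e in SAMPLE_EVENTS if e[2] == "INVITE"],
        run_sample(CallGapper(), SAMPLE_EVENTS),
    ):
        print(f"t={ts:5.1f} {src:15} {decision}")
```

Gapping by source address alone is only as good as the address: UDP SIP can be spoofed, so a production controller would gap on authenticated identity or on a TLS session as well, and the same mechanism should protect REGISTER and OPTIONS, not just INVITE.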
As the organisers of the VoIP security workshop point out, however, fixed line communications are not the only threat. Mobile data use is ramping up and VoIP will soon come to mobile phones. Aside from the issue of trying to ensure that people do not leave mobile devices stuffed with important corporate data in the back of taxis, the actual devices themselves can pose challenges. Different data devices, for example, use different mobile operating systems. "What we have seen, to date," says Aventail's Caine, "is that corporate applications have been running on Pocket PC. We have just started to see corporate access over the Symbian OS coming through". Aventail is, Caine says, currently going through the process of supporting Symbian devices.
Ouida Taaffe, features editor
(otaaffe@horizonhouse.co.uk)
COPYRIGHT 2005 Horizon House Publications, Inc.
COPYRIGHT 2005 Gale Group