Unified Communications Security Is Different
Irwin Lazar, Nemertes Research's Vice President for Communication and Collaboration Research, writes at Network World about three security concerns unique to unified communications. The first is that the transition to Session Initiation Protocol (SIP) trunking means that the entire platform is IP-based. In more traditional setups, the different protocols used by the corporate UC network and the legacy public switched telephone network (PSTN) acted, in Lazar's words, as a "firebreak." In an all-IP network, special care must be taken, since a successful invasion can give the bad guys the run of the entire network.
The other two threats are eavesdropping – finding and listening to the unencrypted packets that comprise a VoIP call – and the dangers of interconnection between corporate IP-based networks and SIP and voice peering services. At TMCNet, Erik Linask writes a story largely based on the opinions of Maloff NetResults principal Joel Maloff, discussing the latent dangers of VoIP.
Lazar offers a good list. At a higher level, it is important to understand that UC is different for two reasons. The first is that the platform includes all, or most, of an organization's communications tools. That offers great advantages – there wouldn't be a UC industry otherwise – but also great risks. A security breach can take down much more than a single service.
The other difference is that crackers can attack not only the applications themselves – VoIP, IM, etc. – but also the interstitial web of connectivity that binds them together on the platform. Lazar's post discusses issues at this level.
In August, I spoke with Dan York, the CTO of Voxeo Corp. and the author of "The Seven Deadliest Unified Communications Attacks." York clearly was on the same page as Lazar. He told me, among other things, that UC security issues have grown more complex for a number of reasons, including the wide dispersion of endpoints and the complex chain of applications and system components.