Network Communications News (NCN) NCN-Sept2017 - Page 43

KNOW HOW over t h e s a m e IP net wo r k a s d ata a pplic at io ns , a nd m ove d into t h e clo u d , t h e c y b e r- at ta c k s u r fa c e g row s . Wh at m o s t p e o p l e d o n’ t rea lis e is t h at U C a p p l ic at io ns a re p ro ne to t h e s a m e t y p e of data s e c u r it y at ta c k s t h at h ave been p l a gu ing b u s ine s s e s fo r ma n y y e a r s . UC applications differ from their pure data-based counterparts because they are real-time applications that use the Session Initiation Protocol (SIP) for signalling between UC stacks and endpoints. Real- time communications and data communications also have different requirements. For example, if you drop a packet while downloading a website, you can just send another packet. But if you drop a word in a real-time voice conversation, you can’t re-insert it into the conversation later on. These different requirements are important to security, because most companies rely on data- based security devices, such as firewalls, as their primary line of defence. However, firewalls simply weren’t designed for the more complex SIP-based communications. Using a traditional data firewall is fine to protect things like deep packet inspection and threat intelligence. But even the most advanced next- generation firewalls don’t have the awareness or statefullness to protect complex SIP services. As a result, enterprises turn off certain security features, such as SIP ALG, to accommodate scaling of real- time voice and video. This, in turn, creates new security holes. What do these holes open a network up to? UC’s three primary cyber threats are denial of service, toll fraud and data exfiltration. Theft of service, voice phishing, telephony denial- of-service (TDoS) attacks and eavesdropping are also risks that IT managers need to consider. Session border controller (SBC) are the first step to protecting your network. SBCs include features such as media transcoding and SIP interworking that make UC applications work better. They also act as a sophisticated firewall designed specifically for real-time communications. SBCs provide security features such as media and signalling encryption, back- to-back user agents, network topology hiding and grey/ blacklisting designed specifically for SIP communications. But SBCs and firewalls should not be treated as separate security entities and an SBC is not a firewall replacement. SBCs and firewalls need be thought of as co-network defenders, sharing information across an enterprise, data and policies. This would mean that as every SBC and firewall detects an attack, they could immediately blacklist the source IP address and phishing and DDoS attacks could be halted. With SBCs and firewalls working holistically and sharing security information together, the security of the whole network would be greatly increased. Furthermore, a network should be able to become smarter over time. SBCs shouldn’t be ‘dumb’ sentries. They should leverage behavioural analytics to help drive customised and dynamic policies for your enterprise to more accurately identify anomalous and suspicious traffic, and safely quarantine that traffic until a determination can be made. IHS predicts that the number of UC and voice over Internet Protocol network (VoIP) subscribers in the cloud will reach over 75 million by 2020. Growing together with this are cyber-attacks over SIP protocol, which can cost companies hundreds of thousands of dollars. In fact, toll fraud is even higher than credit card fraud. Although there is no one solution that is going to completely secure the enterprise, in terms of UC, SBCs and firewalls working together are a good start. The problem is over one-third of all enterprises (37%) that have SIP trunks coming into their business do not have an SBC in place to secure those communications. So, if you are moving your unified communications to SIP or the cloud, remember to consider an SBC and firewall combination for a truly unified and secure experience. For further information visit: September 2017 | 43