Securing UC to ensure business continuity – best practices and other considerations
By Divesh Nathoo, pre-sales manager at Kathea
Unified Communications (UC) offers enterprises multiple benefits by running multiple communication tools over a single Internet Protocol (IP) network. However, the very nature of this IP network means that it is subject to the same security threats as the corporate network, whether it is run on the same pipe or not. When it comes to communication, Denial of Service and other malicious attacks could bring an organisation to its knees, so securing UC is of the utmost importance to business continuity. Some of the best practices around securing UC are understandably similar to those involved in securing any IP network; however, there are certain unique characteristics of UC that need to be taken into account when it comes to developing and maintaining a best practice UC policy.
Firewalls and making sure UC devices work with them
The first step in securing UC, and indeed in securing any IP network, is to implement a robust firewall to stop attacks from penetrating the network. Most UC enabled devices are basically computers and have remote management capabilities, so it is considered best security practice to disable these capabilities if the device needs to be deployed outside of the corporate firewall. This closes any loopholes that attackers may attempt to take advantage of. As with any IT asset, UC devices should preferably be deployed behind the corporate firewall, as this provides the greatest levels of security.
However, because of the nature of UC, there are additional considerations to take into account here. A Session Border Controller (SBC) / firewall traversal (FT) system is required to enable media streams such as video to cross over the firewall without compromising security, by working with the firewall to ensure availability of video without exposing the UC infrastructure or corporate network to attack. Using a firewall with a UC SBC ensures that Internet-based attackers are not able to reach open ports and services on the UC infrastructure, such as those required for video, while at the same time enabling outside users, customers and business partners to make video calls to UC devices.
Assessing and managing systems for optimal security (and performance)
Security is not a static environment, and as such best practice recommends periodic scanning of UC devices for vulnerabilities and risks. This step is also critical when new UC devices are deployed onto an existing UC infrastructure, as it ensures holes are not opened up because simple tasks, such as changing default configurations and passwords, were not carried out. Organisations should scan for vulnerabilities both inside and outside the firewall for a complete view of the potential threat landscape. This will alert administrators to missing patches, security misconfigurations and weaknesses that could be exploited from outside of the corporate network.
For the purposes of administration and security, UC devices, particularly video, should be treated as typical computing devices, and the same steps should be taken to manage and secure these as would be done for, say, a server. Any unnecessary functions and unused services should be disabled, to provide fewer points of security failure as well as to optimise performance on services that are being utilised. A vulnerability scan will also help to highlight which services are open and reachable so a decision can be made on which services to enable or disable for optimal security and performance.
Auto-answer, meeting rooms and other UC idiosyncrasies
Videoconferencing endpoints have the ability to automatically answer incoming calls, which makes the system very easy to use but also has security implications that need to be understood if they are not to pose a threat.
If auto answer is disabled, it is not possible for an attacker to dial into a room without the active cooperation of a user in the room. A more open option is to enable auto answer and take mitigating actions, such as disabling the ability to control the far camera remotely, using a camera lens cover when the system is not in use, restricting calls allowed to only registered numbers, and monitoring and keeping a record of incoming calls. Obviously the most secure option is to disable auto answer, but in many cases this is not an option. Organisations need to strike a balance between security and the need to use this service.
Auto answer is a dial-in paradigm, where outside users call into a UC meeting room. There is also a dial-out use case where video devices can call a meeting room on a central control unit. This is a more secure architecture than dial-in, as there is no direct connection between two endpoints, which means that attackers cannot access the meeting room even if they connect to the call. This can be further extended into virtual meeting rooms, where all parties dial into a centralised location and not endpoint to endpoint, minimising the risks involved.
Remote access and mobility
One of the major benefits of UC is the ability to allow workers to access the same communications network from their home office, as well as to enable mobility on devices such as laptops, tablets and even smartphones. Any remotely deployed endpoint device, whether it is a UC device or a mobile device, needs to be protected in the same way as any other remote IT asset. Virtual Private Network (VPN) technology is the de facto standard for this, offering the most secure and easily managed method. Using a VPN, remotely deployed endpoints can be brought into the corporate firewall, and using the FT solution mentioned earlier, a full service can be offered.
Mobile devices offer unique risks, as they are not static systems and exist outside of corporate protection. Centralised management of mobile system video applications will help to ensure that security configurations are adequately in place. It is also recommended to ensure that antivirus, personal firewall and configuration assistance tools are installed on all mobile devices, along with a strategy to ensure automatic updates of mobile devices, and a remote wipe capability in case the device is lost or stolen.
Other security practices that apply
Authentication and user access control are critical aspects of securing any IP network, and UC is no different. User accounts should be set up and maintained, passwords should be changed from defaults, and good password policy should apply to ensure only authenticated users have access to the UC network. Eavesdropping is another threat that needs to be addressed; it works in much the same way as the interception of data. Encrypting video streams and communications helps to eliminate this threat, and UC devices should be configured to use encryption wherever possible.
A call log should always be kept as a matter of practice, both of calls placed and calls received. This data should be analysed and scanned regularly to see if the UC system is being used unexpectedly, to unusual devices, at unusual times or when the room was not scheduled to be occupied. This can help to highlight malicious or unauthorised use of the system.
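The regular review of the call log described above can be automated. The following is an added example, not part of the original article; the record layout, SIP URIs, business hours and room bookings are all constructed assumptions, not the format of any particular UC product.

```python
from datetime import datetime, time

# Constructed sample data: field names and values are assumptions for illustration.
KNOWN_PARTIES = {"sip:boardroom@example.com", "sip:partner-mcu@example.net"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
# Room bookings as (room, start, end).
BOOKINGS = [
    ("boardroom", datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 10, 0)),
    ("boardroom", datetime(2024, 3, 4, 14, 0), datetime(2024, 3, 4, 15, 0)),
]
# Call records as (start, direction, room, remote party).
CALL_LOG = [
    ("2024-03-04T09:05:00", "out", "boardroom", "sip:partner-mcu@example.net"),
    ("2024-03-04T11:30:00", "in", "boardroom", "sip:partner-mcu@example.net"),
    ("2024-03-04T14:10:00", "in", "boardroom", "sip:unknown@203.0.113.7"),
    ("2024-03-05T02:17:00", "in", "boardroom", "sip:unknown@203.0.113.7"),
]


def room_booked(room, when, bookings):
    """True if the room has a booking that covers the call start time."""
    return any(r == room and start <= when < end for r, start, end in bookings)


def review_calls(call_log, known, hours, bookings):
    """Return (record, reasons) for every call that matches a review criterion."""
    findings = []
    for record in call_log:
        started, _direction, room, remote = record
        when = datetime.fromisoformat(started)
        reasons = []
        if remote not in known:
            reasons.append("unusual device")
        if not (hours[0] <= when.time() < hours[1]):
            reasons.append("unusual time")
        if not room_booked(room, when, bookings):
            reasons.append("room not scheduled")
        if reasons:
            findings.append((record, reasons))
    return findings


if __name__ == "__main__":
    for rec, why in review_calls(CALL_LOG, KNOWN_PARTIES, BUSINESS_HOURS, BOOKINGS):
        print(rec[0], rec[1], rec[3], "->", ", ".join(why))
```

Calls that match more than one criterion, such as the 02:17 call in the sample data, are the ones to review first.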
Finally, when devices reach end of life and must be disposed of, any sensitive corporate data should as a matter of course be wiped from devices. A factory reset prior to disposal will help to ensure that address books, call history, call logs and so on do not fall into the wrong hands, something which is elemental security best practice.
To end
Unified Communications has revolutionised the way organisations do business and opened up a whole new landscape of integrated, multi-channel communication. Along with this, it brings a host of security concerns and issues that need to be dealt with. However, these security concerns, once identified, are fairly straightforward to manage. By following best practices for securing UC infrastructure, and by treating these end points in the same fashion as organisations would treat computers, businesses can take advantage of the benefits of UC while ensuring security vulnerabilities are kept to a minimum.