VirtualPBX Guest Blog: Best Practices In Securing Unified Communications
For our Partner Blog Series we like to highlight the relationships we have with our peers and business partners from across all areas of the telecommunications industry. We know that when it comes to relationships, the whole really is greater than the sum of the parts. That’s why we want to share with you the wisdom, experience, and perspective of the companies we work with.
For this edition of the VirtualPBX Partner Blog Series, we tap into the decades of network security experience of Sorell Slaymaker from Unified IT Systems. Sorell is an expert in the areas of risk assessment, network configuration, and general data security best practices in the cloud communications space. He has written extensively on these topics and today contributes the following guidelines for securing unified communications.
Best Practices In Securing Unified Communications
Unified Communications (UC) applications can be among the hardest to secure within an enterprise. UC clients, APIs, and services need a full security suite to keep an enterprise secure. Too many enterprises apply standard web-application security measures to UC, which limits what users can do while still leaving the enterprise exposed to UC-specific security challenges. Security managers and architects understand standard web applications but not all the nuances of UC, while UC managers and architects often lack deep security expertise.
Framing the Challenges of UC Security
One example: Cisco reported a critical security vulnerability in its WebEx clients that needed an immediate patch. Because of insufficient input validation in the clients, an authenticated, remote attacker could execute arbitrary code on a targeted system. The risks to a company whose UC system(s) are not secure include:
- Loss of Data – UC is more than voice and video, there is a lot of data associated with Web conferencing and file sharing.
- Back Doors – Bad actors can bypass standard security controls to gain access to private networks.
- User Tracking – Using metadata about the communication to track who is talking to whom, when, and from where, even when the media itself is encrypted.
- Blackmail – Recording private conversations and threatening to make the information public.
Increasingly Common Risks
UC combines telephony, video, chat, email, and presence together into one unified communications system. As the technology has become more complex and more accessible from the public internet, the security threat has increased. In many ways, it’s easier than ever to attack business communications. Companies must be diligent to protect their communications as they are vital to business operations.
Companies formerly relied on their internal network being secure and required external users to connect through a VPN. This strategy no longer works for all businesses because:
- No network is secure – A large share of attacks originate from inside the enterprise network, whether from compromised endpoints or from insiders, so a secure perimeter on its own proves little.
- BYOD (Bring Your Own Device) – Employees, contractors, and partners use UC from personally owned devices that carry no VPN or MDM client protections.
- Speed – Users want to immediately start communicating versus having to wait for a VPN tunnel to be established.
- Public UCaaS – Hosting UC externally at a 3rd party using internet network connectivity is common, especially with the rise of freemium solutions.
- WebRTC – Standardized, clientless UC from any browser, anywhere and everywhere.
Overcoming Common Challenges
While large businesses can often dedicate substantial resources toward securing their communications, SMBs need simple and cost-effective solutions. Failure to secure UC can lead to information and data theft. UC is hard to secure for the following reasons:
- Peer-to-peer – WebRTC and proprietary UC stacks allow one device to send media directly to another without passing through a centralized service and its security stack. Most other enterprise applications are client/server, where the security stack can sit in front of the server.
- Bi-Directional – Because every call has a calling and a called party, sessions can be initiated from either direction, whereas in a web application the user always opens the session. A home router, for instance, applies a simple stateful rule: every TCP and UDP session must be initiated from inside the home network. That is why a home user must already be logged into Skype to receive a call: the client's outbound connection to the service is what lets the incoming call reach it.
- UDP Transport – TCP has sequence numbers and well-known ports for different applications; UDP media (RTP) has neither transport-layer sequencing nor fixed ports. Media ports are negotiated per call in the SDP body of the signaling, so vendors open a range of UDP ports that sessions cycle through. That range must be larger than the peak number of concurrent media streams (each stream conventionally takes two ports, one for RTP and one for RTCP).
- Multiple services – Voice, video, chat, data – UC uses a range of services, each with their own TCP/UDP port. With conferencing, there can be hundreds of users interacting both inside and external to the organization.
- Jitter Sensitivity – Jitter is the variation in latency; once it exceeds what the receiver's jitter buffer can absorb (commonly cited as 20 to 30 ms), real-time voice and video packets are effectively lost. Video conferencing can produce instantaneous traffic spikes many times the norm. Firewalls and other security appliances that inspect traffic have trouble processing that much UC traffic without introducing jitter, which is the primary reason UC was among the last major applications to move onto virtualized infrastructure at scale.
- Remote control – Co-browsing and remote control of an endpoint are enhanced features of UC suites, and some vendors use them to bypass VPN and other sanctioned forms of enterprise remote access.
- APIs – The digital world is about getting and sharing data through APIs. Set up a secure, encrypted session and information goes in and out of an organization. The challenge is that some of this data can be private, confidential, and/or regulated data that require enterprise governance and compliance.
- Too Many Proprietary Appliances – Legacy PBX, voice mail, and conferencing systems run on proprietary hardware with uncommon operating systems, and these appliances often carry known security vulnerabilities that go unpatched.
Finding the Solutions for Every System
While this list can be overwhelming, there are best practices to follow for securing UC. These include:
- Encrypt Everything – It is no longer enough to encrypt data at rest; data and communications in motion must be encrypted because users and applications can be anywhere and everywhere. Use TLS for signaling (SIP over TLS, HTTPS for APIs) and SRTP (DTLS-SRTP for WebRTC) for media, with strong ciphers such as AES-256 for sensitive communications. Be clear about what encryption does not hide: regardless of key length, the packet sizes and timing produced by a variable-bit-rate codec can still reveal the language spoken, characteristics of the speaker, the length of the conversation, and how much each party talks. Constant-bit-rate codecs or packet padding reduce that leakage.
- Adopt Zero Trust Architecture – Zero Trust means nothing on the network is trusted by default, whether host, resource, or application. Start from a deny-all policy with an allow-list that is integrated with the identity and access management system, and use anomaly detection to alert when something abnormal is occurring.
- Ensure Identity – Great security starts with great identity and access management. Multi-factor authentication, least-privilege access, and logs that account for who accessed what are industry best practices that are not always applied to UC. Voice mail and other UC service logins should use multi-factor authentication, with hardware or app-based second factors required for system administrators. The password reset process should be equally rigorous.
All proxy services need to be examined as well. Web and email proxies are common, and SBCs act, among their other functions, as a voice proxy; be sure to add chat/presence and video proxies too. Unfortunately, these proxies are proprietary: Microsoft has its Edge Server and reverse proxy, and Cisco uses Expressway. These proxies provide the following features:
- Packet Inspection – Terminate (decrypt) each session, inspect the signaling, and scan each packet and media stream before re-encrypting toward the far end.
- Secure Firewall Traversal – Open specific, well-defined ports through the firewall and handle NAT at both the IP layer and the application layer: SIP headers and SDP bodies carry addresses and ports inside the message, so the proxy must rewrite those as well as the packet headers.
- Log & Alarm – Keep a log of all sessions and generate real-time alerts on anomalies such as a spike in traffic, malware detection, repeated failed session attempts, etc.
- DLP – When required, record the session; this is important for logging screen shares.
For WebRTC, use a WebRTC gateway with ICE, STUN, and TURN services as appropriate. With Communications Platform as a Service (CPaaS), all APIs should also go through a proxy so the enterprise can enforce governance and compliance of all data entering and leaving the organization.
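The UDP Transport bullet above (media ports negotiated per call) and the Secure Firewall Traversal bullet (NAT at both the IP and the application layer) are easiest to see on a real message. The following is an added example, not code from the original post or from any vendor: it builds a constructed SIP INVITE with an SDP offer, shows where the private address and the SRTP key sit inside the signaling, rewrites the embedded addresses the way a SIP-aware proxy must (a layer-3 NAT would leave them untouched), and derives the firewall pinholes under a deny-all policy. The addresses, the media port range and the peer allow-list are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# --- constructed sample: a phone on a private LAN calling out through NAT ---
PRIVATE_IP = "192.168.1.20"   # phone's LAN address (constructed)
PUBLIC_IP = "203.0.113.5"     # enterprise NAT / SBC public address (assumed)

# The private address appears in the SDP body and in SIP headers: a layer-3
# NAT rewrites only the IP header, so these would leak through unchanged.
SDP_BODY = (
    "v=0\r\n"
    f"o=- 13760799956958020 1 IN IP4 {PRIVATE_IP}\r\n"
    "s=-\r\n"
    f"c=IN IP4 {PRIVATE_IP}\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0 8 101\r\n"
    # SDES: the SRTP key rides inside the signaling, so media encryption is
    # only as strong as the TLS protecting the SIP dialog.
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)


def build_invite(body: str = SDP_BODY) -> str:
    """Assemble a SIP INVITE carrying the SDP offer, with a correct Content-Length."""
    return (
        "INVITE sip:2000@pbx.example.com SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776asdhds\r\n"
        "From: <sip:1000@pbx.example.com>;tag=1928301774\r\n"
        "To: <sip:2000@pbx.example.com>\r\n"
        "Call-ID: a84b4c76e66710@phone1000.example.com\r\n"
        "CSeq: 314159 INVITE\r\n"
        f"Contact: <sip:1000@{PRIVATE_IP}:5060>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        "\r\n" + body
    )


def split_sip(msg: str):
    """Split a SIP message into (start line, [(header, value)], body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def sdp_media(body: str):
    """Return (connection address, [(media type, port, transport)]) from an SDP body."""
    conn, media = None, []
    for line in body.split("\r\n"):
        if line.startswith("c="):
            conn = line.split()[-1]                  # 'c=IN IP4 <addr>'
        elif line.startswith("m="):
            mtype, port, proto = line[2:].split()[:3]  # 'm=audio 49170 RTP/SAVP ...'
            media.append((mtype, int(port), proto))
    return conn, media


def sdes_keys(body: str):
    """The a=crypto lines: SRTP keys that an unencrypted SIP leg would expose."""
    return [line for line in body.split("\r\n") if line.startswith("a=crypto:")]


MEDIA_RANGE = range(49152, 50000)                    # assumed SBC media port range
PEER_ALLOWLIST = [ip_network("198.51.100.0/24")]     # assumed remote media relays


def pinholes(body: str, peer_ip: str):
    """Deny-all policy: open only the negotiated RTP/RTCP ports, and only when the
    port lies in the configured range and the peer is on the allow-list."""
    if not any(ip_address(peer_ip) in net for net in PEER_ALLOWLIST):
        raise PermissionError(f"peer {peer_ip} not on media allow-list")
    _, media = sdp_media(body)
    holes = []
    for mtype, port, proto in media:
        if port == 0:
            continue                                 # port 0 means the stream is rejected
        if port not in MEDIA_RANGE:
            raise ValueError(f"{mtype} port {port} outside media range")
        holes.append(("udp", peer_ip, port))         # RTP
        holes.append(("udp", peer_ip, port + 1))     # RTCP, port+1 by convention
    return holes


def rewrite_for_nat(msg: str, private_ip: str, public_ip: str) -> str:
    """Rewrite the private address inside SIP headers and the SDP body (the part a
    layer-3 NAT never touches) and recompute Content-Length."""
    start, headers, body = split_sip(msg)
    new_body = body.replace(private_ip, public_ip)
    new_headers = []
    for name, value in headers:
        if name == "Content-Length":
            value = str(len(new_body.encode()))
        elif name in ("Via", "Contact"):
            value = value.replace(private_ip, public_ip)
        new_headers.append(f"{name}: {value}")
    return "\r\n".join([start, *new_headers]) + "\r\n\r\n" + new_body


if __name__ == "__main__":
    print(rewrite_for_nat(build_invite(), PRIVATE_IP, PUBLIC_IP))
    print(pinholes(SDP_BODY, "198.51.100.7"))
```

Two things to take from the run: the address that has to change for the call to work is inside the payload, which is why a plain NAT breaks SIP and an SBC or SIP ALG is needed; and the pinhole is two UDP ports for one peer for the life of one call, not a standing range open to the world.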
- Securing the UC appliances – Scan regularly, apply vendor security patches promptly, and turn off unused services. While this may seem obvious, many enterprises fail to do it because their UC infrastructure does not always reside in the security-managed part of the data center.
- Log & event monitoring – Every large enterprise has a Security Information and Event Management (SIEM) system, and the UC systems should feed into it.
- Audit – While all large enterprises and government agencies get 3rd party audits of their critical or sensitive transactions, this is rarely done for interactions. Getting a 3rd party to audit UC security and interactions is an emerging best practice.
- Training – No matter how secure your systems are, users can be careless and not take security seriously. If they or the people they are talking to are on an unsecured session, confidential, private, or regulated information should not be shared.
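The Log & Alarm feature of the proxies and the Log & event monitoring bullet above both come down to the same thing: UC signaling logs need detection logic, not just storage. The following is an added example, not code from the original post or from any UC product: it runs a sliding-window detector over constructed SIP registration-failure lines (loosely modelled on the NOTICE lines an open-source PBX writes; the addresses, extensions and timestamps are invented), raises one alert per offending source, distinguishes an extension-enumeration sweep from a single-account brute force, and emits the alert as a JSON line a SIEM can ingest. The threshold and window are assumptions to tune for your own traffic.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (not captured from a real system).  One source hammers
# six extensions in 33 seconds; a legitimate user mistypes a password once.
LOG_LINES = """\
[2024-03-04 02:11:07] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@pbx.example.com>' failed for '198.51.100.23:5060' - Wrong password
[2024-03-04 02:11:09] VERBOSE[1234] chan_sip.c: Registered SIP '2000' at 203.0.113.9:5060
[2024-03-04 02:11:12] NOTICE[1234] chan_sip.c: Registration from '"1002" <sip:1002@pbx.example.com>' failed for '198.51.100.23:5060' - No matching peer found
[2024-03-04 02:11:18] NOTICE[1234] chan_sip.c: Registration from '"1003" <sip:1003@pbx.example.com>' failed for '198.51.100.23:5060' - No matching peer found
[2024-03-04 02:11:25] NOTICE[1234] chan_sip.c: Registration from '"1004" <sip:1004@pbx.example.com>' failed for '198.51.100.23:5060' - Wrong password
[2024-03-04 02:11:31] NOTICE[1234] chan_sip.c: Registration from '"1005" <sip:1005@pbx.example.com>' failed for '198.51.100.23:5060' - No matching peer found
[2024-03-04 02:11:40] NOTICE[1234] chan_sip.c: Registration from '"1006" <sip:1006@pbx.example.com>' failed for '198.51.100.23:5060' - No matching peer found
[2024-03-04 02:13:02] NOTICE[1234] chan_sip.c: Registration from '"2000" <sip:2000@pbx.example.com>' failed for '203.0.113.9:5060' - Wrong password
""".splitlines()

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'\"(?P<user>[^\"]*)\"[^']*' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.*)$"
)

FAIL_THRESHOLD = 5              # assumed: failures per source before alerting
WINDOW = timedelta(seconds=60)  # assumed: sliding window length


def parse(lines):
    """Turn matching log lines into (timestamp, source ip, user, reason); ignore the rest."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["reason"]))
    return events


def detect(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Alert once per source IP that accumulates `threshold` failures inside `window`."""
    alerts = []
    recent = defaultdict(deque)      # ip -> failures still inside the window
    fired = set()
    for ts, ip, user, reason in sorted(events):
        q = recent[ip]
        q.append((ts, user, reason))
        while q and ts - q[0][0] > window:
            q.popleft()              # drop failures that aged out of the window
        if len(q) >= threshold and ip not in fired:
            fired.add(ip)
            users = sorted({u for _, u, _ in q})
            kind = "extension enumeration" if len(users) > 1 else "password brute force"
            alerts.append({
                "ip": ip, "kind": kind, "failures": len(q), "users": users,
                "reasons": sorted({r for _, _, r in q}),
                "first": q[0][0], "last": ts,
            })
    return alerts


def to_siem(alert) -> str:
    """One JSON line per alert, the shape most SIEM collectors ingest directly."""
    return json.dumps(alert, default=str)


if __name__ == "__main__":
    for alert in detect(parse(LOG_LINES)):
        print(to_siem(alert))
```

Run as written, the sweep from 198.51.100.23 fires at its fifth failure and the single mistake from 203.0.113.9 does not. Feeding the PBX log through something like this before it reaches the SIEM turns "many failed session attempts" from a phrase in a policy into a rule with a known false-positive rate.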
Hackers are becoming like spies and getting more sophisticated and targeting employees, contractors, and partners to help them infiltrate an organization. Everything in an organization needs to be locked down tightly, including UC applications. And for IT security professionals, a security breach into systems that you are responsible for will more than likely result in you updating your resume.
So what do you think? Does your enterprise already conduct all of these steps to protect itself from bad actors and security breaches? Do you think there are other critical steps that we didn’t cover here? Let us know by joining the conversation on Facebook or Twitter, and we’ll make sure to include it in future editions of the VirtualPBX Partner Blog Series!