Unified Communications versus VoIP Security

Unified Communications versus VoIP Security

By Dan York

Does the world really need a book on "Unified Communications Security"? Isn't "UC" really just an over-hyped marketing term for all those voice-over-IP (VoIP) systems that vendors have been pushing for years? How could UC be different?

Those were questions I asked myself when Syngress approached me to write the Seven Deadliest Unified Communications Attacks. After all, there are a good number of excellent VoIP-security books out in the market, some written by good friends of mine. Was there really a need for something new about UC?

But in looking at what's out there, I realized that all of the existing books really focused on just the voice aspect of communication. They dive deep into the Session Initiation Protocol (SIP) and how to secure it, but from a voice angle. They explain how to attack IP-PBXs from vendors like Cisco and Avaya or open source solutions like Asterisk, but again, they are all about voice.

The reality, though, is that business communication today is not just about voice. It is also about instant messaging (IM); it's about video; it's about presence; it's about Web collaboration. This is what unified communications (UC) is all about. I myself am a heavy daily user of a UC system, and I spend most of my day in near constant IM communication with my staff and colleagues, with occasional one-to-one video calls and audio conference calls. Pure "voice," though, is only a small part of my daily communication routine.

This raises a question: When communication has moved beyond simply voice, how do you secure it?

Some of the mechanisms are quite similar, but there are subtle nuances. How, too, do you secure a system that is now distributed globally? And what about the fact that a UC system is typically no longer a single vendor, but rather an ecosystem of separate applications from very different vendors? Also, users might be using a traditional phone, but more may be using a "softphone" on their own laptop. There is also the fact that all of this UC traffic is running over the standard IP data network your company uses as well as the public Internet. And now we can distribute functionality across the global IP network and move part or all of our communication out "into the cloud.” All of these issues are factors that must be considered when securing UC.

Those are some of the issues I explore in the Seven Deadliest Unified Communications Attacks. The focus is on explaining the threats and then providing solid strategies to secure communications systems that include not only voice, but also IM, video, and presence. It also focuses on communication systems that are globally distributed and that are composed of an ecosystem of applications. Along the way, I talk about identity issues and "voice phishing" or "vishing," Spam for Internet Telephony (SPIT), and, of course, the issues around moving communications functionality out into the cloud.

I do think the term "Unified Communications" is getting a bit over-hyped these days. Already we're seeing some vendors move to talking about "Unified Communications and Collaboration" or simply back to saying "Collaboration". Regardless of whatever term we choose to use, the reality is that our real-time communications infrastructure is moving beyond voice, is globally distributed, and is now becoming deeply integrated with the rest of our IT infrastructure; thusly, it’s becoming something that must be protected at every level and form.

We as security professionals and as a larger industry need to look at how we secure the whole communications system, across all the various communication channels. I hope that in some small way my upcoming title can help feed that larger discussion, and I'd love to hear your feedback.