Getting Real

Andreas Seum, Vice President IP Strategy, Siemens AG Communications.

Siemens and Enterasys ask: ‘How do we balance the increased mobility and productivity offered to the enterprise by real-time IP while minimizing security risks and their associated costs?’ Andreas Seum, Vice President IP Strategy, Siemens AG Communications, tells how.

The popularity of converged IP networks is increasing. As a foundation for real-time communications over an ever-growing array of divergent devices and heterogeneous networks, IP is dramatically improving enterprise communications and lowering costs. However, IP suffers from its own ubiquity and accessibility: the same flexibility and ease of access that make it attractive also increase the risk. So how do we balance the increased mobility and productivity offered to the enterprise by real-time IP while minimizing security risks and their associated costs?

IP is inherently more susceptible to security risks than the closed TDM environment. Frequent security threats involving IP convergence include unauthorized access, connection hijacking, Denial-of-Service attacks, voice spam and protocol-based attacks (SIP, H.323). As a result, vendors and their customers must be armed with hardened, security-enabled platforms with Intrusion Detection Systems (IDS) that extend existing security measures beyond what is commonly found in IP networks.

By the same token, the margin of error in IP networks supporting critical real-time applications is low, and Quality of Service is a high priority. There is no room for downtime, particularly with VoIP. It is one thing to lose a few packets while the system is delivering an email, but with voice there is no such allowance. Another characteristic of IP convergence that makes it more susceptible to a “catastrophic” security breach is the very fact that it is integrated: where an attack on the data network once had no effect on voice traffic, the entire enterprise communications apparatus is now at stake.


Secure IP networks – some ground rules

As such, all vital systems in the converged voice/data communication infrastructure should be redundant, or at least thoroughly backed up. A secure IP network in heterogeneous environments includes measures that take into account every form of media access, i.e. LAN, Wireless LAN and WAN (Virtual Private Network, VPN). Otherwise, common attacks such as Dynamic Host Configuration Protocol (DHCP) server spoofing, Address Resolution Protocol (ARP) spoofing and source IP spoofing could quickly escalate into a severe disruption of communications. In addition, an efficient host IDS/IPS, such as the Enterasys Dragon HIDS, must be in place on the server components of the VoIP solution. In the backbone there must, of course, be a firewall, e.g. one with H.323 Application Level Gateway (ALG) or SIP proxy functionality. And all VPN equipment must be secured with hardware encryption so that there is no loss of Quality of Service due to delay on the WAN section of the network.

The features of such a system might include a ‘Web-based management interface’ that allows platform-independent administration of the IDS from any browser. Strategies might also include ‘Continuous Signature Updating’, whereby new signatures are automatically sent to customers, and ‘System-level management’, where all network or host sensors are configured and updated simultaneously with new configuration parameters or signatures. Another effective measure is ‘Custom Signature Development’, which allows you to create your own signatures to detect whichever events are most critical in each environment. An ‘Event Analyzer’ can monitor events either in real time or from a historical perspective. Management reports must further offer easy-to-understand aggregated data on the events detected, classified by level of attack and by the timeframe of detection. And finally, ‘Session Reconstruction’ lets you view the entire session related to an event, including the packets involved.


Reacting in Real Time

Obviously, a real-time network built on an intelligent IP network infrastructure must be backed up by security contingencies that react dynamically to attacks, intrusions and any other anomalies. Dynamic Intrusion Response (DIR) is a Secure Networks solution that detects abnormal behavior on the enterprise network and quickly intervenes to quarantine the offending user or deviant device. DIR isolates and categorizes the susceptibility, identifies the source and automatically reconfigures the network to mitigate the threat. The enterprise network is thus protected against both known and undocumented security risks.

Deploying a DIR solution reduces the exposure of IT resources to internal and external threats, whether targeted business disruptions or opportunistic predators.

At the same time, the enterprise can leverage its network infrastructure investment more effectively, adding new features to increase productivity in the knowledge that the embedded security system is proactively addressing security issues.


Complete security with Siemens HiPath and Enterasys

In order to create a secure environment for the development of real-time communications, some vendors have integrated these solutions. For example, Siemens has integrated Enterasys’ Secure Networks products into its HiPath Enterprise Convergence Architecture for VoIP. Theo Bossman, president of the alliances and partners division of Siemens AG, says: “Fully integrated network security is a vital component of Siemens’ complete second-generation VoIP solutions. The network is the backbone for business today, and the convergence of voice and data over high-performance, highly secure networks is vital for the success of any business.

IP convergence means new services and applications that are easily deployed to business communication systems, and when the security challenges engendered by these new features are effectively solved, vendors and customers alike enjoy the best of both worlds.”