Determining the Level of Security for Your IP Telephony Network
Let’ start with a fundamental fact: Not all five fingers of a hand are equal. The same applies to IP networks, organizations, and people. No two people or two organizations are precisely identical. And the same applies to IP Telephony networks as well; no networks are ever exactly the same.
With that said, more likely than not, you must be thinking about your own IP Telephony network and how dissimilar it is to another IP Telephony network you’ve had a chance to work with (or designed). The question here is, “How can you compare the security applied in that other IP Telephony network to your network?” And consider if the level of security applied was perhaps too much for your network, or maybe it was lesser than what you would like to have employed in your network.
To help you with these questions, let’s take an example of different organizations and their expectations from their IP Telephony network. Let’s go through a series of brief case studies to help you understand which level of security may be right for your organization.
The following organizations are considering securing their Cisco IP Telephony network:
- A university
- Sport store with multiple branches
- Financial institution
- Government agency
All these institutions want to leverage Cisco’s world-class IP Telephony solution for addressing their telecommunications requirement. They are all very excited to experience IP Telephony and IP-based collaboration solutions. However, they are also concerned about the security of their communication channels, stored call records, rogue devices, unauthorized access, and other practical issues that plague the integrity and confidentiality of their IP Telephony network. They are all striving to secure their IP Telephony network. Let’s analyze the level of security each one of them should logically and practically implement. The following examples are based on assumptions relevant to IP Telephony network security that different organizations or business verticals might plan for.
Before beginning, we will use the same matrix we used in the section, “How to Balance Between Cost and Risk,” for reference. However, now the discussion is no longer about the cost of security or risk. Instead, it revolves around the level of security and the associated complexity, as shown in Figure 4-6.
Figure 4-6. IP Telephony Security Levels
University: At the university, because of openness and availability of resources, it is essential to prevent unauthorized access to IP Telephony facility. Moreover, any rogue devices should be barred from registering to the CUCM cluster. Also, the university IT staff would like to have the wireless communication encrypted because many students will be using Cisco Unified Presence Client (CUPC) or Cisco IP Communicator soft phones installed on their laptops. No remote access via VPN is allowed. Maintaining the IP Telephony network and cost are some of the challenges for the university’s IP Telephony department.
Given the details, what do you think is the right level of security for the university’s IP Telephony network? Could it be low, medium, or high? Give it a thought and write down your answer.
Sport Store: The sport store organization has multiple branches and hosts a decentralized IP Telephony network with clustering over WAN and SRST support at remote sites. The employees are allowed to access the network remotely enabling them to work from home. Thus, VPN is also part of the solution. Thanks to stiff competition, the organization wants to protect its communication streams from any possible tapping or service outage. Also, the organization intends to safeguard its IP Telephony network resources from any intrusion attempt. The security must be within a set budget and implemented in a predefined timeline.
Can you guess what level of security this organization is aspiring for, by referring to Figure 4-6?
Financial institution: A popular and successful financial institution plans to secure its Cisco IP Telephony deployment. Although it does not want to let go of any native security feature, it does not want to increase the complexity level too much. One important aspect is that as per the security policy of the organization, no endpoints can register unless they have been authenticated by the AAA server on its premises. Also, no auto-registration of the endpoints is allowed. The IP Telephony staff of the organization maintains a separate IP Telephony Security policy that it must follow meticulously. Cost is not an issue and neither is manpower.
Equipped with this information, what do you think is the level of security this financial institution is planning for?
Government agency: A government agency is considering implementing its new IP Telephony network. It chose Cisco as its vendor. It wants to have it secured end-to-end with no exception. The level of security must meet guidelines set by its telecom and network security department security policy. Also, it has a contingency plan to address any security issues that may show up during normal operations. Cost, manpower, and time have virtually no frills.
With this information, can you think of the right security level to satisfy the government agency’s need for end-to-end security (based on security levels depicted in Figure 4-6)?
The Riddles Are Over
It is time to put all these riddles to an end and explore the options these institutions should “ideally” opt for.
University: Because the security needed is minimal and basic, a low or default level of security should suffice for the university IP Telephony network. This can enable it to secure its IP Telephony network with minimal additional cost and manpower. (The only exception is the addition of wireless security that overlaps with a medium or moderate security level.)
Sport store: The store is aspiring for a non-default level of security because the requirement was to encrypt the communication (media and signaling) streams and to evade any DoS attacks (use of a firewall to prevent malicious attack attempts). Thus, a medium or moderate level of security will be an ideal fit for it.
Financial organization: The financial organization does not want a complex solution yet one that provides maximum protection. This calls for a medium or moderate security level with the exception that it is requires that the endpoints use its AAA server (for 802.1x). This overlaps with the high or maximum security level.
Government agency: A government agency, as you might have guessed, is a maximum protection facility. Also, keeping in view the end-to-end security requirements along with a contingency plan (security event management), only the highest level of IP Telephony Security can satisfy its requirements.
As you can probably figure out, it is not always that the need for security is addressed by a static set of security controls defined within a security level. Sometimes, these may overflow or overlap to the next level as some of the security requirements cannot be satisfied by the current level. However, at the same time it is important to note that, the cost, time to plan or deploy, and man-hours also increase.