Enterasys secures enterprise VoIP

Enterasys Networks has launched a suite of products to help enterprises secure their voice-over-IP deployments.

With the security of IP-based networks increasingly coming under the microscope — because converged networks face the same hacking threats as data networks — Enterasys is aiming to match the security offered by traditional PBX platforms.

Enterasys' Secure Open Convergence platform allows firms to spot and automatically respond to security threats against their IP telephony infrastructure, enforce network access control policies and comply with regulatory demands for monitoring data security.

While the major VoIP infrastructure providers already offer their own VoIP security solutions, most are designed for individual suppliers' products. Enterasys' VoIP security offering is particularly useful for those firms using a mixed VoIP infrastructure environment.

"The Enterasys integrated open architecture approach to understand and manage the priority and security of unified communications doesn't lock you into a particular voice, video or data vendor," said Mike Fabiaschi, president and chief executive of Enterasys. "Whether you have invested in VoIP solutions from the likes of 3Com, Alcatel, Avaya, Cisco, Mitel, NEC, Nortel, Panasonic, Polycom, Siemens or anyone else, we can protect the confidentiality, integrity and availability of voice services while ensuring compliance with internal policies and government regulations."

"Security is among the top concerns of enterprises deploying voice-over-IP systems," said Brian Riggs, an analyst at Current Analysis. "Software that detects unauthorised use of VoIP systems, prevents service disruption and eavesdropping, and monitors voice networks for new threats will be absolutely vital for businesses considering IP telephony as an alternative to more traditional forms of communication."

With VoIP security often addressed "in a haphazard fashion", said Riggs, a comprehensive solution for securing voice over both wireline and wireless IP networks will be a vital asset to enterprises of all sizes.

Whilst Enterasys' offering will help firms secure their own VoIP architectures, firms that allow their staff to communicate over shared public VoIP networks should still be concerned about increasing threats.

Managed security firm Network Box has published a white paper on the security of Skype — one of the biggest public VoIP providers — which says firms could be compromised by a hacker or a malicious employee. In the white paper, Network Box claims that Skype can leave organisations open to backdoor vulnerabilities, eavesdropping and even bugging.

Simon Heron, managing director of Network Box, said: "Skype can bypass firewalls, network address translation, and proxies. Because it uses peer-to-peer technology, it is difficult to isolate. And its code is a black box, making it the perfect back door."

Another issue is that Skype has a number of features that prevent any debugging. For instance, it will not launch if the established SoftICE for Windows debugger is present. Also, the protocol used by Skype is proprietary and not obvious, which means it is difficult to distinguish bad behaviour from good. This makes it difficult to control, manage and monitor, which is problematic because many financial regulations require customer conversations to be recorded.

Heron said, "Skype undoubtedly offers significant benefits to end-users, but it is important to mitigate the risks associated with running the system. Skype offers significantly more security than conventional analogue or ISDN voice communications, but less security than VoIP systems running over virtual private networks."

A spokesman for Enterasys said, "By no means is Skype easy to secure — there are fundamental risks of allowing any peer-to-peer application to be used on any network. However, there are some capabilities to restrict where Skype enters your network, where it is allowed to travel, and the content of those Skype packets."

Enterasys has a peer-to-peer traffic management solution to control applications such as Skype.

The technology can control whether Skype traffic is allowed into the network based on its Layer 4 socket signature range. It can then control where it is allowed to propogate through the network, to ensure that only authenticated/authorised users are allowed to connect to Skype services.

With Enterasys' latest VoIP security offering, protection is provided by Enterasys' NAC and Dragon security applications and Enterasys' security-enabled infrastructure for switching, routing and wireless connectivity.

The Dragon Intrusion Detection/Prevention System (IDS/IPS) offers specific signatures and protocol behavioural analysis for H.323 and SIP, which are used in IP telephony environments.

Enterasys' NAC solution assesses, authenticates and authorises VoIP users and telephony devices before allowing them onto the network, while enforcing role-based policies after they are connected.

Enterasys' switches, routers and wireless equipment embed policy-based security features on every interface, and each device is protected from denial of service, man-in-the-middle and spoofing attacks. VoIP mobility, manageability, and reliability are specifically addressed by other separate Enterasys products from the same suite.