
VOIP brings associated security risks


Johannesburg, 27 Oct 2004

As local companies gear up to take advantage of the new legislation allowing voice over IP, many have not fully considered the additional security risks associated with the converged network. Martin May, African Director of Enterasys Networks, looks at the additional risk when running a converged network.

As applications such as IP telephony and storage over IP are being considered for implementation in the enterprise network, best-effort availability services and traditional security methods are no longer sufficient to support these new applications.

Convergence has created the need for advanced applications and network security. However, this has to be coupled with intelligent management capabilities, high availability and interoperability.

There is a general need to neutralise security breaches such as worm and virus attacks, eavesdropping (also known as man-in-the-middle attacks), service theft and unsecured protocol firewall traversal.

It is clear that a new model must be developed to secure the real-time applications VOIP brings to the network.

The increase in the mobile workforce means that companies often do not know who is connecting to their network. Nor can they immediately ascertain if the connecting infrastructure is high-risk.

Converged networks will allow machines such as cameras, IP phones and multimedia devices access to the network. Where protocols such as 802.1X controlled access by human users, these devices don't use the traditional authentication models. A new set of authentication techniques is needed.

Knowing which devices have access to each part of the network is also a fundamental part of converged security. Assigning authorisation to devices allows specific departments and employees controlled network access. Policy association will allow dynamic mapping of devices and allow the correct security and quality of service functionality.

Voice over IP operates using clearly defined protocols. Networks must also have the ability to protect VOIP devices from other protocols that could pose a threat of compromise.

However, if a network is to stay operational, threat detection and neutralisation must be dynamic. Intrusion detection systems can isolate a possible network anomaly, but a network must have the ability to manage the threat intuitively. Network management systems must immediately detect and isolate the point of entry of the threat. Thereafter, policies must be adjusted to disable or throttle back the services provided to devices.
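The three preceding ideas (mapping devices to policy roles, restricting each VOIP device to the protocols it actually needs, and throttling a device whose traffic turns anomalous) can be shown together in one small policy engine. The code below is an added illustration, not Enterasys software or anything described on this page: the role names, the port numbers other than conventional SIP port 5060, the anomaly threshold and the sample endpoints are all constructed for the example.

```python
"""Toy policy engine for a converged (voice + data) network.

Added example, not vendor code. It models three ideas from the article:
  - device-class authorisation: each endpoint is mapped to a policy role
  - protocol filtering: an IP-phone role only admits the signalling and
    media protocols it needs; anything else is dropped at the edge
  - dynamic response: an endpoint that starts talking to many distinct
    destinations is throttled instead of being left with full access
All role definitions, port ranges and device records are assumptions
constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass, field

# Allowed (transport, destination port) tuples per role.  5060 is the
# conventional SIP port; the RTP/RTSP ranges and the roles themselves are
# constructed for the example, not a real product's policy set.
ROLES = {
    "ip_phone": {
        "allow": {("udp", 5060), ("tcp", 5060)}
        | {("udp", p) for p in range(16384, 16400)},
        "qos": "voice",
    },
    "camera": {
        "allow": {("tcp", 554)} | {("udp", p) for p in range(8000, 8010)},
        "qos": "video",
    },
    "user_pc": {"allow": None, "qos": "best_effort"},  # None = default-permit data role
    "quarantine": {"allow": set(), "qos": "none"},      # nothing permitted
}


@dataclass
class Endpoint:
    mac: str
    role: str
    dests_seen: Counter = field(default_factory=Counter)
    throttled: bool = False


class PolicyEngine:
    # Distinct destinations one endpoint may contact before it is throttled.
    # A phone talks to a call server and a handful of peers, not the whole subnet.
    ANOMALY_THRESHOLD = 20

    def __init__(self):
        self.endpoints = {}

    def admit(self, mac: str, device_class: str) -> str:
        """Map a newly connected endpoint to a role.

        Phones and cameras cannot log in like a human user, so they are
        classified on connection; unknown device classes land in quarantine.
        """
        role = device_class if device_class in ROLES else "quarantine"
        self.endpoints[mac] = Endpoint(mac=mac, role=role)
        return role

    def decide(self, mac: str, proto: str, dst_ip: str, dst_port: int) -> str:
        """Return 'permit:<qos>' or 'drop:<reason>' for one flow."""
        ep = self.endpoints.get(mac)
        if ep is None:
            return "drop:unknown_endpoint"
        if ep.throttled:
            return "drop:throttled"
        allow = ROLES[ep.role]["allow"]
        if allow is not None and (proto, dst_port) not in allow:
            return "drop:protocol_not_in_role"
        ep.dests_seen[dst_ip] += 1
        if len(ep.dests_seen) > self.ANOMALY_THRESHOLD:
            # Dynamic response: the port stays up but the role is cut back.
            ep.throttled = True
            return "drop:anomaly_throttle"
        return f"permit:{ROLES[ep.role]['qos']}"


if __name__ == "__main__":
    engine = PolicyEngine()
    phone = "00:11:22:33:44:55"  # constructed MAC
    engine.admit(phone, "ip_phone")
    print(engine.decide(phone, "udp", "10.0.0.5", 5060))  # SIP to call server
    print(engine.decide(phone, "tcp", "10.0.0.5", 445))   # SMB from a phone: dropped
```

The point of separating `admit` from `decide` is that the authorisation decision (which role a device gets) is made once at connection time, while the protocol check and the anomaly counter run per flow, which is where a real edge switch would apply the policy.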

Advanced authentication and policy management capabilities - such as convergence endpoint detection, granular control mechanisms to the user level, and mapping of users to flows - make it possible to prevent attacks, secure the network and allow companies the peace of mind to run the new services.

It is clear that while many companies are actively considering implementing convergence technology, security remains a nagging concern. Solid risk analysis should be undertaken before embarking on this endeavour.


Editorial contacts

Bronwen Kausch
Enterasys Networks
(083) 564 3020
bronwenk@netlab.co.za