Ebook Practical VoIP Security: Part 2

Ebook Practical VoIP Security: Part 2 includes contents: Chapter 10 Validate Existing Security Infrastructure; Chapter 11 Confirm User Identity; Chapter 12 Active Security Monitoring; Chapter 13 Logically Segregate Network Traffic; Chapter 14 IETF Encryption Solutions for VoIP; Chapter 15 Regulatory Compliance; Chapter 16 The IP Multimedia Subsystem: True Converged Communications; Chapter 17 Recommendations.
Nội dung trích xuất từ tài liệu:
Ebook Practical VoIP Security: Part 2 Chapter 10 Validate Existing Security Infrastructure Solutions in this chapter: ■ Security Policies and Processes ■ Physical Security ■ Server Hardening ■ Supporting Services ■ Unified Network Management Summary Solutions Fast Track Frequently Asked Questions 263 264 Chapter 10 • Validate Existing Security Infrastructure Introduction We begin the process of securing the VoIP infrastructure by reviewing and validating the existing security infrastructure. Addition of VoIP components to a preexisting data network is the ideal opportunity to review and bolster existing security policy, architecture, and processes. One way of visualizing the components of a given security architecture is to use Figure 10.1, which graphically shows a number of network security interfaces. Figure 10.1 Security Interfaces The interfaces between data and voice networks and the external world are rep- resented by the red circles numbered 1 through 6. Additionally, data and voice net- works share interfaces with the physical and social realms. Interfaces to data and networks include VPNs, telephones and modems (modems that are used to control or monitor servers or other critical systems are particularly interesting to miscreants), typical web browsing and e-mail services, intracompany WAN connections, and intranet or external connections with vendors and business partners.Technical secu- rity controls such as firewalls, IDS, and ACLs are useful at these interfaces. Interfaces 7 through 9 portray the users, administrators, and help desk personnel that connect with the data and voice networks. In some situations, a call center for example, an additional class of users—operators—could be defined. I believe, based upon personal and anecdotal evidence, that most criminal information security inci- dents occur via these social interfaces. Unfortunately, technological security controls are difficult to implement and manage at these interfaces. www.syngress.com Validate Existing Security Infrastructure • Chapter 10 265 Interfaces 10 through 12 represent the interfaces between the physical domain and the data and voice network. Recently, problems in this area have resulted in the loss of critical data. In January 2006, a laptop stolen from an Ameriprise Financial worker resulted in the loss of personal information from more than 230,000 cus- tomers, and in the same month, an unnamed Toronto health clinic found its private patient data literally “blowing in the wind,” as the clinic’s waste disposal operator improperly recycled rather than shredded the clinic’s data. Numerous other examples exist where discarded laptops or hard drives have been found to contain private information; and “dumpster-diving” is recognized in the security industry as a valid and often lucrative source of information. Lastly, interface 13 describes the VLAN (Virtual LAN) interface. This listing is not necessarily complete, but it suggests where security controls can be most effectively implemented.Traffic can oftentimes be monitored, dropped, or approved, or throttled at these synapse-like junctions. The purpose of this chapter is to reinforce the concept that many of the compo- nents that you will require to secure a VoIP/Data network are likely to exist within your current infrastructure. The first portion of this chapter is not designed as a “how-to” on writing secu- rity policies because there a large number of these resources available. In this section, we will argue that information security is critical to an organization, and that secu- rity policy underpins all other security efforts.Then we will review the processes required to implement a functional security policy, and we’ll look at some of the critical factors that determine the value of a security policy. We have provided a worksheet that will allow you to perform a gap analysis on your existing security policies. A commented sample VoIP Security Policy module is provided for you as a template at the end of this chapter. Security Policies and Processes In order to reap the benefits of modern communications, we are required to secure the systems and networks that comprise the communications infrastructure. The process of securing a converged VoIP + Data network begins with the for- mulation, implementation, and communication of effective security policies.This is true for pure data networks as well. Security policy provides metrics against which costs can be justified, drives security awareness, and provides the framework for tech- nology and process. Once policy is in writing, less time will be spent debating secu- rity issues. Policy provides a vantage point that can be built into an organization’s reporting systems in order to reassure management about the quality, reliability, and comprehensiveness of its security infrastructure. When approached in this fashion, www.syngress.com 266 Chapter 10 • Validate Existing Security Infrastructure information security becomes less an administrative and technical burden, and more of a competitive advantage. NOTE A competitive advantage within a vertical can be gained either by providing products or services that provide more benefits at a fixed price, or by providing the same benefits at a lower price. An organization can gain a competitive advantage by utilizing its resources (things like p ...