The average medieval castle featured layers of defence. Multiple wall rings were constructed so that there was no single intrusion point. However, these walls could be rendered useless by that most unpredictable of enemies: the insider — a spy within the castle walls who helped the intruder gain access. But what ultimately did in the castle era was the trebuchet, a sort of catapult on steroids which not only allowed the enemy to pound castle walls from a safe distance, but also to hurl flaming objects or diseased pigs over the walls. That ended the focus on building perimeters around castles as the major line of defense.
We’re going through a similar security shift now in our networks, and I can’t help but see the same evolution occurring. But while castles had decades to refine their security systems, most network growth has occurred within the last few years, and security technology has been scrambling to keep up. …while castles had decades to refine their security systems, most network growth has occurred within the last few years, and security technology has been scrambling to keep up.TextAdd VoIP to the network and you bring in an entirely new security problem. VoIP is more susceptible to denial-of-service (DoS) attacks than data applications because of its QoS requirements. Secure solutions are needed to protect against voice spam, phone number spoofs, theft of services and other threats as yet unknown. What’s worse is that when you add voice components to the data network, they become susceptible to the same threats as the data network such as switch, router and software vulnerabilities.
Even more unnerving is the recent publicity regarding VoIP and 911 calling problems. A distributed DoS attack on a VoIP phone could prevent someone from dialing 911 in an emergency. That’s a lawsuit you don’t want to be on either end of.
Intrusion-prevention systems (IPS) not only address data threats and DoS attacks, but also can address VoIP vulnerabilities that have been discovered in Session Initiation Protocol and H.323 implementations. Because of their high throughput and low latencies, customers are increasingly putting IPSs at their network core to protect against worms, viruses, Trojans, DoS attacks, spyware and VoIP threats.
However, in the vein of “You can’t be too rich or too thin,” you can’t be too secure or too wary. More proactive measures are needed to nip problems before they appear on the network. Security needs to be closer to the client.
Some ways to deal with this?
— Follow the movement toward internal security. The days of perimeter security being all you need are gone. Companies such as ConSentry Networks offer access enforcement gear specifically designed to control users and malware within enterprise LANs — in effect locking down security as close to the user as possible to create self-defending LANs. IPSs from companies such as TippingPoint/3Com can be placed on either internal or external points on the network.
—Track the VoIP Security Alliance. This group is working on predicting ways that hackers can cause problems with VoIP security. All VoIP vendors should participate in this effort. There’s no room for proprietary one-sided solutions, and with more wireless and more VoIP coming into networks, we need to be further ahead of the curve, not behind in a “patch and run” fashion.
—Be aware of the movement toward reputation rating among networks. If you’ve got a reputation for sending a lot of spam — even if it’s not your fault — then other networks will start shutting you off.
There’s nothing like having a flaming pig hurled over the wall to get your attention — medieval kings and lords quickly changed their defensive plans and took the battle to the field. Today’s environment is more akin to a hand-to-hand battle, with the good guys and bad guys intermixed, and you need new approaches to adequately defend against that.
QuickLink 055838
–Briere is CEO of TeleChoice, a market strategy consultancy for the telecom industry. He can be reached at telecomcatalyst@telechoice.com.
Related links:
DOS attacks cripple Authorize.Net