computerwoche.de

Archiv

IP telephony push calls for rushed assessment

12.06.2006
My motto is to build security into a project early. Making infrastructure and application changes after a technology has been deployed is very difficult.

That's why, as my company deployed IP telephony for its 6,000-plus employees worldwide, I struggled to find the bandwidth to complete a meaningful assessment. I wanted to make my recommendations before the infrastructure went live.

This ball got rolling about nine months ago, when the company decided that IP telephony would help it cut costs. An architectural issue forced us to abandon the original project plan and switch to an all-Cisco deployment. By then, time pressures had mounted, and as management pushed to get phones on desks, security was in danger of becoming an afterthought. My assessment would have to be abbreviated and would fall to my small staff, which is already stretched thin. My budget is even smaller, so bringing in a third party to conduct the audit and assessment was not an option.

Cisco's Call Manager and Unity Server are appliances running software that processes phone calls and manages voice mail. Both will become critical elements of our infrastructure. A compromised Call Manager could allow unauthorized access or even a denial-of-service attack. The Unity Server will be tightly linked to our Exchange server, and its security is of paramount importance. It provides what is commonly referred to as "unified messaging." That means the Unity Server is the recipient of all voice, e-mail and fax messages. With unified messaging, voice-mail messages can be converted into e-mail attachments and sent to a user's e-mail in-box.

It's cool technology, but ripe for trouble if not deployed securely. A compromised Unity Server could be hacked, making all of the company's voice mails vulnerable. It's my job to worry about things like this scenario: A voice mail left for our CEO by an executive at an acquisition target could fall into the wrong hands and lead to insider trading; even if no one at the company was involved, the Securities and Exchange Commission would be all over us. Nearly as bad would be the leak of a voice mail from someone in finance that resulted in the premature release of the company's financial report.

The IP phones themselves are another area of concern because they are very different from the phones most people are familiar with.