IP telephony push calls for rushed assessment

12.06.2006
My motto is to build security into a project early. Making infrastructure and application changes after a technology has been deployed is very difficult.

That's why, as my company deployed IP telephony for its 6,000-plus employees worldwide, I struggled to find the bandwidth to complete a meaningful assessment. I wanted to make my recommendations before the infrastructure went live.

This ball got rolling about nine months ago, when the company decided that IP telephony would help it cut costs. An architectural issue forced us to abandon the original project plan and switch to an all-Cisco deployment. By then, time pressures had mounted, and as management pushed to get phones on desks, security was in danger of becoming an afterthought. My assessment would have to be abbreviated and would fall to my small staff, which is already stretched thin. My budget is even smaller, so bringing in a third party to conduct the audit and assessment was not an option.

Cisco's Call Manager and Unity Server are appliances running software that processes phone calls and manages voice mail. Both will become critical elements of our infrastructure. A compromised Call Manager could allow unauthorized access or even a denial-of-service attack. The Unity Server will be tightly linked to our Exchange server, and its security is of paramount importance. It provides what is commonly referred to as "unified messaging." That means the Unity Server is the recipient of all voice, e-mail and fax messages. With unified messaging, voice-mail messages can be converted into e-mail attachments and sent to a user's e-mail in-box.

It's cool technology, but ripe for trouble if not deployed securely. If the Unity Server were compromised, all of the company's voice mails would be vulnerable. It's my job to worry about things like this scenario: A voice mail left for our CEO by an executive at an acquisition target could fall into the wrong hands and lead to insider trading; even if no one at the company was involved, the Securities and Exchange Commission would be all over us. Nearly as bad would be the leak of a voice mail from someone in finance that resulted in the premature release of the company's financial report.

The IP phones themselves are another area of concern because they are very different from the phones most people are familiar with.

Next up was the network architecture, which will be responsible for routing and switching the voice packets over our corporate network. This wasn't a big worry, since our network team is very competent. Still, separate virtual LANs for voice, data and management and additional router configurations will be needed to secure the environment.

Finally, I had to assess the Cisco Remote Operations Support (CROS), an outsourced monitoring and management service we'll be using for our IP telephony infrastructure.

Microsoft's part

The implementation of Call Manager and Unity Server is at its heart the deployment of a Windows 2000 server running some Cisco applications. As with any Microsoft installation, there are the usual concerns about service packs, critical updates and viruses. I also wanted to ensure that the operating system was hardened, so I had to remove any unneeded applications and services and make a few changes to the registry.

I also wanted to ensure that proper administrative control and auditing were enabled. The applications provide various levels of administrative access, and those levels must be tightly controlled. As for auditing, the applications can log various types of events, but I had to ensure that it was all enabled so that critical activity will be properly logged and monitored.

I'm glad I decided to take a close look at CROS. Going with this outsourced monitoring and management service made sense for us, given our need for an expedited rollout and our own dearth of people to manage the technology. I didn't like the first thing I saw: To use CROS, we need to provide a group of technicians employed by Cisco with access to our IP telephony infrastructure. You'd expect that, of course, but there are more than 50 technicians who will at various times be responsible for monitoring and attending to issues related to our deployment.

The more questions I asked about this setup, the more my eyes burned with disbelief. Those 50-plus Cisco employees will use a single account to access our Call Manager and Unity servers. Not only that, but they'll also need access to the routers, switches and gateways that make up our IP telephony deployment. A single account with so much access makes me very uncomfortable. Not only is it difficult to track activity when more than one person shares the same account, but we're also essentially providing a level of access that a criminal technician could use to "own" our company's critical network resources. The same routers that will route phone traffic also route e-mail, financial data and a ton of other sensitive and private data that should never be allowed to leave the company.

When I told the Cisco account representative about my misgivings, he acted as if it was no big deal and even said that other customers didn't seem to have a problem with such arrangements. Can I be the only one who sees this as a real problem?

All of these and other issues will go into a report for executive management. In a report like this, I always explain the issue, spell out the risks that attend it and then make recommendations. In some cases, all you can do is to make sure that the risks are thoroughly understood and then recommend that "executive management will accept the risk."

What do you think?

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com, or join the discussions in our security blogs: computerworld.com/blogs/security