Unified Communications Featured Article
January 15, 2009
How Will We Trust UC?
Within minutes of starting this piece, I received six separate e-mails attempting to steal my identity. All of them were much better disguised than the typical ones from Nigeria asking for a bank account number to deposit $20 million. The best was from the IRS, stating I was “eligible for a tax refund of $268.32.” If $20 million didn’t inspire me to act, then $268.32 would?
ID theft is just one of many security threats we face in the data world: DoS/DDoS attacks on Web and e-commerce servers, viruses and malware infecting enterprise PCs and servers, information theft, the plague of SPAM. To protect us, the industry has developed a variety of products and application techniques to mitigate these threats.
Unified communications is much more than data:
- From e-mail and instant messaging (IM) to instant communications (IC) — real-time interactive voice, video and collaboration
- From standalone applications to unified applications integrated with presence and an application context
- From application-specific devices to application-agnostic devices
- From pockets of IM and VoIP within the enterprise to enabling UC with anyone, anywhere, anytime using multiple wired and wireless networks
Integrating IC and delivering it over multiple networks introduce significant new challenges. The ugly reality is that real-time, interactive voice and video communication is fundamentally very different from data in terms of secure, high-quality delivery. IP phones need to receive incoming calls without asking for them, whereas Web browsers and other data clients initiate all requests for data from inside your network. Every endpoint in the world is a potential source and destination for a voice call, whereas data is retrieved from a smaller number of servers. None of our existing data security products — firewalls/NAT devices, IDP/IDS and SPAM filters — have proven to work for IC.
Do you trust your own employees?
Most security breaches are an “inside job.” VoIP testing tools, which run off any ordinary PC, can kill any IP PBX, SIP proxy or popular SIP-enabled firewall by sending a flood of legitimate SIP messages. Information and identity are easier to steal within the enterprise than outside it. Compared to the Internet or a managed IP network, the corporate net is a much smaller haystack, so finding that “needle” is much easier for the crafty employee. E-mail is much richer in company confidential information than most voice calls, yet is hardly ever encrypted. Voice calls are usually made to confirm information receipt or provide explanations, yet they’re exclusively used to discuss highly confidential topics.
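Because the flood described above consists of well-formed, legitimate SIP messages, content inspection cannot distinguish it from normal traffic; the usable signal is signaling rate per source. The following is an added illustration, not code from the article or from Acme Packet: a sliding-window rate check over a constructed, simplified SIP signaling log (timestamp, source address, method), with the log format, window and threshold chosen here as assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample log (not from the article). Format assumed here:
# "<seconds> <source-ip> <SIP-method>". 10.0.0.5 sends 8 INVITEs in 0.7 s;
# 10.0.0.7 behaves like an ordinary phone (register, one call, hang up).
SAMPLE_LOG = """\
0.00 10.0.0.7 REGISTER
0.10 10.0.0.5 INVITE
0.20 10.0.0.5 INVITE
0.30 10.0.0.5 INVITE
0.40 10.0.0.5 INVITE
0.50 10.0.0.5 INVITE
0.60 10.0.0.5 INVITE
0.70 10.0.0.5 INVITE
0.80 10.0.0.5 INVITE
1.50 10.0.0.7 INVITE
3.00 10.0.0.7 BYE
"""

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)$")


def parse_sip_log(text):
    """Parse log lines into (timestamp, source, method); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((float(m.group("ts")), m.group("src"), m.group("method")))
    return events


def detect_sip_floods(events, window_s=1.0, max_per_window=5):
    """Per-source sliding-window message count; returns sources whose peak
    count in any window exceeds max_per_window, mapped to that peak."""
    windows = defaultdict(deque)  # source -> timestamps inside the current window
    peaks = defaultdict(int)
    for ts, src, _method in sorted(events):
        q = windows[src]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop timestamps that fell out of the window
            q.popleft()
        peaks[src] = max(peaks[src], len(q))
    return {src: n for src, n in peaks.items() if n > max_per_window}


if __name__ == "__main__":
    print(detect_sip_floods(parse_sip_log(SAMPLE_LOG)))  # {'10.0.0.5': 8}
```

A production check would key on method as well as source (INVITE and REGISTER floods have different costs for a PBX) and would feed the flagged sources to a rate limiter rather than just reporting them.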
Imagine the damage if some “enterprising” employee intercepts your CEO’s conversation about an imminent acquisition of a public company or, worse, his loving whispers into the ear of his mistress.
Outside your enterprise, who will you trust?
To take full advantage of UC, we must extend its use outside the network walls of the enterprise. In the context of IC, will you allow incoming calls to your IP PBX or SIP proxy from any external network and signaling element, such as:
- A managed network service provider which provides SIP trunking only for connectivity to/from the PSTN
- A service provider, which also provides IC services to their own enterprise, residential or mobile subscribers
- A service provider, which provides IC connectivity to the subscribers of another provider
- An Internet Telephony Service Provider (ITSP), which provides fee-based services from controlled endpoint devices (i.e., IAD)
- An ITSP, which provides free PC-based services to anonymous subscribers
- Any IP device — PC, PDA or phone — on the Internet
As you descend this list, the threat of DoS/DDoS attacks, SIP-attached viruses and SPIT increases. There is a dramatic difference in risk between connecting to subscribers of fee-based, managed services and connecting to anonymous users of free services.
What network will we trust to deliver voice calls to the right place and person? When we use the PSTN today, by some leap of faith, we trust that our calls will be delivered to the right place and person. In fact, we have no problem providing social security numbers, credit card numbers, and more over the PSTN to total strangers.
New IC security problems, new solutions
At the networking level, we will have two, non-exclusive options for connecting to the rest of the world — the Internet and the Federnet. The wonderful yet wild Internet is a collection of peered “best-effort” IP transport networks, placing the responsibility for security upon the originating or terminating networks and devices. But do we really believe the Internet hippies that all endpoints on the planet will ever have pre-existing, mutual authentication mechanisms ranging from some combination of username, password, personal image, and secret questions to biometric company or personal data?
The emergent Federnet is a federation of managed IP networks with similar high security and high quality characteristics. Its subscriber profiles are similar in terms of security risks. Service providers and enterprises will interconnect to create the Federnet, with end-to-end trust gained through transitive relationships. Each participating network will authenticate its subscribers and/or attached networks and their ability to connect to them. From an enterprise perspective, the Federnet will mitigate, not eliminate, in-bound IC security threats and assure outbound IC delivery to the right place and person.
Seamus Hourihan is Vice President of Marketing and Product Management at Acme Packet. To read more of his columns, please visit his columnist page.
Edited by Greg Galitzine