
A secure approach to convergence

Learn how to support voice securely by adopting security-centric thinking and focusing on access control, proactive protection and dynamic response capabilities.

John Roese
Voice over Internet Protocol (VoIP) has become, in the past few years, a "real" technology choice. This statement is interesting because the capability of using Internet-centric technology to transport real-time voice communication has existed for more than a decade. So, why has it only become "real" in the last year or so?

There are two main reasons: First, the goal of VoIP was to create a technology and associated applications that would deliver a communications experience as good as or better than traditional voice services. Second, the idea was for VoIP to deliver a better value proposition (more benefit and less risk) than what could be done without convergence.

Early, proprietary VoIP systems delivered excellent voice quality, but didn't address the risks associated with a converged network. These first-generation systems also failed to open their protocols and interfaces to create truly converged networks. It was those failings, not the core voice capability, that have limited the growth and acceptance of VoIP.

To address this major barrier to creating the true converged communications system -- the need for secure, predictable and efficient services for a wide range of diverse applications on a common network -- the fundamental approach to networking design and architecture must be updated.

Security, in the broad sense of the term, sets the expectation of predictability in a system. When considering how to deliver a converged network to support VoIP along with the rest of the business applications in use and planned by an enterprise, a logical approach to the functions of that network can be used to define its capabilities. While the basic "simple, dumb, fast" network designs of the past worked well enough for non-real-time data such as e-mail and Web traffic, the ever-increasing virus and worm threats, along with the introduction of real-time applications such as VoIP to a network, mean the new model must be about a "fast, smart, and efficient" system.

The first element of a secure converged network is the ability to control access. Most networks today have no idea who or what is connecting to them or what should and should not be done over them, and they are woefully lacking in the ability to distinguish good uses of the infrastructure from bad ones. The three critical elements of an effective access control capability for a converged network are:

  1. Authentication or detection of all people and devices attaching to the network. While protocols such as 802.1X are very appropriate for access control for PCs with human users, the converged network will allow machines such as cameras, IP phones and new collaboration or multimedia devices to access the same network. In many cases, these devices cannot use the traditional authentication model of presenting a credential and identity to the system. Accommodating these innovative technologies requires a new set of authentication techniques.

  2. Authorization of the attached devices is critical. Authorization is the process of associating the authenticated device with a role appropriate to the business. For example, a network may know that an IP phone is allowed to use the network, but it should also be able to understand that this phone is authorized as a phone used by a specific department or employee rather than one that is authorized to exist as a guest phone in the reception area.

  3. Policy association is needed once authentication and authorization occur. This ensures the dynamic mapping of the correct services, privileges and access to the attached device. If a system can recognize an IP phone by authentication, but cannot dynamically associate the correct security and quality of service functions to that device, the ability to deliver a predictable, secure network is not achieved.

The second critical element of a secure converged network is the ability of such a network to offer proactive protection to the devices and applications in use. Given that VoIP is a well-defined application using clearly understood protocols and traffic levels, the communications system should be able to define protective mechanisms to prevent exploitation of the VoIP devices and applications by proactively preventing the use of protocols that have no relevance to the VoIP systems. The elements of such a capability are:

  1. The ability to define an acceptable use policy for the network system, where unwanted applications and protocols are simply globally disallowed from accessing the network.

  2. The ability to create and dynamically apply a service definition that concurrently expedites the use of the VoIP system while protecting it from misuse.

  3. The ability to protect VoIP devices from other protocols that could be used to compromise and exploit them.
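The three access-control steps (authenticate, authorize to a business role, associate a policy) and the acceptable-use profile that proactive protection relies on can be sketched as one small policy engine. This is an added example, not code from the article or from Enterasys; the role names, VLAN numbers, DSCP values, port numbers, device-fingerprint scheme and directory entries are all assumptions constructed for the illustration.

```python
from collections import namedtuple

# Illustrative protocol sets (constructed for this example, not from the article).
VOICE = frozenset({"udp/5060", "tcp/5060", "udp/16384-32767"})   # SIP signalling + RTP media
OFFICE = frozenset({"tcp/80", "tcp/443", "tcp/25", "udp/53"})

# Service profile: VLAN, QoS marking (46 = EF expedites voice), acceptable-use protocol set.
Policy = namedtuple("Policy", "vlan dscp allowed")
# An attaching device: PCs with users carry an 802.1X identity; phones and cameras carry
# only a detected device class (e.g. from LLDP-MED or DHCP), since they cannot log in.
Endpoint = namedtuple("Endpoint", "mac dot1x_identity device_class", defaults=("", ""))

# Step 3, policy association: each business role maps to one service profile.
ROLE_POLICY = {
    "dept_phone": Policy(100, 46, VOICE),    # department phone: voice VLAN, EF marking
    "guest_phone": Policy(199, 46, VOICE),   # reception phone: same protocols, isolated VLAN
    "employee_pc": Policy(10, 0, OFFICE),
    "unknown": Policy(999, 0, frozenset()),  # unrecognised device gets no service
}
# Step 2 data: which credential or device fingerprint belongs to which role (constructed).
DIRECTORY = {
    ("802.1x", "alice@corp.example"): "employee_pc",
    ("fingerprint", "phone:00:11:22"): "dept_phone",   # device class + MAC OUI
    ("fingerprint", "phone:00:99:88"): "guest_phone",
}

def authenticate(ep):
    """Step 1: credential-based for PCs, detection-based for headless devices."""
    if ep.dot1x_identity:
        return ("802.1x", ep.dot1x_identity)
    if ep.device_class:
        return ("fingerprint", f"{ep.device_class}:{ep.mac[:8]}")
    return None

def policy_for(ep):
    """Steps 1-3 chained: authenticate, authorize to a role, associate the role's policy."""
    role = DIRECTORY.get(authenticate(ep), "unknown")   # step 2: identity -> business role
    return ROLE_POLICY[role]                             # step 3: role -> service profile

def permitted(policy, proto):
    """Proactive protection: forward only what the role's acceptable-use set allows."""
    l4, port = proto.split("/")
    for rule in policy.allowed:
        rl4, rng = rule.split("/")
        lo, _, hi = rng.partition("-")
        if rl4 == l4 and int(lo) <= int(port) <= int(hi or lo):
            return True
    return False
```

Note that the two phones get identical protocol permissions but different VLANs: the authorization step, not the authentication step, is what separates the department phone from the guest phone.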

The last element of a secure converged network should be the incorporation of a dynamic response architecture. This is defined as a mechanism in which, when something unpredicted occurs in the network that can affect the reliability or integrity of the converged systems, the network can identify the threat, locate its point of origin and dynamically isolate, remove or control the threat in real time. Doing so prevents broad, adverse impact on the system. The elements of dynamic response are:

  1. The ability to detect detailed and complex attacks on the network or the converged system.

  2. Upon detection of a critical issue by the IDS systems, the ability to communicate the event to the network management systems and locate the point of ingress of the offending station. This kind of location service is vital; while IDS systems can detect a problem, the more pressing issue is to rapidly find its origin so focused action can be taken in near real time.

  3. The ability to alter the behavior of the network at the point of attachment where an offending action originates. This is done by adjusting policy to isolate, disable or throttle back the services provided to such a device. It is important to note that a key to success is the ability to deliver a measured response to a problem, rather than only being able to turn off physical ports.
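The detect, locate, respond sequence above, as an added example that is not part of the article: an IDS alert is traced through constructed IP-to-MAC and switch forwarding tables to its ingress port, and the response escalates from rate-limiting through quarantine to a port shutdown only on high-severity or repeated events, so that a first low-severity hit does not take a phone off the network. The switch names, port names, addresses, severity scale and response ladder are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed lookup tables for the example (not from the article).
# DHCP/ARP binding table: which MAC currently holds an IP address.
IP_TO_MAC = {"10.0.5.23": "00:11:22:aa:bb:cc", "10.0.9.7": "00:de:ad:be:ef:01"}
# Edge-switch forwarding tables: the (switch, port) on which each MAC was learned.
FDB = {"00:11:22:aa:bb:cc": ("edge-sw-3", "gi1/0/12"),
       "00:de:ad:be:ef:01": ("edge-sw-7", "gi1/0/4")}
# Response ladder, least to most disruptive; only the last rung takes the port down.
LADDER = ["rate-limit", "isolate", "disable"]

@dataclass
class Alert:               # what the IDS hands to the management system
    src_ip: str
    signature: str
    severity: int          # 1 (informational) .. 5 (active compromise)

@dataclass
class PortAction:          # the policy change pushed to the point of attachment
    switch: str
    port: str
    action: str            # one of LADDER

def locate(src_ip: str) -> Optional[Tuple[str, str]]:
    """Step 2: follow IP -> MAC -> (switch, port) to find the point of ingress."""
    mac = IP_TO_MAC.get(src_ip)
    return FDB.get(mac) if mac else None

class Responder:
    """Step 3: apply a measured, escalating response where the traffic enters the network."""
    def __init__(self):
        self.strikes: Dict[Tuple[str, str], int] = {}

    def respond(self, alert: Alert) -> Optional[PortAction]:
        loc = locate(alert.src_ip)
        if loc is None:
            return None  # origin unknown: nothing to act on at the edge yet
        self.strikes[loc] = self.strikes.get(loc, 0) + 1
        # Severity picks the starting rung; repeat offences from the same port climb it.
        rung = 0 if alert.severity <= 2 else 1 if alert.severity <= 4 else 2
        rung = min(rung + self.strikes[loc] - 1, len(LADDER) - 1)
        return PortAction(loc[0], loc[1], LADDER[rung])
```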

The desire to leverage a common infrastructure for a wide range of applications including VoIP is becoming much more common in enterprise IT organizations. In general, the last significant gating element threatening to delay that deployment is the realistic fear that the network is simply not ready to support voice and other applications without compromising the security and predictability of any of the shared applications.

By adopting a model of networking with security-centric thinking and by focusing on access control, proactive protection and dynamic response capabilities, it is possible to support voice on a converged network while building a foundation equally applicable to almost any future application or service added to that system.

About the author:
John Roese, CTO, Enterasys Networks
In his role as CTO, Roese is Enterasys Networks' chief technologist and technical visionary, responsible for the company's strategic technical direction. Roese oversees the development of the company's technology architectures, including comprehensive quality of service, security, management and transport services. Additionally, Roese is responsible for Enterasys Networks' initiatives in the Internet2/NGI effort. Externally, Roese is an active member of the IEEE, IETF and other industry-standards bodies. He is co-author of the recent IEEE 802.1X Port-Based Network Access Control Standard. Roese is also the author of Switched LANs: Implementation, Operation, Maintenance (McGraw Hill, 1998).
This was last published in August 2004
