By Boris Sedacca
27 October 2006
One of the major challenges in implementing a converged network is
having a coherent security policy for the management and control of a
system that is carrying voice, video and data.
Standards such as BS7799, the British Standard for information security
management, and its international counterpart, ISO 27001, provide
auseful checklist. BS7799 is a mature standard, having first been
published in 1995, and it has recently had its third major revision.
However, it is virtually useless without practical, prior knowledge of
implementing network security.
Companies providing security management software include Cisco, 3Com,
Avaya, Mitel, Siemens, Nortel and Microsoft, among others.
The challenge in securing a network that will allow businesses to
collaborate is what led a group of IT security heads to form the Jericho
Forum user group. This international circle of IT users and suppliers is
focused on the development of open standards to enable secure and
boundaryless information flows across organisations.
At Dresdner Kleinwort Bank in London - one of the Jericho Forum's
members - the demand for converged networks is driven by cost reduction.
Andrew Yeomans, the bank's vice-president for global information
security, said, "Voice over IP services such as Skype offer obvious cost
savings relative to mobile phone bills, particularly with respect to
international roaming costs."
Once people start making free calls, the tariff structure for mobile
phones will change. Yeomans predicted that over the next couple of years
many telcos will move to a flat-rate charging structure. "There are some
security issues and because we are a financial services provider, we
have compliance regulations. One particular requirement is that all
voice communication transactions by traders have to be recorded," he
"With normal VoIP communications, once you have set up the call, the
communication is on a peer-to-peer link and there is no central service
handling it. That means that you have to fiddle around with it to get
the voice logging to take place.
"On the business continuity side, if everything is going onto the same
network, we need some sort of back-up because, at the moment, if the
data network goes down, you can still rely on the voice network, or vice
Yeomans said mobile networks provide a certain element of business
continuity. "We build in dual-redundancy in our networks." In the case
of a disaster where a move to another site is required, it is quite
difficult to cable up a new analogue voice network, but with a data
network it is quite feasible to redirect all the calls over IP, Yeomans
However, wireless networking implies many security issues. Clearly the
signals can be eavesdropped and jammed, Yeomans said. At Dresdner
Kleinwort, there is some wireless networking but it is not used as part
of its main converged network.
The bank moved to a single London office housing about 3,000 people, so
has not had to face the same types of security problems as some of the
larger financial services providers that run out of a number of offices.
As a result, Dresdner Kleinwort can switch the voice and multimedia
services over fibre lines.
One problem of moving over entirely to a converged network is
interoperability - whereas there are secure protocols available for
convergent network technology, they are not open, and there are open
protocols that are not secure.
For its internal network, Dresdner Kleinwort has gone for a Cisco
proprietary set-up because it meets the needs of the business. The
network can also expand to allow more business communications to come in
from outside, providing VoIP over the internet rather than over the
It is a challenge to design for security and interoperability. Yeomans
said, "If you try to use a converged network over an existing one, you
may come up against quality of service problems.
"You do not want your voice link to drop out if you are doing a large
file transfer, for example. You have to find ways to segregate the
traffic and to control the quality of the traffic at the network level."
But locking down the converged network to maintain high security is not
always practical. Chris Whitwood, network manager at University College
Falmouth, said, "We have been running a converged network for a number
of years, and this has introduced some security nightmares."
The college began implementing voice across the network more than three
years ago and started testing a year before that, so it was well versed
in the kind of problems it could face.
"The first thing we did was to completely isolate the voice virtual Lan
from the data virtual Lan, and to ensure that all our telephony devices
were on the internal network only and could not be reached from the
outside," said Whitwood.
The same applied to its call manager system. However, he realised the
college would need to make the call manager visible from the outside,
albeit in a protected manner.
"Users were requesting the ability to change their speed dials, call
forwarding, and so on, when they were working from home. That meant
setting up the virtual private network connections so that users could
connect into the call managers through Cisco's Unified Personal
Communicator software running on PCs," Whitwood said.
The college chose a proprietary converged network with Cisco, complete
with security technology. "Being a Cisco proprietary solutions house
gives us security and confidence, particularly when using a VPN
concentrator," he said. "There are alternatives, but we took the view
that if we do have security issues, there is only one supplier to go
back to. Although cost is an issue, our primary concern is service."
Although Whitwood configured the network to support the college's own
converged applications, it is clear that IT managers must also support
applications that may not necessarily be part of corporate IT, such as
One of the problems with Skype, according to Dave Neild, network
development service leader at the University of Leeds, is super node
activity. If there is sufficient bandwidth available on a network, Skype
may promote an unwitting user client to a super node, and that allows
other traffic to go via the super node.
"Because we have quite a large number of overseas students, we do know
that Skype is a popular application, so we would not wish to stop its
use, but we may want to stop super node activity," said Neild.
Leeds is one of the largest universities in the UK. Of its 32,000
students, 7,000 live in 18 network-connected halls of residence on and
off campus. The halls link via 100mbps leased lines to Leeds' main
campus network, which is based on Cisco Gigabit systems. The university
previously relied exclusively on firewalls and anti-virus programs that
were distributed to students.
But students did not install the anti-virus software, enabling worms and
viruses to sneak into the network. System technicians would manually
cleanse the systems and update their anti-virus software, a laborious
and expensive process.
Bandwidth consumption was also a problem. Some students were downloading
films and music illegally via file-sharing applications, prompting film
companies to forward legal notices to the university that its students
were breaking the law.
To tackle these issues, it selected TippingPoint to protect routers,
switches, VoIP systems and other infrastructure components from targeted
Neild said, "TippingPoint systems control traffic by blocking or
throttling unwanted file sharing." He pointed out that the product also
stopped the attacks and all but eliminated the file downloads without
affecting network performance.
"We can even monitor students who try to use VPNs for their downloads,"
he said. "By blocking peer-to-peer file sharing, the university stopped
notices it receives from copyright holders. Administrators no longer
have to bother with shutting down students' network ports to prevent
improper downloads or contain viruses and worms to the residence halls.
"Moreover, by blocking illegal student downloads, the TippingPoint
solution reduced bandwidth usage, in effect doubling the amount of
bandwidth available to students for legitimate academic pursuits," said
What is clear is that converged network security needs to tackle both
voice and data and whether data is copyrighted. Scott Nursten, founder
of S2S, a security specialist and Cisco silver partner, believes that
with more voice and video on the network, there will be more
opportunities for industrial espionage and for leakage of confidential
"We are on the brink of seeing the next wave of attacks because people
are not even looking at the risk of convergence," he said.
Many suppliers are bundling everything into one device on the edge of
the network, which serves as a wide area network router, firewall, VPN
termination point and voice router. However, as Nursten pointed out, it
is quite easy to deploy these systems in the wrong way but still have
Visit the InfoSec News store!