Controlling the Communications Perimeter Security
Last week, we talked about securing the network plane, and this week, we talk about controlling the perimeter. In line with the Pareto principle, securing the network and the perimeter accounts for 80% of the enterprise-critical aspects of communication security. Here are the key risks that you have to be aware of at the perimeter.
The Border is a difficult place
Risks from Direct Internet connectivity
Assume you have a remote office in Podunk, somewhere in the middle of nowhere. It's impossible to get a leased line there because the CLEC is just too slow and incompetent. You decide to use the normal internet to carry voice traffic between your Podunk and New York offices. This makes life easier but also exposes your organization's traffic to all third parties that carry the traffic between the two offices.
Risks to Wide area network (WAN) links
If you are a nationally or globally distributed organization that uses leased lines to connect remote offices, you risk exposing your internal networks to the outside world simply by traversing third-party networks. A compromise here is potentially catastrophic: at that point, not only is your communication network exposed, but so are all your other data and systems.
Risks to Gateway Devices
Signaling gateways
As calls move from an IP-based corporate network to public networks (and vice versa), signaling gateways translate call information between IP-based systems and carrier protocols such as SS7 and others. Attackers love to compromise signaling gateways because of their wealth of information and control. A compromised gateway not only causes disruption to the call network, but it also yields information such as network topology and subscriber information.
Media gateways
When calls move between IP-based corporate networks and public networks, media gateways translate the media streams between the IP-based systems and carrier media protocols. Media gateways interact closely with signaling gateways; after all, it is the signaling gateway that tells the media gateway what to do with the media stream. The risk from a compromised media gateway is obvious: attackers get access to direct feeds of voice and video, and they can choose to listen in, disrupt, or do both.
How to protect the perimeter
Drawing inspiration from the NSA VVoIP security guidelines, here are some things you can do: