Security in Real-Time IP Communications
A white paper on today’s #1 information & communication issue
November 2004
Contents
Introduction 3
The security challenge 4
Real-time communication concerns 7
How security can be compromised 8
Identifying vulnerable areas 10
HiPath Security Strategy 11
Security-enabled HiPath Products 12
HiPath Security Solutions 14
HiPath Security Services 15
Customer strategies and solutions 16
Conclusions 18
Acronyms used in this paper 19
This white paper focuses on the need to enable robust security mechanisms for real-time
IP communications, the principal medium being telephony. Real-time communications
are an essential part of day-to-day operations, and the medium is also becoming an integral
part of mainstream business processes. This means that the various mechanisms
must form part of a holistic solution, and that solution must be preceded by
a security strategy.
Security issues cannot be addressed via point solutions, and there are no easy answers.
Viruses and other threats emerge, countermeasures are implemented, and new threats
can be expected at a later stage. Thus, the security strategy has to be ongoing
and proactive. The Siemens HiPath portfolio offers an arsenal of effective weapons to
protect real-time IP communications and IT against security threats.
The business case for real-time IP communications is conclusive. It has the proven
ability to boost profitability via lower costs and increased personal and workgroup
productivity, and to facilitate competitive differentiation. In addition, IP telephony can
become an integral part of many business processes. Thus, many enterprises are
starting to view IP telephony and other real-time IP applications as cornerstones of
their business communication. This is clearly a positive trend, but it is equally clear that real-time
communication like voice has to be secured against the kind of issues usually associated
with IT, e.g. Denial of Service (DoS) attacks, viruses, and worms. The need to ensure
that users are identified and authenticated is a related issue, as is the encryption of
traffic over the Internet, the intranet, and wireless links.
Security has become a key issue for CIOs and IT managers. The rather new requirement
that real-time IP communications must be secure also indicates the need for a
holistic approach: there is little value in addressing unsecured areas via point solutions.
Enterprises need security rings that keep the bad guys out and let the good guys in.
Introduction
This white paper outlines Siemens’ expertise, starting with an examination of the
security challenges that businesses face and the protective mechanisms that can be
employed. This is followed by an overview of Siemens Communications Enterprise
Systems’ and Enterprise Services’ security portfolio, which includes:
¢ security-enabled HiPath Communication products
¢ dedicated security solutions and systems
¢ security services, which include analysis, consulting, building and management.
The paper concludes with an outline of the various steps required to define a security
strategy and a customized solution.
The security challenge
There are five reasons why security has become such an important issue:
1) IP technology and the Internet culture
The Internet and intranets are based on open standards and the same communications
protocol (IP). Without the addition of security measures, their interfaces are equivalent
to an open, unguarded door. Open standards make markets and allow millions of people
to share information and resources. That is the positive side of the Internet culture, but
the openness and distributed nature of the environment also make it vulnerable to external
and internal attacks, and attackers have exploited this. Thus, security is an
intrinsic issue that has to be addressed with the high-tech equivalent of locks and bolts.
2) Mobility
The mobility paradigm of “anywhere, anytime communications” was the driving force
behind the huge success of cellular telephony. Today we have wireless access to the
Internet, another open environment carrying confidential information. In this case
security is a real issue and end-to-end solutions are required for mobile professionals
and technicians as well as employees working from home.
3) Ecosystems and outsourcing
Currently enterprises focus on core competences, peripheral activities being provided
by partners, e.g. manufacturing, call centers, or IT. This means that there is a complex
flow of information around the ecosystem, i.e. the partners, suppliers, and customers.
Thus, there are more doors that need to be secured against the bad guys without
blocking access to authorized third parties.
4) The need for speed
Many companies operate their businesses around the clock and around the world.
They are “competing in time”, i.e. in a global market the ability to conduct business
in real time is not only a key differentiator, it may represent the difference between
success and failure. This underlines the importance of delay-free business processes
(the key factor of the so-called Real-Time Enterprise (RTE)), so delays caused by
security breaches and the resulting loss of business continuity are unacceptable.
5) External regulations (legal, governmental or liability)
Regulations enacted to prevent the financial consequences of attacks, terrorism, or
dubious corporate practices have received widespread attention and media coverage.
This has led to the need for improved confidentiality generally and for best-of-breed
security solutions, as well as secure and transparent management processes.
Due to the need to run their communications and business processes round the clock
(24 x 7), many companies have made considerable investments in high-availability
(e.g. five-nines, 99.999%) systems. Their value, however, is seriously reduced if a security
breach brings them down for several hours or, even worse, a few days. It is therefore
abundantly clear why security has moved to the top of CIO agendas (#2 of CIO business
priorities and #1 of CIO technical priorities, according to Gartner, Nov 2003).
There is no doubt that the time to act for any enterprise relying on IP communications
is now. Waiting is the worst option.
Creating a security strategy is a challenge since there are numerous unknowns. Expect
the unexpected! You do not know what type of attack to expect, the probability of an
attack, when it will happen, or the financial consequences. It is therefore very hard to
quantify the ROI of security solutions. Moreover, security is a moving target: like it or
not, we are in a fast and permanent race between threats and prevention. Another
factor is the dissemination of fear and uncertainty by the media, particularly Internet
news feeds. This means that the development of a robust security strategy requires a
combination of expertise and experience, and security experts may not be part of
your IT resources. Outsourcing your security requirements is therefore an option
that deserves careful consideration.
The following statistics indicate the importance of security:
Estimates of the cost of security breaches in 2003 worldwide amount to tens
of billions of dollars. Other statistics that will resonate with IT managers
(source: IT-Security 2003, InformationWeek) include:
Cost of violations of information security in the USA:
more than $100,000: 10% of companies
$10,000 to $100,000: 17% of companies
Note that many security breaches are not publicly reported, so in reality the
cost is considerably higher.
Downtime of servers, applications, and networks in the USA due to security
violations:
more than 3 days: 7%
1 to 3 days: 10%
8 to 24 hours: 21%
The race has started but the information and communications industry has not been
idle. A number of important security standards have matured and have been or are
being incorporated into products and systems. This is good news. In the meantime
vendors have developed many proprietary solutions. Altogether this means that one is
initially confronted with a confusing list of acronyms and terms, and a zoo of available
security methods and tools.
Real-time communication concerns
As mentioned in the introduction, real-time communications have to be secured against
the kind of issues that are usually associated with data applications and services. Today
there are countless potential attackers who know how to attack a data network, its
computers and business applications. Sometimes they are young people who simply
“have fun” while using a trial and error method to crack into a system.
In the past, telephony security was a minor issue. Circuit-switched systems could be
threatened by fraud, theft of service, unauthorized use of modems, line interception,
and dial-in administration access, but all in all the problem was under the control of the
vendors: apart from administration access, the danger was largely restricted to
attackers such as fraudulent employees, criminals, secret service agents, and so on.
They had to break into PBX equipment rooms or cable cabinets and use
specialized equipment. Telephone security was not a widespread problem because
PBXs were proprietary, closed systems.
Everything changes with converged communications, when voice and data employ
the same protocol and the same network. In this case, telephony becomes
a real-time IP application that is similar to an IT application. IP PBXs are open systems
typically running MS Windows or Linux, which means that a data-centric attack could
bring the telephone system down, which is very serious. We accept, indeed have to
expect, that data networks fail from time to time, while many PBXs and the public
network have that famous five-nines (99.999%) uptime record.
Converged IP PBXs are robust platforms that employ traditional circuit-switched telephony
as well as packet-switched VoIP (Voice over IP). Regular phones are connected to the
circuit-switched side and IP phones to the other. The early business case for converged
platforms, which is still valid, was the ease with which they allow IP communications
to be introduced into corporate environments; they facilitated migration and were
less disruptive than the fork-lift alternative. Today, many customers see converged
IP PBXs as a longer-term option, since in case of disruption on the IP side the regular
phones continue to work internally and externally over the PSTN. Underpinning this,
there have been several well-publicized examples of large sites where native IP PBXs
were fork-lifted out and replaced by converged platforms.
How security can be compromised
VoIP is a service on a shared data-centric IP network; it can be accessed by users on
the LAN and, directly or indirectly, by mobile users or teleworkers. VoIP signaling
(the method used to control call setup) uses well-known IP ports, just like many IT
applications (e.g. UDP/TCP port 5060 for SIP and TCP port 1720 for H.323 call signaling),
whereas the ports for the voice payload (RTP) are negotiated dynamically for each call
during signaling. This makes telephony systems more vulnerable, and it means that a
conventional firewall cannot simply be configured with a static list of open ports: it must
either inspect the signaling and open the negotiated media ports for the duration of the
call, or leave a wide port range permanently open. Telephony systems can and should
be protected using data-type mechanisms, but some attacks require VoIP-specific measures.
The convergence of data and voice security is illustrated in fig. 1. The most important
threats to VoIP systems and their remedies are as follows:
Unauthorized access to systems
Unauthorized access may be local or remote. This fundamental issue is addressed using
various security mechanisms. VoIP users and their devices must be authenticated and
authorized, e.g. using the IEEE 802.1X standard for port-based access control on layer 2.
Remote access should only be allowed over a VPN or with strong authentication. In
addition, firewalls and/or a PKI (Public Key Infrastructure) should be employed. A PKI
issues X.509 certificates that bind an identity to a public key; these certificates are the
basis for certificate-based authentication of users, devices and servers, for encrypted
sessions (e.g. TLS) and for digitally signed documents and messages.
Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) can be used
to recognize or prevent intrusions by identifying unusual traffic patterns.
Interception/Eavesdropping
The term indicates that the attacker is located between the two end points of a
communications link, intending to monitor, record or even manipulate the data stream.
In some cases the attacker might try to take complete control of the link, hence the
term “connection hijacking”, also known as the “man in the middle” manipulation threat.
Interception is addressed first of all by exploiting all network security features, then
by higher-layer encryption, e.g. using SRTP (Secure Real-time Transport Protocol) for
the voice/video payload and TLS (Transport Layer Security) for signaling protection, for both
the SIP and H.323 VoIP standards. Note that SRTP protects only the media stream, and
its keys are typically exchanged within the signaling, so unprotected signaling also
exposes the media keys; signaling and payload protection therefore belong together.
WLAN security has been addressed by the IEEE 802.11i standard. Traffic over VPNs
(Virtual Private Networks) will normally be encrypted using IPsec or SSL. Note that
SSL VPNs, which typically tunnel traffic over TCP, are not recommended for delay-sensitive
applications like VoIP: a single lost packet stalls the whole tunnel until TCP retransmits
it, a delay far longer than a voice stream tolerates. Network equipment such as routers
and switches should also be hardened in order to prevent ARP (Address Resolution
Protocol) spoofing, by which an attacker on the LAN redirects voice traffic through his
own machine; switch features such as port security, DHCP snooping and dynamic ARP
inspection, static ARP entries for the IP PBX and the default gateway, and monitoring
of ARP traffic for changed IP-to-MAC bindings all help here.
Figure 1. Security in a voice-data convergence scenario. (The figure contrasts yesterday,
with separate voice networks and data networks and few interfaces; today, with the IP PBX
on the LAN and some interfaces; and tomorrow, with multimedia applications and networks.
Threats listed on the data side: spoofing, Denial of Service (DoS), sniffing, hacking, virus,
worm etc. Threats listed on the voice side: interception/eavesdropping, unauthorized
access, fraud, risk of outage/DoS, manipulation.)
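As an added illustration of the ARP spoofing point above (example code written for this edit, not part of the Siemens paper or any HiPath product), the following monitor tracks the IP-to-MAC bindings announced in ARP replies and flags a reply that contradicts a static binding for a critical host or changes a binding learned earlier. The class and function names (ArpReply, ArpMonitor, run_monitor), the addresses and the sample replies are all constructed for the example; a real deployment would feed it from a packet capture or from the switch’s ARP table.

```python
# Added example: ARP spoofing detection by IP-to-MAC binding tracking.
# Not from the Siemens paper; addresses and events below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    ts: float           # seconds since capture start


@dataclass
class ArpMonitor:
    # Static bindings for hosts whose impersonation is most damaging
    # (default gateway, IP PBX). Any deviation is flagged immediately.
    static: Dict[str, str] = field(default_factory=dict)
    # Bindings learned from the first reply seen for each other IP.
    learned: Dict[str, str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def observe(self, r: ArpReply) -> bool:
        """Return True if the reply contradicts a known binding (possible spoofing)."""
        mac = r.sender_mac.lower()
        expected = self.static.get(r.sender_ip)
        if expected is not None:
            if mac != expected.lower():
                self.alerts.append(
                    f"t={r.ts:.1f}s static binding violated: {r.sender_ip} "
                    f"claimed by {mac}, expected {expected.lower()}")
                return True
            return False
        prev = self.learned.get(r.sender_ip)
        if prev is None:
            self.learned[r.sender_ip] = mac      # first sighting: learn it
            return False
        if prev != mac:
            # Keep the original binding: a flood of forged replies must not
            # re-train the monitor into trusting the attacker's MAC.
            self.alerts.append(
                f"t={r.ts:.1f}s binding change: {r.sender_ip} moved from {prev} to {mac}")
            return True
        return False


def run_monitor(replies: List[ArpReply],
                static: Dict[str, str]) -> Tuple[ArpMonitor, List[ArpReply]]:
    """Feed all replies through a fresh monitor; return it and the flagged replies."""
    mon = ArpMonitor(static=static)
    flagged = [r for r in replies if mon.observe(r)]
    return mon, flagged


# Constructed sample: 10.0.1.1 is the default gateway, .20/.30 are IP phones,
# de:ad:be:ef:00:01 is an attacker trying to insert itself between them.
STATIC_BINDINGS = {"10.0.1.1": "00:aa:bb:cc:dd:01"}
SAMPLE_REPLIES = [
    ArpReply("10.0.1.1", "00:aa:bb:cc:dd:01", 0.0),
    ArpReply("10.0.1.20", "00:11:22:33:44:20", 1.0),
    ArpReply("10.0.1.30", "00:11:22:33:44:30", 2.0),
    ArpReply("10.0.1.1", "de:ad:be:ef:00:01", 5.0),    # forged gateway reply
    ArpReply("10.0.1.20", "de:ad:be:ef:00:01", 5.1),   # forged phone reply
    ArpReply("10.0.1.20", "00:11:22:33:44:20", 6.0),   # genuine phone again
]

if __name__ == "__main__":
    mon, flagged = run_monitor(SAMPLE_REPLIES, STATIC_BINDINGS)
    for a in mon.alerts:
        print(a)
```

The monitor deliberately never overwrites a learned binding: dynamic ARP inspection on a switch works the same way, checking each reply against a trusted table instead of trusting the most recent announcement.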
Fraud
Toll fraud is unauthorized access that makes use of resources without paying for them.
Remedies include authentication of users and devices, accounting and non-repudiation
mechanisms (e.g. call detail records tied to authenticated identities) as proof of service
usage, IDS/IPS-style monitoring of call patterns so that abuse is detected early, and
separation of the telephony systems from the local data network by firewalls.
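The call-pattern monitoring mentioned above can be run over the call detail records the PBX already produces. The following is an added example written for this edit, not code from the Siemens paper or a HiPath product: three simple toll-fraud rules (international calls after hours, calls to premium-rate prefixes, and a burst of international calls from one extension) applied to a constructed CDR format. The CDR layout, the home country code, the prefix list, the business hours and the thresholds are assumptions chosen for the illustration.

```python
# Added example: toll-fraud detection over call detail records (CDRs).
# Not from the Siemens paper; CDR format, thresholds and sample data are
# constructed for the illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

HOME_CC = "+49"                      # assumption: home country code of the PBX
RISKY_PREFIXES = ("+1900", "+4490")  # assumption: premium-rate ranges to watch
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59; anything else is after hours
VELOCITY_LIMIT = 3                   # this many international calls ...
VELOCITY_WINDOW = timedelta(minutes=30)  # ... within this window trips an alert

Alert = Tuple[datetime, str, str, str]   # (time, extension, rule, detail)


def parse_cdr(line: str) -> dict:
    """Parse one constructed CDR line: ISO timestamp, then key=value pairs."""
    ts, *pairs = line.strip().split(",")
    f = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "ext": f["ext"],
            "dest": f["dest"], "dur": int(f["dur"])}


def analyze(lines: List[str]) -> List[Alert]:
    """Run the fraud rules over CDRs (assumed to be in chronological order)."""
    alerts: List[Alert] = []
    recent_intl: Dict[str, deque] = defaultdict(deque)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        c = parse_cdr(line)
        intl = not c["dest"].startswith(HOME_CC)
        if intl and c["ts"].hour not in BUSINESS_HOURS:
            alerts.append((c["ts"], c["ext"], "AFTER_HOURS_INTL", c["dest"]))
        if c["dest"].startswith(RISKY_PREFIXES):
            alerts.append((c["ts"], c["ext"], "HIGH_RISK_PREFIX", c["dest"]))
        if intl:
            q = recent_intl[c["ext"]]
            q.append(c["ts"])
            while q and c["ts"] - q[0] > VELOCITY_WINDOW:
                q.popleft()
            if len(q) == VELOCITY_LIMIT:      # fire once when the limit is reached
                alerts.append((c["ts"], c["ext"], "VELOCITY",
                               f"{len(q)} international calls within {VELOCITY_WINDOW}"))
    return alerts


def extensions_flagged(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per extension, for the operator's triage list."""
    counts: Dict[str, int] = defaultdict(int)
    for _, ext, _, _ in alerts:
        counts[ext] += 1
    return dict(counts)


# Constructed CDRs: one normal user (2417), one abused extension (3302)
# dialling a foreign range late at night, and one premium-rate call (1105).
SAMPLE_CDRS = [
    "2004-11-03T09:15:00,ext=2417,dest=+4989123456,dur=120,route=trunk1",
    "2004-11-03T10:02:00,ext=2417,dest=+14155551212,dur=300,route=trunk1",
    "2004-11-03T23:40:10,ext=3302,dest=+2348012345678,dur=540,route=trunk1",
    "2004-11-03T23:45:33,ext=3302,dest=+2348012345679,dur=610,route=trunk1",
    "2004-11-03T23:52:08,ext=3302,dest=+2348012345680,dur=590,route=trunk1",
    "2004-11-04T11:30:00,ext=1105,dest=+19005551234,dur=45,route=trunk1",
]

if __name__ == "__main__":
    for ts, ext, rule, detail in analyze(SAMPLE_CDRS):
        print(f"{ts:%Y-%m-%d %H:%M} ext {ext}: {rule} ({detail})")
```

On the sample data the rules flag extension 3302 four times (three after-hours international calls plus the velocity rule) and 1105 once; the normal user is not flagged. In practice the records would come from the PBX accounting feed and the alerts would go to the same event-driven security management that handles the IT side.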
Denial of service
Denial of Service covers actions and events that prevent systems from providing agreed
levels of service to authorized users. A “load-based DoS” involves bombarding a server
with millions of requests, e.g. floods of SIP INVITE or REGISTER messages. A “malformed
request DoS” is a specially crafted protocol request that exploits a vulnerable area, e.g.
in the protocol parser or the operating system, so that a single message can crash or
hang the service. Both attacks impact the availability of resources and could lead to
degraded Quality of Service (QoS). Remedies include using hardened network components
and implementing measures within the protocol engine of the targeted application, such
as strict parsing that rejects malformed messages and per-source rate limiting that is
applied before any expensive processing. Furthermore, IDS/IPS could be deployed to
detect and react upon DoS attacks.
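The two DoS classes above and the port handling described at the start of this section (well-known signaling ports, dynamically negotiated media ports) meet in the protocol engine of a SIP-aware firewall or proxy. The following is an added example written for this edit, not code from the Siemens paper or any HiPath product: a strict SIP request parser that rejects malformed messages instead of guessing, an extractor for the RTP port offered in the SDP body (the port an application-layer gateway would open as a pinhole for the call), and a per-source sliding-window rate limit applied before any parsing so that floods are dropped cheaply. The function names, the size limits, the rate-limit values, the addresses and the INVITE itself are constructed for the example.

```python
# Added example: SIP protocol-engine hardening (strict parsing, SDP media
# port extraction, per-source rate limiting). Not from the Siemens paper;
# limits, addresses and messages are constructed.
import re
from collections import defaultdict, deque
from typing import Dict, Optional, Tuple

MAX_HEADER_LINE = 1024   # assumption: longest header line accepted
MAX_HEADERS = 64         # assumption: most header lines accepted
MAX_BODY = 4096          # assumption: largest body accepted
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")
REQUEST_LINE = re.compile(r"^(INVITE|ACK|BYE|CANCEL|OPTIONS|REGISTER) (sips?:\S+) SIP/2\.0$")
MEDIA_LINE = re.compile(r"^m=audio (\d{1,5}) RTP/S?AVP\b")


class Malformed(Exception):
    """Raised for any message the strict parser will not accept."""


def parse_sip(raw: bytes) -> dict:
    """Parse a SIP request strictly; raise Malformed rather than guess."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise Malformed("non-ASCII bytes in message")
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        raise Malformed("missing CRLFCRLF between headers and body")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise Malformed("bad request line")
    if len(lines) - 1 > MAX_HEADERS:
        raise Malformed("too many headers")
    headers: Dict[str, str] = {}
    for ln in lines[1:]:
        if len(ln) > MAX_HEADER_LINE or ":" not in ln:
            raise Malformed("bad header line")
        name, value = ln.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    for h in REQUIRED_HEADERS:
        if h not in headers:
            raise Malformed(f"missing {h} header")
    try:
        declared = int(headers.get("content-length", str(len(body))))
    except ValueError:
        raise Malformed("non-numeric Content-Length")
    # The body is ASCII here, so character count equals byte count.
    if declared != len(body) or declared > MAX_BODY:
        raise Malformed(f"Content-Length {declared} does not match body of {len(body)} bytes")
    return {"method": m.group(1), "uri": m.group(2), "headers": headers, "body": body}


def negotiated_rtp_port(sdp: str) -> Optional[int]:
    """Return the audio RTP port offered in the SDP, or None if there is none."""
    for ln in sdp.split("\r\n"):
        mm = MEDIA_LINE.match(ln)
        if mm:
            port = int(mm.group(1))
            if not 1024 <= port <= 65535:     # assumption: policy range for media
                raise Malformed(f"media port {port} outside allowed range")
            return port
    return None


class RateLimiter:
    """Sliding window: at most `limit` requests per source within `window` seconds."""
    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self.hits: Dict[str, deque] = defaultdict(deque)

    def allow(self, src: str, now: float) -> bool:
        q = self.hits[src]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) <= self.limit


def handle(raw: bytes, src: str, now: float, limiter: RateLimiter) -> Tuple[str, object]:
    """Protocol-engine front door: drop floods, reject malformed, else accept."""
    if not limiter.allow(src, now):
        return ("drop", "rate limit exceeded")          # no parsing spent on floods
    try:
        req = parse_sip(raw)
        port = None
        if req["headers"].get("content-type") == "application/sdp":
            port = negotiated_rtp_port(req["body"])
    except Malformed as e:
        return ("reject", str(e))
    return ("accept", port)


def build_invite(lie_about_length: Optional[int] = None) -> bytes:
    """Constructed INVITE with an SDP offer; optionally forge Content-Length."""
    body = ("v=0\r\no=- 0 0 IN IP4 10.0.1.20\r\ns=-\r\nc=IN IP4 10.0.1.20\r\n"
            "t=0 0\r\nm=audio 16384 RTP/AVP 0 8\r\n")
    length = len(body) if lie_about_length is None else lie_about_length
    head = ("INVITE sip:2417@pbx.example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 10.0.1.20:5060;branch=z9hG4bK776\r\n"
            "From: <sip:3302@pbx.example.com>;tag=1928\r\n"
            "To: <sip:2417@pbx.example.com>\r\n"
            "Call-ID: a84b4c76e66710@10.0.1.20\r\n"
            "CSeq: 1 INVITE\r\n"
            "Content-Type: application/sdp\r\n"
            f"Content-Length: {length}\r\n")
    return (head + "\r\n" + body).encode("ascii")


if __name__ == "__main__":
    limiter = RateLimiter(limit=5, window=1.0)
    print(handle(build_invite(), "10.0.1.20", 0.0, limiter))       # ('accept', 16384)
    print(handle(build_invite(4000), "10.0.1.20", 0.1, limiter))   # ('reject', ...)
    for i in range(8):                                             # flood from one source
        print(handle(build_invite(), "10.0.1.99", 1.0 + i * 0.01, limiter)[0])
```

The order of the checks is the point: the rate limiter runs on nothing more than the source address and a timestamp, so a load-based flood costs almost nothing per packet, while the parser refuses anything it cannot account for (wrong line endings, oversized headers, a Content-Length that does not match the body) before any application logic sees the message.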
Manipulation
This is unauthorized modification of information (including program code), typically
caused by computer viruses and worms. Remedies include: firewalls, PKI, IDS/IPS,
antivirus software, access controls and integrity protection of data.
Protocol attack
A protocol attack exploits a vulnerability in the implementation of VoIP protocols such as
SIP or H.323, typically by sending messages that deviate from the specification. VoIP
vendors have to provide robust, secure protocol implementations that have been tested
against such inputs.
Spam
Spam (unsolicited messages) can be used as a vehicle to transfer viruses to recipients
or may block resources resulting in a lower Quality of Service.
Identifying vulnerable areas
The following areas of a complete IP telephony system might be vulnerable: first, the
IP PBXs themselves, since they play a business-critical role; and second, the IP network.
Critical areas of an IP PBX are: the communications platform, the applications and their
application platform, the client devices, and the management software.
Communications platform: the main target of attackers is the operating system. An
attack will typically originate on regular computer servers, i.e. the initial target may
be on the data side. Other attacks may be DoS and protocol attacks, attacks via remote
access (often at administrator level), etc. In addition, access points and gateways are
vulnerable, and the remedy is similar to that for communications platforms.
Application platform and applications: critical vulnerabilities of real-time
applications include interception of a voice mailbox, abuse of the service by registration
hijacking or toll fraud, and manipulation of statistics or accounting data. Note that the
application platform of an IP softswitch might include mission-critical IT middleware
components like databases or directories.
Clients: IP hard- and softphones should be hardened to make sure that data, voice
streams and authentication credentials cannot be accessed or altered by unauthorized
parties. The obvious objective is to retain baseline telephony in case of an attack.
Communications protocols must be secured, e.g. employ TLS for HTTP, LDAP and signaling,
SRTP for bearer encryption, and replace FTP with alternatives like SFTP (file transfer
over SSH) or FTPS. When SRTP is implemented in both parties’ devices and the media
stream flows directly between them, the result is a secure end-to-end voice/video
connection; where the stream passes through a gateway, conference bridge or transcoder,
it is decrypted there, so such intermediate systems must be protected as well. For
IP phones, authentication on layer 2 using IEEE 802.1X is highly recommended. If the
devices use an industry-standard client OS, as softphones do, then precautions similar
to those for communications platforms should be taken.
Management software: this will normally manage user and administrator rights
and the resources. Thus, local and remote administration access (including logon) must
provide strong authentication, and the traffic must be encrypted. Software distribution
modules must be carefully protected against fraud and manipulation, since a compromised
distribution server can push tampered firmware or configuration to every phone it serves.
Last but not least, the IP network infrastructure needs to be secure. Network devices
such as routers and switches have to be protected anyway. Note that Siemens HiPath
Systems are basically network vendor-independent, i.e. they can use the network
infrastructure of all major vendors.
HiPath Security Strategy
Siemens Communications is playing a leading role, possibly the leading role, in the big
convergence picture. Our IP Communication Systems and real-time, presence-aware
applications set the enterprise communications and security bar. We have defined
security as one of the most important preconditions for customers to reach their real-
time IP communication objectives like efficiency, productivity and mobility.
Siemens is also a very experienced vendor of IT security solutions and services. Many
of the mechanisms employed for real-time IP communication are based on proven IT
technologies and practices. The company is therefore able to combine these two core
competences and offer best-in-class solutions for real-time communications.
The company’s security objectives are:
¢ to be proactive
¢ to deliver best-in-class secured HiPath products
¢ to improve security management process and organization in order to optimize
HiPath Security regarding short reaction times to security alerts and quality
¢ to offer a comprehensive suite of security solutions and services.
Our security portfolio includes the following segments and demonstrates that Siemens
is a highly qualified one-stop security shop (Fig. 2):
¢ secured HiPath products by built-in security features
¢ HiPath security solutions to enable customers to customize their security policies
and systems, e.g. employ complementary solutions
¢ HiPath Security Services, to help customers build up and maintain a secure business
environment. We also share internal security experiences with our customers.
Figure 2. Portfolio for protecting and enabling the enterprise.
Security-enabled HiPath Products
Security Policy
The HiPath Security Policy is a set of rules to ensure on-going security improvements
of HiPath products and solutions. The policy includes: defined common security
requirements across the entire portfolio; a security monitoring and patching process;
positioning of security as an integral part of the product development process; and
the distribution of security information. The monitoring and patching process receives
security alerts from, e.g. customers, vendors and security monitoring bodies like CERT
(Computer Emergency Response Team). A customer interface to the monitoring process
provides fast security alerting between customers and Siemens. An inter-departmental
process-driven organization has taken the responsibility for policy execution.
The combination of a robust policy and the virtual organization means that Siemens
can anticipate and prevent security threats quickly, reliably and consistently.
Security-enabled HiPath Products
Security is built into all relevant building blocks of IP-enabled HiPath systems and is
still an ongoing process in order to provide:
¢ secure HiPath Communication Platforms including HiPath Gateways
¢ secure HiPath IP Phones and IP Softphones
¢ secure HiPath Applications
¢ secure HiPath MetaManagement.
Security measures implemented in HiPath products include:
¢ all new HiPath products and new HiPath product versions go through a security
enabling program
¢ proactive consideration of cross-product security requirements in an early phase
of the product development cycle, for example:
  – protection against viruses, worms and DoS attacks, i.e. hardening of HiPath
  products
  – protection against illegal use of resources, misconfiguration, and interception,
  e.g. avoiding clear-text protocols like Telnet and FTP; securing passwords used
  for log-ins or transmissions; prevention of call charge fraud; voice
  encryption
  – securing of protocol implementations
¢ security certification by a quasi-neutral Siemens body
¢ software updates in case of actual critical vulnerabilities
¢ adoption of relevant security standards.
The portfolio of built-in security functions in HiPath products will include:
¢ hardened HiPath Platforms
¢ support of payload encryption using SRTP and signaling encryption using TLS in
the most important gateways and IP phones
¢ support of IEEE 802.1X authentication in IP hard- and softphones
¢ H.235 Annex D (Baseline Security Profile) for authentication of IP phones
and message integrity of the signaling messages
¢ VPN support based on IPsec by selected gateways for IP trunking and by selected
IP softphones
¢ HiPath Applications: authenticated administrator/user access, encrypted storage
and transfer of sensitive data, and usage of secure protocols of relevant security
standards
¢ OpenScape: Kerberos-based user authentication, presence notifications and instant
messaging restricted to closed user groups, SIP signaling and instant messaging
encryption using TLS, and payload encryption for IP phones using SRTP
¢ HiPath MetaManagement: authenticated and encrypted administrator access, e.g.
secured browser-based remote access, and secure management protocols
¢ HiPath Deployment Service (DLS), offering software upgrading of clients, is protected
by access control using passwords and HTTPS encryption of software downloads
¢ support of WLAN security as mentioned below.
WLANs are being increasingly used for real-time communications and can be seen
as a natural extension of a wireline HiPath network. Details on the company’s WLAN
solution can be found in the white paper “Enterprise-grade Voice over Wireless LAN”.
WLANs continue to be perceived as insecure for reasons that are mainly historic, e.g.
the original security mechanism (WEP) was weak and access points shipped with it
turned off. The reason is simple: they were not designed for the task they ended up
performing. This issue is addressed by the new security standard IEEE 802.11i, which
was ratified in June 2004, and standard-compliant access points can be expected in late
2004. This is a very positive development; however, access points that were installed
before this date will remain insecure if they are only protected by WEP, whose flawed
use of RC4 allows the key to be recovered from captured traffic. There is a pre-standard
security protocol known as WPA (Wi-Fi Protected Access) that includes 802.1X
authentication and per-packet keying (TKIP), and this is generally considered to be
robust. Two caveats apply: WPA in pre-shared-key mode is only as strong as the
passphrase, since the handshake can be captured and attacked offline, and TKIP was
designed as an interim measure for WEP-era hardware, so the full 802.11i (WPA2)
protection with CCMP/AES should be used wherever the equipment supports it.
HiPath Security Solutions
Siemens’ comprehensive portfolio of dedicated security solutions and products
addresses IT and communication security concerns as well as physical access, and is
independent of the network vendor. This flexibility has facilitated vertical solutions in
several areas, e.g. in healthcare, education and government.
The portfolio (see Fig. 3) is a comprehensive array of solutions under the umbrella
name “HiPath SIcurity”:
¢ Network and Systems Security Solutions based on various building blocks like
fi rewalls, virtual private networks (VPNs), and antivirus components
¢ Solutions based on smart cards. These are used to control access to systems and
networks as well as buildings, departments and rooms. They include single sign-on,
smart-card production, smart card device operating system, etc. The solutions can
be integrated into a Public Key Infrastructure
¢ Solutions for Identity and Access Management. Used to ensure robust control of
users and their privileges. In an Identity Management Solution authorized individuals
receive their access rights at the designated times. An Identity Management System
is required in order to maintain an ID database, assign rights to those IDs, and
authenticate employees and third parties such as business partners when they
access important corporate resources.
Figure 3. Key examples from the HiPath Solutions and Services Portfolio.
HiPath Security Services
There are three reasons why security services are as important as secured products
and security tools. One, this is a relatively new and complex subject that requires
considerable know-how and experience; moreover, the environment is very dynamic,
and new threats arise with unfortunate regularity. Two, a managed outsourced service
brings peace of mind and allows IT management to focus on the enterprise’s core
business. And three, qualified security personnel are scarce, as evidenced by the fact that
60% of North American midsize businesses do not have a dedicated security resource
(Gartner Dataquest, Nov 2003).
Siemens Communications’ Enterprise Security Services are targeted to build and
maintain best-in-class security of customer communications and IT infrastructures by
a complete suite of services from consulting up to managed security services. Siemens
takes advantage of its experience in voice and data networks and IT Management
Services.
The Security Services portfolio includes:
¢ Security Analysis and Consulting: professional services covering IT and real-time
communication security, like security frameworks, security assessments and
designs, risk analysis, ROI analysis, as well as security certification according to
the British/International Security Standard BS 7799/ISO 17799 (Fig. 3)
¢ HiPath product-related security services: professional services for HiPath related
applications and solutions, covering security aspects in every phase of the real-time
communication deployment (consult, design and build)
¢ Managed Security Services, including cyclic security assessment of installed HiPath
Products and Solutions.
Customer strategies and solutions
Siemens has recognized that most enterprises want to define and implement their
own security policies and solutions. They want modular solutions, enabling them to
adapt real-time IP communication to their own existing security strategy. To date, there
are still many enterprises that have not started to include real-time communication.
However, they have become increasingly aware that earlier security issues were
addressed individually and this resulted in a set of ‘island’ solutions. This approach
cannot handle the increasing variety of threats, and a proactive and holistic strategy
is required. Enterprises have to take the lead in the race between security threats
and security prevention. A recent message from Gerhard Eschelbeck, Qualys Inc., at
the Black Hat conference, Las Vegas, July 2004, says that companies are typically taking
62 days (!) to patch internal vulnerabilities and are still struggling to protect systems
against external attacks.
To build an efficient and effective security strategy companies need to
1) take a holistic view; define security as a cross-organizational task
2) identify all potential threats and understand the prevention mechanisms.
Recognize that people are often the weakest link in the security chain
3) start with a careful risk analysis and a definition of security requirements
4) make a systematic evaluation of existing security solutions
5) define a robust security policy (including rules, risk vs. investment, security
management processes, etc.)
6) create a realistic plan for securing the network infrastructure (needed anyway
for IT security). Consider network design opportunities (e.g. VLAN separation
of voice and data, which keeps a compromised PC out of the voice segment at
layer 2 provided that routing between the VLANs is filtered) and the deployment
of converged IP/TDM platforms
7) evaluate the merits of different VoIP scenarios, e.g. campus VoIP, trunking,
IP-WAN and Internet Service Provider-supplied links, WLAN
8) leverage existing IT security know-how
9) evaluate offers of vendors with extensive, hands-on experience like Siemens
10) check the building blocks of the proposed solution; are they “security-certified”;
how were they tested?
11) establish event-driven security management (if not already in place for IT
security)
12) improve security mindshare throughout the enterprise and communicate the
impact of failure to comply with corporate policy
13) define worst-case scenarios and be prepared for the worst to happen
14) don’t lean back! Recognize the ongoing race between threats and prevention
Do it! Your enemy will not waste any time! Will you?
The holistic view mentioned above should include a “layered security architecture” model.
It is a technical strategy of protection by layered rings of defense perimeters, with
different measures placed at each level of the system. An example is given on the title
page (many attacks may be thwarted at the outer ring, but inner rings may also thwart
attacks from the outside and the inside):
1) Real-time IP communication, being the core object to be secured
2) Applications layer: includes the application entities to be secured, like real-time
IP communication applications, messaging, or IT application programs
3) Resources layer: includes PBX systems incl. PBX management, operating systems,
network infrastructure, clients
4) Security & access management layer: controls/enables the data traffic to resources
and applications, using, e.g., firewalls, intrusion detection or prevention systems,
smart-card applications, single sign-on, VPN
5) Perimeter layer: contains infrastructures controlled by other parties, e.g. service
provider domains with VPNs
6) Customer & partner layer: includes domains of customers and business partners
involved in common business processes, who must spend additional effort to
protect processes, applications, or resources.
Conclusions
Security is today’s #1 information & communication issue and mandatory for business
continuity. Attacks are growing rapidly in number and they are becoming increasingly
sophisticated. They exploit many of the developments that have given us a dynamic
business environment, e.g. open systems, wireless communications, a mobile workforce
and outsourcing. But holistic security solutions that keep the bad guys out and let
the good guys in are even more sophisticated, i.e. they work. However, security is an
ongoing issue, so constant vigilance is required and the security solutions must be
maintained continuously.
The need for comprehensive, holistic security is relatively new, and any meaningful
solution must be holistic since the whole I & C spectrum is open to attack. The inevitable
result is a shortage of security expertise within many if not most organizations.
Expertise cannot be acquired by closing doors after an attack has been made: by then
it is too late. Thus, there is a very real need for informed, objective, in-depth analysis
and solution competence from companies such as Siemens.
The company’s expertise covers that I & C spectrum, and in the area of real-time
communications we are market leader. In addition, Siemens has merged two large
communications divisions into one, a move that will ensure that the company continues
to offer and deliver best-in-class security solutions and services in the convergence
space, i.e. real-time communications and IT as well as fixed-mobile convergence.
Acronyms used in this paper
DoS Denial of Service
I & C Information and Communication
IDS Intrusion Detection System
IPS Intrusion Prevention System
IPsec IP Security (protocol suite)
OS Operating system
Phishing (= password fishing), a threat by fraudulent emails
PKI Public Key Infrastructure
PSTN Public Switched Telephone Network
ROI Return on Investment
SIP Session Initiation Protocol
Spam undesired email. Not a dedicated security threat, but emails can be used as
a vehicle to transfer viruses to recipients
SRTP Secure Real-time Transport Protocol
SSL Secure Sockets Layer
TLS Transport Layer Security
VPN Virtual Private Network
WEP Wired Equivalent Privacy
WLAN Wireless LAN
WPA Wi-Fi Protected Access
© Siemens AG 2004 • Communications • Hofmannstr. 51 • D-81359 München
The information provided in this white paper contains merely general descriptions or characteristics of performance which in case of
actual use do not always apply as described or which may change as a result of further development of the products. An obligation
to provide the respective characteristics shall only exist if expressly agreed in the terms of the contract. Availability and technical
specifications are subject to change without notice. Printed in Germany.