Security — a reseller’s selling point

VoIP security can’t be an afterthought

THERE ARE RESELLERS STILL relying on their end customer’s internal security infrastructure during an IP telephony integration. Chances are neither the reseller and the end customer see the potential threats.

However, industry experts believe converged network security isn’t something to be added after the fact — the need to protect the end-user’s mission-critical communications systems and business applications should be considered from the very start of the resellers converged network planning. At the same time, it’s not enough to simply protect the network from external threats. With more and more employees using IP softphones, converged network security has to enable protection of these assets from within the network as well.

Defining VoIP
VoIP is often referred to as IP telephony because it uses the latest innovations with the popular and familiar IP protocols to make possible enhanced voice communication throughout the enterprise. IP networking supports corporate, private, public, cable and even wireless networks. IP telephony unites an organisation over many locations, including mobile workers, into a single converged communications network.

Wayne Smith, director at Queensland-based reseller Comlinx believes clients need to understand their business pain points, highlighting current security challenges with existing infrastructure.

“Gone are the days when a license is stuck on a small PABX or key phone system as the individual license is tied to the CPU of that phone system,” he said. “Virtualisation allows the client to centralise their licenses in one location, so they can distribute those licenses as and when required across the business.”

Smith said once the reseller sets up the virtualisation, Comlinx then delivers a range of applications out to the end-user, whether that is an Avaya IP/VPN handset, soft client on the end-user’s laptop or S-series Nokia mobile phone.

“For our customers we will also look at introducing WAN acceleration technologies, allowing for the management and acceleration of the IP telephony to now be distributed across the traditional wired or wireless networks with the appropriate security built into many aspects of the Comlinx design,” he said.

Once the client is able to see the business benefit and practical ROI associated with the design, they agree to its value within their organisation. The client will see through the discovery process and questioning the value of virtualisation and its positive impact on their business.

Helping the customer to understand security
According to Smith, it’s then a matter of working with the client to understand the security implications when designing and deploying a converged solution.

“Currently Comlinx works with, what we term a ‘best of breed security partner’. Juniper Networks is able to highlight areas of vulnerability, exposure and will work with the client to mitigate risk in these areas,” said Smith.

Smith said Comlinx takes two approaches in relation to security; firstly it will work with the client’s existing security strategy and align its solution to it; or design and develop a security strategy with the client
to fit the needs of their business.

Be aware
Comlinx believes end-users need to be aware of three key security concepts:

• Vulnerabilities – weaknesses present in a program, network, devise or system.
• Threats – the possible actions or attacks that may take place, particularly in a vulnerable system.
• Incidents – the events that can take place if someone or something successfully damages, disrupts, or steals information from an information system.

“We believe this will help them to understand the importance of a security plan and some of the incidents they may risk if they don’t protect their VOIP network,” Smith said.

He believes the key to selling these solutions is based on aligning the technology with real business outcomes and practical benefits. Gone are the days when you are selling solutions to add boxes to a customer site. The IP solutions become compelling when the customer sees the real tangible benefit of the proposed solution.

Clients are taking a more holistic view of their technology requirements, considering IPTEL, mobility and security in their decision-making process. Clients are no longer looking at their telephony needs in isolation to other core elements of their infrastructure.

The phone is no longer just a phone
Smith said the industry has a mature understanding of security in relation to data and mobility networks and is starting to take an active interest in securing converged networks.

Companies such as Comlinx are taking an active role in working collaboratively with and by educating its existing client base on the dangers of not preparing for securing their voice network, he said.

However there are traditional PABX resellers going into IP telephony without realising the security implications of working with such products.

Tony Warhurst, managing director at VoIP provider ShoreTel said resellers shouldn’t trust an end-user to say everything is fine with their systems.

“Resellers need to do a full security check upfront. They need to be able to tick every box in order to ensure they have checked every aspect of a customer’s infrastructure,” he said. If you don’t have security today then you are going to have problems, maybe not today but somewhere down the line the customer is going to call up and ask why the phone system isn’t working.”

Warhurst said the majority of resellers have no problem with understanding the implications of security during an IP rollout. However, the traditional PABX resellers are still getting their head around it.

“These guys (PABX resellers) are used to just putting in a phone system and handsets. They have never had to worry about security problems, other than someone physically stealing the handsets. They need to get their heads around it,” he said.

Not fast enough
Gavin McDougall, managing director at ISPhone believes PABX resellers also need to quickly get their heads around security in a converged network. However he also said the industry as a whole is still lagging behind when it comes to VoIP security.

“I don’t think that a lot of resellers have seen the security light and I don’t think end-users are aware of any security implications because there has been no event that has triggered a real cry for security in VoIP,” he said.

McDougall said 10 years ago cyber criminals were hacking into people’s computers and everyone was getting worried and crying out that there was a need for security.

“In the VoIP industry we haven’t had that yet and it’s taken for granted. However as more and more resellers investigate that security is more than just an added functionality, some of the risks will become important to them, and they might turn into real experts at providing
a secure network,” said McDougall.

Competitive advantage“I think it is incumbent on people providing VoIP services to educate resellers so they know some of the issues surrounding security in a rollout,” he said. “If they don’t have a background in this then they are going to have issues with their end customer. I think in 95 percent of rollouts there might not be a problem, but it’s the five percent that resellers have to worry about.”

He believes a lot of vendors expect resellers to go out and do IP telephony rollouts without properly equipping them, especially if something goes wrong during an implementation.

“VoIP providers are the ones that have the obligation to provide resellers with the answers to security questions. The obligation is on all of us and its better to have a reseller’s end-user protected than not,” he said.

McDougall said there are many ways things a reseller has to look at before implementing IP telephony. He believes there are a lot of things to put in place, especially when it comes to the architecture of network ports.

“Having an in-depth security knowledge can certainly be a differentiator in such a competitive marketplace. It really gives resellers an advantage when they have the skills and knowledge about IP telephony and security can be a great selling point for them.”

Here’s a start
Getting a grip on security in today’s converged network environment can seem daunting. But the steps a reseller takes are actually similar to those for basic home security: when a reseller thinks about providing security and protection for a family and their possessions. First, they typically create a layer of security that surrounds the house and family, then locks are put on doors and windows; alarms are set to notify them of intruders, and perhaps even a contract with a security firm to respond in case intruders manage to get in. When the family is travelling outside the home, they may provide them with mobile phones so that they can stay in touch with other family members in case of emergencies.

Working within a converged network, security planning means also considering how to secure all the devices and applications that are connected to that network. Resellers need to determine how to secure systems at the operating system level, enable security and encryption features on wireless LAN access points, and encrypt VoIP traffic moving between IP phones and IP PBX systems. Then they may wonder about all the non-IP stuff still in the system. Even though the world is moving towards end-to-end IP networks for all sorts of services, you probably still have connections to the public switched telephone network (PSTN) for long-distance services, and perhaps even inbound and toll-free lines that enable outsiders to access many of your communications systems, especially voicemail systems, audio-conferencing bridges, and fax machines. Just because they’re migrating an old PBX system to a new IP telephony solution doesn’t mean you can stop worrying about things such as theft of service from unauthorised use of network bandwidth, toll fraud, and subscription fraud — in addition to threats of service disruption and privacy issues.

Although this information barely scratches the surface when it comes to securing a converged network, taking this type of knowledge to an end-user will help differentiate a reseller that provides VoIP solutions from a reseller that just sells box products, with no thought of what could happen to their end-user.

“Resellers need to do a full security check upfront.”

“If you don’t have security today then you are going to have problems.”

“I don’t think that a lot of resellers have seen the security light.”