Recently, Cisco announced that Cisco Unified CallManager (CUCM) and Cisco Unified Presence Server (CUPS) are vulnerable to attack. CUCM can be made to crash via attack traffic aimed at particular ports. Both CUCM and CUPS can be flooded with ICMP Echo Requests; the resultant barrage of pings could effectively crash the servers.
CallManager servers are used to process VoIP calls—taking them down would have a significant impact on a company’s ability to communicate. And even if affected servers were only to lose select feature capabilities, as is more likely with the ping-flood threat, there would still be a significant loss in end-user productivity (both because users couldn’t access those features and because they would start a flood of their own by pinging tech support to find out what the heck is going on).
I must say, neither vulnerability surprises me—indeed, I expect to see many more such problems in the months and years to come, as companies double down on their VoIP and UC deployments. That, of course, could pose a significant problem for IT managers, who now have to worry about securing all their communications applications on an IP network, and from multiple types of attacks. If you think e-mail viruses and spam are bad…
Indeed, if you thought network security was important before, you better bet it’s even more critical today. When a company’s entire communications infrastructure (voice, chat, presence, video and collaboration) runs on a single IP network, the point of failure is large and enticing. No wonder Interop feels like a security show these days, rather than a networking one (hey—just check out the list of exhibitors to see what I mean).
There’s another security issue to worry about, too: compliance. Today, most companies are taking proactive measures to log and archive e-mail messages, and at least those in regulated industries do the same for IM (other companies should, too, but they don’t). But what about Web conferencing or collaboration sessions? Wikis? How about all those voice calls that are, effectively, just a bunch of data packets traveling across the network? Do they need to be logged and archived as well?
The answers aren’t clear—the typical response I get from IT executives when I ask that is “I sure hope not!”—but the questions are valid. Are you prepared?