Q&A: How Can You Make Wireless/VoIP Secure?

Both wireless and VoIP have become very popular in the past few years and have made the transition from consumer and niche business use to widespread enterprise adoption. VARs that are certified to sell these technologies can make a lot of money, but as our four industry experts attest, if you’re not addressing your customers’ network security needs, you’re leaving them vulnerable to a host of security threats, not to mention industry compliance infractions. What’s more, you’re missing out on significant upsell opportunities.

Which wireless/VoIP security needs do end users most often address via VAR assistance?

Bill Dunnion: In regards to VoIP, which is an emerging technology, end users rely on VARs for all of their security needs. One key area, however, is firewalls. There are only a handful of VoIP firewalls available that handle the demands of voice traffic on a data network, and it’s up to VARs to find and implement these devices so end users don’t have to choose between security and performance. By using SIP (session initiation protocol)-enabled firewalls such as BorderWare’s SIPassure, VARs can provide customers with QoS (quality of service) and security and save customers a lot of money compared with installing VPN (virtual private network) equipment at every end point.

John Horner: We’ve heard of instances where a VAR bypassed a customer’s firewall in order to optimize QoS. Not long after that, the customer’s voice system got hacked by another company, which made tens of thousands of dollars’ worth of overseas calls at the customer’s expense. Even though the hacker got caught, the time and court fees it took to bring the criminals to justice put a major drain on the customer’s business.

Bill Botti: Securing wireless LANs (WLANs) is another service that end users turn to VARs for help with. VARs need to address their customers’ authorization, authentication, and encryption requirements, which often require special servers, directories, and configuring. We’re also beginning to see NAC (network access control) solutions playing an important role in wireless network security because they take into account which assets [e.g. laptops, PDAs] are trying to get onto the network and where access is taking place. This level of security is driven largely by industry regulations such as Sarbanes-Oxley, section 404, which requires companies to be able to prove they know who is accessing their networks and from which access point.

Which security services offer VARs the best revenue opportunities?

Buck Baker: Network assessments offer VARs the best revenue opportunities — not because of the cost of assessments, but because of the other opportunities they reveal. For example, they could lead to remote monitoring services or security consulting opportunities. Our experience is that end users buy additional products and services from the VAR that performs the network assessment 9 out of 10 times.

Horner: Network assessment/consulting services will bring VARs the most revenue because just about every security solution requires a subscription service to keep it updated. If you buy an appliance that’s configured to stop certain viruses today, it will be outdated within two weeks. VARs earn commissions on the subscriptions that keep security protection current, plus subscriptions give VARs an opportunity to follow up with their customers and provide complementary network assessments on a regular basis. It’s not uncommon for VARs to earn an additional 30% profit over the initial sale of a security appliance or software within the first year as a result of subscription fees and network assessment services. Subscription services become a recurring revenue stream for VARs.

Do VARs need a dedicated security expert on staff to properly solve their customers’ security needs?

Botti: It depends on how security fits into the VAR’s business. If the VAR only occasionally gets involved with security assessments, software, and appliances,  it won’t be able to afford a dedicated security person on staff.

Horner: VARs should consider having a security expert on staff, but they have to be realistic about how to acquire that expertise. Network security knowledge isn’t something that can be attained after a four-day training class. When we look to expand our security base, we try to hire people with at least 10 years of network security experience.

What is the biggest security mistake/oversight you see VARs make?

Botti: VARs have a tendency to get comfortable with what they are used to. Oftentimes, reseller companies are started by salespeople or engineers who are very good at a portion of what it takes to run a successful business, but they’re quick to say, ‘I don’t do that,’ to any new technology or service opportunity that comes along. As a result, they don’t ask the right questions and miss out on the real growth opportunities such as selling security solutions and services.

Dunnion: Not looking at the complete security picture is a major mistake. Security is not just e-mail, it’s not just securing mobile devices, and it’s not just gateways — it’s all of these and more. VARs need to understand and address all of the layers that make up a secure network environment, from the gateway to the desktop and accounting for IM (instant messaging), HTTP, SIP, and wireless traffic.

Baker: VARs should never assume a network is ready for VoIP just because the customer uses a certain vendor’s equipment. VARs should also avoid the other extreme, which is to assume that the customer’s existing routers, switches, and APs (access points) have to be replaced. In many instances, VARs can add a piece of equipment that will make a legacy network VoIP ready. For instance, if a customer has legacy Cisco wireless APs installed, the VAR can add a Bluesocket or Meru wireless controller to enable the QoS necessary to accommodate VoWi-Fi (voice over Wi-Fi).

What are some typical upsell opportunities a network security assessment can provide VARs?

Dunnion: I was surprised to see how few security products were on exhibit at the VON (Voice On the Net) show this fall, considering how regulatory/compliance issues are affecting the data world. In a VoIP environment, phone directories and e-mail reside on the same IP network. Voice mails are often turned into e-mail attachments. Customers’ addresses are stored on IP PBXs (private branch exchanges). If these environments are not secure, the customer could be in a very dangerous compliance situation. VARs have the opportunity to help their customers and earn additional sales by protecting their VoIP implementations with solutions such as session border controllers, which perform deep packet inspection on traffic entering and exiting the customer’s network.

Botti: Once a VAR gets in the door with a network assessment, a domino effect takes place. First, the VAR may sell some subscription-based network security services (e.g. antivirus, antispam, antispyware, intrusion detection/prevention). Then, it could set up a recurring network reassessment with the customer and check the network’s health on a quarterly or even monthly basis. Additionally, the VAR could talk about the customer’s business continuity/disaster recovery plan and earn additional revenue selling storage, backup, and/or network redundancy services. Many of our security vendors have experienced double- or even triple-digit growth over the past year, which is a confirmation their VARs are doing very well, also.