Securing voice services is among the most essential measures any business can take to mitigate attacks involving toll fraud, denial of service or corporate espionage. Voice over Internet Protocol (VoIP) encompasses a robust and fully developed set of technologies that incorporate strong security features sufficient to deal with virtually all such attacks. Nevertheless, even with the most secured VoIP services, malicious hackers often find alternative attack vectors to achieve their goals.
In this article, we examine those attack vectors and the best practices to defend against them.
Security inherent to VoIP
VoIP security is primarily implemented using secure VoIP protocols such as Secure SIP, SRDP, and SRTCP. Additional security methods include the creation of VPNs among VoIP endpoints, IP PBXs, and other VoIP devices. This is especially useful for a mobile workforce.
These security measures are primarily implemented by the VoIP provider and/or VoIP equipment vendor, encompassing endpoints, as well as servers and gateways. This type of VoIP security can typically be enabled, disabled or adjusted on devices according to the needs and requirements of each business.
Boundaries of inherent VoIP security
Inherent security measures have a specific job: securing the VoIP signaling and voice packets exchanged between devices. However, what happens if an attacker decides to target the actual IP PBX server or the network carrying VoIP transmissions?
For example, what good would Secure SIP or a VPN do if an attacker gained unauthorized access to the IP PBX and disabled these features? What if an attacker were to disable or modify the routing within the network, causing voice conversations to fail (along with all other network data, for that matter)?
We don’t associate these attack vectors directly with VoIP but more with network and systems security in general. Even so, they are just as important to consider as simply securing the voice conversations themselves.
Putting a plan together
Network and systems security should always be part of your enterprise’s documented security policy. There are some general and VoIP-specific steps that you can take to ensure effective and holistic defense against the full spectrum of possible attack strategies. These should include the following aspects:
- Systems security: This involves best practices to harden your enterprise’s IP PBXs, whether they’re on-premises, virtual machines or cloud-based.
- Network security: This area includes employing best practices involving hardening network devices such as switches, routers and especially firewalls to disallow unauthorized access to the network.
- User security: This often-neglected area of security involves training both end-users and network administrators on how to manage credentials and system access.
Keeping malicious users out of the management interfaces of IP PBXs and VoIP gateways is a vital part of systems security. Some of the most important steps you can take here include the following. Unless otherwise stated, the principles are the same regardless of what kind of IP PBX you have.
- Keep firmware current: Ensure sure your IP PBX software and firmware are up to date. The newest firmware version is the most secure since it has the most recent fixes for bugs and vulnerabilities. In addition, updated versions will often support newer security features and mechanisms, offering layers of protection that may not be available on older versions.
If you have a cloud-based service where the provider is responsible for these updates, ask them to keep you updated with published change logs that detail all the improvements applied to their cloud-based software, including security features, whenever they upgrade their firmware.
- Implement platform security features: For on-premises and VM (virtual machine) IP PBXs, it’s important to enable any access security features provided by the platform itself. This may include host-based firewall settings that limit access using a series of parameters, including IP addresses and credentials.
Implement full-coverage network security on any network carrying VoIP traffic. Features such as QoS and routing configurations can be easy targets for a malicious attacker to leverage to conduct a DoS attack or degrade service. Some of the most important security measures you can take to safeguard against network attacks include:
- Don’t use port forwarding: For IP PBXs on the enterprise network, port forwarding can be configured at the edge of the network to achieve connectivity for external mobile users. Although this was once considered standard practice, safer methods such as secure tunneling and VPNs are now preferred.
- Harden your networking equipment: Switches and routers comprise the bulk of the enterprise network and, as such, represent a broad target for attackers. Network device vendors publish best practices to harden their equipment against attacks, so it's wise to follow those.
- Secure the edge of your network: Use a firewall and/or SBC (session border controller) to secure the edge of the network to protect against the myriad of threats on the Internet.
- Employ access control on the network: Network devices allow you to employ what is known as management plane policing (MPP). The management plane is the logical path taken by all traffic related to the management of a network device, such as an SSH or Telnet session or an HTTPS web-based management interface. MPP employs highly fortified restrictions that allow only authorized users to access network device management interfaces.
- Design resiliency into your network: No security measure is 100% secure, so resiliency and contingency plans should always be part of your security policy. This can include:
- Real-time monitoring, logging and alert systems that inform you of network events as they occur.
- Scheduling automatic and frequent backups of all IP PBX and network device configurations for quick recovery in the event of a misconfiguration or an unscheduled device reset.
- Implementing a redundant network design with multiple network devices and multiple connections to the Internet as well as a high-availability implementation of your IP PBX whenever possible.
As part of your security policy, you should enforce proper security management by the users themselves. This includes both end-users and administrators who have access to network resource management systems. Some of the most vital best practices for user security include the following:
- Maintain adequate password policies: Train users on the use of strong passwords and require them to change passwords periodically. This is important for end-users using SIP extensions and administrators accessing VoIP management interfaces.
- Harden end-user extensions: You can also configure the IP PBX to restrict endpoint registration by specifying allowed IPs or blocking the registration of an extension after several failed attempts occur.
- Train users to identify suspicious activity: If users see a call history containing calls that they haven’t made, or they receive a notification of a login to a VoIP account when they weren’t logged in, they should report these events immediately.
VoIP security is not just about securing conversations. It involves a holistic approach to the security of the network and the systems running the services. Ensuring that all attack vectors have been considered, verifying the implementation of a resilient design and training users to behave securely and identify possible breaches will deliver a highly secure enterprise VoIP environment.
You may also like: