Building Security into Your Hosted VoIP System
When IT professionals talk security, the first consideration is often the data network. The security of the voice (VoIP) network, however, is equally important.
VoIP security matters even more as more and more companies transition their voice systems to a converged, hosted voice-over-IP infrastructure.
Organizations must therefore secure both the data and voice sides of the network infrastructure so that unwanted traffic doesn’t get in while all productive traffic gets out. The following are some tips for building the necessary security measures into your hosted VoIP framework.
What Makes Up a Hosted VoIP System?
First off, hosted VoIP systems can comprise many different kinds of equipment. On the front end, this usually includes telephone handsets, conferencing equipment, and mobile devices. On the back end, there are components such as call processors/call managers, gateways, routers, firewalls, and the protocols that connect them. Moreover, in a hosted VoIP system, at least some of the equipment is housed and maintained by the service provider.
Implementers of VoIP systems must ensure not only that all VoIP-related hardware, software, and services are properly secured, but also that critical services like E911 and call traffic flow are properly enabled while still maintaining acceptable service levels. Due to the time-sensitive nature of VoIP and its low tolerance for disruption and packet loss, many security measures implemented in traditional data networks are simply not applicable to VoIP in their current form; firewalls, intrusion detection systems, and other components must be customized for use with VoIP.
5 Best Practices and Considerations for Implementing VoIP Infrastructure Security
1. Ensuring QoS
There are many different pieces of the hosted VoIP security puzzle that need to be addressed – each equally important to optimizing security on your hosted VoIP system. One area of consideration in securing the VoIP network is the need to balance installed security standards with Quality of Service (QoS) measures put in place, in order to prevent latency, jitter, and packet loss. In addition, proper bandwidth needs to be allocated and used appropriately so that performance isn’t compromised by security methods.
2. Implementing the Proper Protocols for VoIP
H.323 architecture and security profiles (covering call signaling, multimedia transport, and bandwidth control for point-to-point and multi-point conferences) should be established. Encryption is a recommended security measure, but you need to ensure that it does not hinder performance.
Another common protocol used with VoIP systems is the Session Initiation Protocol (SIP). SIP defines the messages exchanged between endpoints and governs how call sessions are established, terminated, and otherwise managed. When using a SIP architecture, it’s important to be sure that appropriate security features exist. These features include authentication of signaling data via HTTP Digest Authentication, S/MIME usage, media data protection, TLS, IPsec, and other SIP security enhancements.
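As an added illustration (not code from the article or from any SIP product), the following Python example shows how a registrar can verify the HTTP Digest credential a phone sends in a SIP Authorization header, following the RFC 2617 scheme with and without qop=auth. The extension, realm, password, nonce and all function names are constructed for the example.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(header_value):
    """Split 'Digest k="v", k2=v2' into a dict with lower-cased keys."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', rest)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def digest_response(ha1, method, p):
    """RFC 2617 response value; HA1 = MD5(username:realm:password)."""
    ha2 = md5_hex(f"{method}:{p['uri']}")
    if p.get("qop") == "auth":
        return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    return md5_hex(f"{ha1}:{p['nonce']}:{ha2}")

def verify_request(method, header_value, ha1_store, issued_nonces):
    """Server side: True only if the credential matches a stored HA1."""
    try:
        p = parse_digest(header_value)
        if p["nonce"] not in issued_nonces:   # reject nonces we never issued
            return False
        ha1 = ha1_store[(p["username"], p["realm"])]
        expected = digest_response(ha1, method, p)
        # Constant-time comparison of the two hex digests.
        return hmac.compare_digest(expected, p["response"].lower())
    except (KeyError, ValueError, TypeError):
        return False                          # malformed or unknown credential

def build_authorization(user, password, realm, method, uri, nonce):
    """Client side (phone): answer to a 401 challenge that carries no qop."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    resp = digest_response(ha1, method, {"uri": uri, "nonce": nonce})
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')

# Constructed sample data: extension, realm, password and nonce are made up.
REALM, URI, NONCE = "pbx.example.test", "sip:pbx.example.test", "c0nstructed-nonce"
HA1_STORE = {("1001", REALM): md5_hex(f"1001:{REALM}:constructed-secret")}
ISSUED_NONCES = {NONCE}
```

The server stores only HA1, never the password, and the response is bound to the SIP method and URI, so a credential computed for REGISTER does not validate for INVITE.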
Two other protocols that may also be utilized in properly establishing VoIP sessions are the Media Gateway Control Protocol (MGCP) and Megaco/H.248. These can be used for gateway decomposition in large installations or to ease the message handling with media gateways.
3. Securing VoIP Networking Equipment - Switches and Routers/Gateways and Firewalls
Both hardware and software switches and routers should be secured with SSH, HTTPS, and other secure network protocols. Hosted VoIP systems also need to be protected by the right kind of gateways and firewalls -- whether software or hardware-based.
For instance, depending on your particular infrastructure, an MGCP gateway should be installed using Megaco/H.248 protocols. Furthermore, when using firewalls and NAT, there might be a need for a voice Application Level Gateway (ALG), where appropriate, to prevent denial of service (DoS) attacks. A Session Border Controller might also be installed, depending on your setup, to take control over the signaling and media streams involved with each call session.
From the firewall side, you should keep data and voice VLANs separated. If possible:
- Use private addresses and avoid NAT: though it can hide internal addresses, it has incompatibilities with IPsec and other issues associated with the transmission of voice traffic
- Give each network trunk its own VLAN ID, and make sure to disable VLAN 1, since it is the native VLAN and therefore more vulnerable to attacks
- Place all unused ports in a VLAN outside of all in-place networks and disable those ports
- Enable 802.1X authentication for the ports on all switches
- Implement Access Control Lists (ACLs)
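One way to check a switch configuration against the points above, as an added example rather than anything from the article: the Python below audits interface stanzas for VLAN 1 use, shared voice and data VLANs, unused ports that are not both parked and disabled, and missing 802.1X. It assumes Cisco IOS-style syntax, a parking VLAN of 999 and a constructed sample configuration, expects only switch-port stanzas, and does not cover ACLs.

```python
import re
PARKING_VLAN = 999  # assumption: VLAN reserved for unused ports

SAMPLE = """\
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport voice vlan 20
 authentication port-control auto
interface GigabitEthernet0/2
 switchport voice vlan 1
interface GigabitEthernet0/3
 switchport access vlan 999
interface GigabitEthernet0/24
 switchport mode trunk
"""  # constructed sample in Cisco IOS-style syntax (assumed platform)

def parse_interfaces(config):
    """Map each interface name to its indented sub-commands."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split()[1], [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None   # any other top-level line ends the stanza
    return ports

def vlan_of(lines, keyword, default=None):
    """VLAN number from 'switchport <keyword> vlan N', else default."""
    hits = [re.fullmatch(rf"switchport {keyword} vlan (\d+)", e) for e in lines]
    return next((int(m.group(1)) for m in hits if m), default)

def audit(config):
    findings = []
    for name, lines in parse_interfaces(config).items():
        trunk, shut = "switchport mode trunk" in lines, "shutdown" in lines
        # With no explicit setting, access and native VLAN default to 1.
        access, voice = vlan_of(lines, "access", 1), vlan_of(lines, "voice")
        unused = not trunk and (shut or access == PARKING_VLAN)
        active = not trunk and not unused
        dot1x = any(e.endswith("port-control auto") for e in lines)
        checks = {
            "trunk native VLAN is 1": trunk and vlan_of(lines, "trunk native", 1) == 1,
            "unused port not parked and disabled": unused and not (shut and access == PARKING_VLAN),
            "access port in VLAN 1": active and access == 1,
            "voice and data share a VLAN": active and voice == access,
            "802.1X not enabled": active and not dot1x,
        }
        findings += [(name, msg) for msg, bad in checks.items() if bad]
    return findings
```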
4. Encryption and IPsec
Endpoints must be secured with IPsec, which uses various authentication and encryption methods so that each IP packet in a communication session is protected. You’ll also want to secure the VoIP network by using encryption on the media and control channels.
Moreover, the Secure Real-time Transport Protocol (SRTP) should be added to your hosted VoIP infrastructure. It’s important to use all techniques possible to authenticate users; for instance, using certificates that can authenticate each phone via a unique username/password combination.
5. Physical Security
Finally, don’t forget about the physical security of your VoIP equipment, both onsite and hosted offsite. You’ll want to ensure that there is controlled and limited access to the server rooms and networking equipment. Moreover, it’s vital that equipment rooms are kept at a cool enough temperature to protect equipment and that any potential hazards like water, heaters, pipes, and so on, are kept at a distance. Furthermore, UPSs and other redundant backup systems should be implemented for business continuity and disaster recovery.
Securing VoIP is a little like adding layers to a cake, with each layer adding an additional flavor of protection for your hosted VoIP system. By making sure to secure each layer appropriately, while taking into consideration performance levels, you can ensure that you are building a secure foundation for your voice communications infrastructure.