Enterprise VoIP Security - Threats and Best Practices
In recent years we have seen the convergence of the IP data and TDM circuit-switched voice network on the rise, bringing about many advantages to enterprises. Companies with WAN resources are realizing cost savings, an increase in the number of available productivity and reporting apps and an overall streamlining in company operations as network functions run across an all-IP infrastructure.
This convergence sounds like a network architecture made in heaven, right? Well, almost. Any change in your network approach calls for a review of security practices to ensure a continued high level of performance. The ;NSA declassified a guide entitled “Security Guidance for Deploying IP Telephony Systems.” In it you'll find information to make your organization aware of potential security threats and how to best guard against them. But, the reading is pretty dense and tedious - as government documents tend to be. So, we pulled out the important parts and arranged them here for you.
7 VoIP Security Best Practices to Avoid Attacks
While the threat of an attack may seem daunting, the good news is that software and hardware security solutions can be implemented - as well as strategic security provisions - to guard your enterprise in the face of an all-out attack on the network.
1. Maintain Current Patch Levels and Install a Good Anti-Virus System
Enterprises should implement adequate monitoring, complete the timely deployment of patch releases and deploy current anti-virus endpoint software.
2. Limit Physical Access to Network Hardware
Physical access to network hardware should be granted only to relevant, authorized personnel, and equipment should be stored in a restricted and controlled environment.
3. Implement Advanced Intrusion Detection and Prevention Systems
These systems should be part of every enterprise VoIP network, as they use stateful detection and prevention techniques as well as deep packet scans, to guard against both zero-day and emerging threats.
4. Enforce Security through Authentication, Authorization and Encryption
Best practices include: configuring Ethernet switch ports to only allow known MAC addresses, password protecting cryptographic keys, and enabling TLS on the web server while disabling non-TLS connections for web-based management interfaces. Furthermore, companies should encrypt media streams and signaling protocols, as well as utilizing challenge-response protocols like HTTP-Digest to authenticate phones to the server.
5. Use VLANs and VPN
The telephony and data networks should be logically separated using virtual LANs (VLANs); doing so isolates each network so that if one VLAN is penetrated, the other will remain secured. Also, limiting the rate of traffic to IP telephony VLANs can slow down an outside attack. Additionally, VPNs (Virtual Private Networks) can be used to establish secure interoffice communications to each VLAN.
6. Filter Traffic through Firewalls
In an optimized setup, the IP telephony and data VLANs should be kept separate by stateful layer 3 & 4 traffic filtering - blocking all protocols not necessary for production. Moreover, application-layer gateways and session border controllers can be set up to manage traffic and control media streams and protocol signals, isolating VoIP segments via policy-based security zones for secure communication between zones.
7. Lock Down Ports
Port level security should be enabled on all switches. And, IP telephony servers implementing different protocols - such as a SIP VLAN and a H.323 VLAN -should be kept on separate VLANs.
Make sure your network is locked down tightly. With good practices, policies and procedures in place, your WAN and telecommunication services can be secured from the most common threats. Protect your network with a complete network security solution.