How to avoid VoIP security risks

In recent research, Forrester recommends the following six steps to help IT organizations avoid VoIP security risks and ultimately ensure their UC systems are secure.

In many companies, data networks and telecom worlds converge, and voice and video traffic runs on the same network as other data in the enterprise. Well-known industry terminology such as IP voice (Voice over IP, VoIP), IP telephony (IPT) and unified Communications (Unified Communications, UC), but also gradually become a new way for hackers to attack. More worryingly, most businesses are not considering protecting their UC deployment facilities because they are unaware of the inherent risks of communication, videoconferencing, and other UC technologies. As a result, the deployment of these facilities has greatly increased the attack surface of their networks.

Understand that most of the threats to VoIP networks are not critical to UC devices such as call Management Servers, voice mail servers, or interactive voice Response systems (IVR). Instead, attackers use VoIP networks as portals to access data networks so that they gain privileged access to data that is truly lucrative, such as account numbers, credit card information, and other private data. UC attackers learned from experience that these networks are not as secure as traditional border portals, such as the public Internet, which are protected by control measures such as stateful firewalls and intrusion prevention systems (IPS).

For security, the deployment of unified communications facilities (UC) requires new ideas and methods. By considering UC security in the early stages, security experts can help their company to move more smoothly and economically into unified communications technology. In recent research, Forrester recommends the following six steps to help IT organizations avoid VoIP security risks and ultimately ensure their UC systems are secure.

Step 1: Develop a UC security Implementation guide

The guidance should include specific actions on how to securely deploy components in the system, as well as guidelines for configuring the current network and its existing security controls. It should clarify:

How you should isolate network data and VoIP traffic

How you should use firewalls and IPs to improve security

Plan to protect UC networks from eavesdropping attacks

How it planning divides responsibilities between security and infrastructure teams

Step 2: Develop a UC security policy

The company must develop a feasible strategy for the operation and maintenance of UC systems from a security perspective. In general, you can evolve your, uh, UC security implementation guidelines into a strategy. UC security is in its infancy, and it will take several years to form a generic best practice or policy document that can be used for third parties.

Step 3: Create the UC security architecture

Most network designs today do not fully define the security controls associated with the UC system. Therefore, it is important to extend and design your network architecture from the inside out, along with your IT infrastructure peers. Create a new schema that defines the precautions to be taken against known attacks. For example, placing an IPS device in front of a critical UC subsystem such as a call management system, IVR, and voice mail server can prevent the most common UC attacks. Or, by properly configuring a server to protect UC, to prevent infrastructure attacks, make sure your server is configured not to assign addresses to unknown MAC addresses, and to analyze information from non-authoritative servers. In addition, it is possible to better mitigate eavesdropping attacks by opening the SRTP protocol for media transmission encryption and by adding the Transport Layer Security (TLS) to a channel protocol such as SIP. Remember that if traffic on the internal network is not encrypted, all voice and video traffic on the aggregation network is easily intercepted and tapped.

Step 4: Take advantage of existing security controls

Many companies have off-the-shelf security controls that can be used to enhance the security of the UC network. However, since UC security is a new guideline for many organizations, few people realize that their existing controls can be used to protect the most important UC components.

Step 5: Penetration testing after VoIP implementation

Consider employing a professional service company to carry out penetration testing of the completed UC system. This helps to determine whether security and policy decisions are valid during the implementation process. These types of tests look at the UC network from an attacker's point of view, using the latest tools to try to bypass control and gain privileged access to the network.

Step 6: Increase control of the risks identified by the penetration test

Once you have completed the UC system penetration test, you will have objective, operable data to determine whether your UC solution is adequate and secure. If the result is that an unacceptable risk exists for an existing deployment facility, you can choose to add additional control based on the current risk preferences.