Small Security Measures That Block VoIP Security Vulnerabilities

Source: Internet
Author: User

VoIP carries many security risks and faces many threats, but that does not mean VoIP security is a lost cause. In fact, as security incidents have become more frequent, many VoIP manufacturers have been accumulating practical experience and adopting measures that go further toward guaranteeing the security of VoIP.

However, to improve VoIP security, we must drop the notion that VoIP security is an add-on product; security technology must be rooted in the VoIP product itself. VoIP users should be fully aware that the security of VoIP devices directly affects the security of the enterprise's entire underlying network. Managers should not assume that deploying VoIP products merely adds a network phone number. Without complete protection measures, it is likely to become a door through which hackers can easily reach the company's intranet. Enterprises should therefore assign professionals from the IT or data department to manage IP communication systems, rather than the original voice department, and these people must be more careful than those who manage a traditional PBX.

Most of the security problems VoIP faces are in fact problems of IP networks, so conventional security measures must be in place first. Beyond that, the particular characteristics of VoIP applications call for special measures. Below I recommend several small preventive measures. They may not use any advanced technology, but they may help your network block large VoIP vulnerabilities.

Unify VoIP into one VLAN for easier QoS policy settings

I have seen many users carry VoIP and general data on the same network when deploying VoIP. The biggest weakness of this deployment is that the bandwidth and QoS requirements of VoIP differ from those of general data, which directly leads to a significant reduction in the transmission efficiency of the switches, routers, and many security devices on the network.

Separating VoIP data from general data is undoubtedly the most appropriate method. This method is also recommended by Cisco and other VoIP equipment vendors.

Specifically, separate voice and data into different virtual LANs (VLANs) so that they are transmitted on different VLANs, with all VoIP traffic unified into the same VLAN. Data transmitted in the same VLAN has the same QoS requirements, which simplifies QoS settings: you only need to give priority to the VoIP VLAN. Note that if VoIP is to be transmitted through a router, layer-3 quality of service is still required.

A direct advantage of separating the two is that the voice network is hidden from the data VLAN, which effectively addresses data spoofing and DoS attacks. Without computers on it that could launch an attack, your VoIP network will be much safer.

Reinforce your VoIP server to prevent eavesdropping

Unifying VoIP signals into the same VLAN has another advantage besides those above: it greatly reduces the occurrence of eavesdropping on calls. If voice packets are captured by a packet analyzer, the voice is easy to replay. A virtual LAN can prevent attacks from outside.

As the saying goes, the insider is the hardest to guard against: the method above only prevents eavesdropping from outside the network, and it does little against internal attacks. As long as an insider connects a terminal device to the network, configures it appropriately, and makes it pose as part of the VoIP VLAN, they can eavesdrop at will. The best way to prevent this is to purchase VoIP phones with strong encryption functions. For this to work, every phone must support encryption. Because of the high cost of this defense, it is hard to say how far it improves confidentiality in practice.

Another, more direct and effective method is to have the VoIP server physically shut out both internal and external attackers, so that others cannot use interception techniques to capture VoIP information. Specifically, restrict which IP addresses and MAC addresses can access the VoIP management interface, and place a firewall in front of the SIP gateway so that only valid users can access the VoIP system.

For example, Ingate's firewall is designed for SIP-based VoIP systems. Ingate recently announced that its products have passed certification and can work with Avaya's SIP-based products. Make sure the VoIP system you implement is based on SIP, so that you will not have to turn to your existing VoIP vendor if you need security options in the future.

Some users not only deploy firewalls but also encrypt VoIP packets. However, encrypting only the data sent out is not enough; you must also encrypt all call signaling. Encrypted voice packets prevent speech insertion. For example, you can use the Secure Real-time Transport Protocol (SRTP) to encrypt communications between nodes and use TLS to encrypt the entire process.
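The check below is an added example, not part of the original article: it audits a SIP INVITE for the point made above, that media encryption without signaling encryption is incomplete, because SDES-style SRTP keys travel in the SDP `a=crypto` line. The messages are constructed samples and the function names are hypothetical.

```python
import re

# Media profiles that indicate SRTP (RFC 3711 / DTLS-SRTP variants).
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def make_invite(transport, profile, crypto):
    """Build a constructed SIP INVITE with an SDP body (sample data only)."""
    lines = [
        "INVITE sip:bob@example.com SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10;branch=z9hG4bKexample",
        "From: <sip:alice@example.com>;tag=1",
        "To: <sip:bob@example.com>",
        "Content-Type: application/sdp",
        "",
        "v=0",
        f"m=audio 49170 {profile} 0",
    ]
    if crypto:
        lines.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-KEY")
    return "\r\n".join(lines) + "\r\n"

def audit_invite(message):
    """Return findings on signaling and media encryption for one INVITE."""
    head, _, body = message.partition("\r\n\r\n")
    findings = []
    # Signaling: every Via hop must name TLS as its transport.
    transports = re.findall(r"^Via:\s*SIP/2\.0/([\w-]+)", head, re.M | re.I)
    signaling_tls = bool(transports) and all(t.upper() == "TLS" for t in transports)
    if not signaling_tls:
        findings.append("signaling is not carried over TLS")
    # Media: each m= line must use an SRTP profile.
    for media, profile in re.findall(r"^m=(\w+) \d+ (\S+)", body, re.M):
        if profile.upper() not in SRTP_PROFILES:
            findings.append(f"{media} stream uses {profile}, not SRTP")
    # SDES keys (a=crypto) ride in the SDP, so cleartext signaling exposes them.
    if re.search(r"^a=crypto:", body, re.M) and not signaling_tls:
        findings.append("SRTP key in a=crypto is exposed by cleartext signaling")
    return findings

if __name__ == "__main__":
    for args in [("UDP", "RTP/AVP", False), ("UDP", "RTP/SAVP", True),
                 ("TLS", "RTP/SAVP", True)]:
        print(args, audit_invite(make_invite(*args)))
```
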

Use monitoring and tracking, network redundancy, and other means to defend against DoS attacks

Stealing a VoIP account is one of the most common ways for hackers to use a VoIP network to pose as a legitimate customer and access the enterprise network. To steal accounts, hackers will stop at nothing, even using brute-force cracking to attack an account's password and take control of it. This inevitably leads to a sudden increase in network traffic and a significantly higher probability of DoS attacks.

By deploying appropriate monitoring tools and intrusion detection systems, you can spot attempts to attack your VoIP network. By carefully reviewing the logs these tools record, you can detect abnormal traffic in time and tell whether someone is trying to use brute-force cracking to access the network.
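The log review described above can be automated. The following is an added example, not part of the original article: a sliding-window detector that separates repeated password guessing on one account from one source trying many accounts. The log format, thresholds and function name are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a hypothetical "time src= user= event=" format.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 src=10.20.0.15 user=1001 event=register_failed",
    "2024-05-01T10:00:09 src=10.20.0.15 user=1001 event=register_ok",
] + [   # six failures in ten seconds against one account
    f"2024-05-01T10:05:{s:02d} src=198.51.100.7 user=1002 event=register_failed"
    for s in range(0, 12, 2)
] + [   # one failure each against five different accounts
    f"2024-05-01T10:07:{i:02d} src=203.0.113.9 user={1000 + i} event=register_failed"
    for i in range(5)
]

def detect(lines, window=timedelta(seconds=60), max_fail=5, max_users=4):
    """Return {source IP: reason} for sources that exceed either threshold."""
    recent = defaultdict(deque)   # src -> (time, user) failures inside the window
    alerts = {}
    for line in lines:
        stamp, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs if "=" in p)
        if fields.get("event") != "register_failed":
            continue              # a typo followed by a success is not an attack
        now = datetime.fromisoformat(stamp)
        failures = recent[fields["src"]]
        failures.append((now, fields["user"]))
        while now - failures[0][0] > window:
            failures.popleft()    # forget failures older than the window
        users = {user for _, user in failures}
        if len(users) >= max_users:
            alerts[fields["src"]] = "account scanning"
        elif len(failures) >= max_fail:
            alerts[fields["src"]] = "password guessing"
    return alerts

if __name__ == "__main__":
    for src, reason in detect(SAMPLE_LOG).items():
        print(src, reason)
```
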

I have to admit that no matter how strict your defenses are, there will always be attacks. So be prepared to cope with DoS attacks or viruses that paralyze the network. One way is to build in redundancy: once a running system suffers an attack or an accident, service can switch automatically to another device, minimizing the loss and giving you plenty of time to discover and solve the problem.

The security of the VoIP network depends largely on the operating systems of the devices in the network and the applications running on those devices. Keeping OS and VoIP application patches up to date is very important for preventing threats from malware or viruses. In fact, many attacks exploit system vulnerabilities. This is consistent with the security defense of IP networks.

Develop a plan in which you take on the role of a hacker, then try to attack your own VoIP system in various ways. Failing to find a point of entry does not mean your VoIP system is secure, but if you can find one, others can too, so take measures to block that vulnerability.

This article describes only some of the necessary measures for reinforcing a VoIP network, and they are not the most important thing. More importantly, we need to approach VoIP security problems correctly: we must acknowledge that they exist, and we also need to believe that through sound design and good security habits we can keep the security risks within an acceptable range.
