How to protect against VoIP security vulnerabilities
Source: Internet
Author: User
Keywords: Security, VOIP
VoIP carries many security risks and faces many security threats, but that does not mean VoIP security is hopeless. In fact, as security incidents have become frequent, many VoIP manufacturers have accumulated experience through continuous practice and now use a number of measures to ensure VoIP security to a greater extent. Improving VoIP security, however, takes a two-pronged approach. VoIP vendors need to abandon the idea that security is an add-on product and embed security technology in the VoIP product itself. VoIP users need to fully realize that the security of VoIP devices directly affects the security of the entire enterprise network infrastructure. As a manager, do not assume that a VoIP product simply adds network calling: without complete protective measures, it is likely to become an easy door into the intranet for hackers. Enterprises should therefore choose professionals from the IT or data department to manage IP communications systems, rather than the original voice department, and these people must be more cautious than the professionals who manage traditional PBXs.

It can be seen that the security problems VoIP faces are in fact mostly the problems IP networks face. Conventional security measures must therefore be in place first, and the particular nature of VoIP applications calls for special measures to enhance security. Below I recommend a few small preventive measures. They may not use any advanced technology, but taking these steps may help plug the big VoIP holes in your network.

Put all VoIP into one VLAN to make QoS policy easy to set

I see many users who, when deploying VoIP, mix VoIP and general data on one network. The biggest weakness of this approach is that VoIP's bandwidth and QoS requirements differ from those of general data, which directly and greatly reduces the transmission efficiency of the switches, routers and many security devices on the network.
Once VoIP data and general data have been distinguished, transmitting them separately is undoubtedly the most appropriate approach. It is one of the methods recommended by VoIP equipment vendors such as Cisco. Specifically, voice and data are divided into different virtual local area networks (VLANs) so that they are transmitted on different virtual LANs. With all VoIP in the same VLAN, the data in that VLAN has the same quality of service (QoS) requirements, which simplifies the QoS settings: users need only give priority to the VoIP VLAN. Note that when VoIP has to cross a router, Layer 3 quality of service is still required.

The direct benefit of this approach is that, with the two separated, the voice network is hidden from the data VLAN, which effectively addresses problems such as data spoofing and DoS attacks. Without computers that could be used to attack it, your VoIP network will be much more secure.

Fortify your VoIP server against eavesdropping

Beyond the advantages above, putting all VoIP traffic into the same VLAN also significantly reduces telephone eavesdropping. If voice packets are captured by an analyzer, replaying the voice is easy. VLANs can prevent people from attacking from outside. As the saying goes, "Guzei": the method above only prevents eavesdropping on calls from the external network, and internal attacks are difficult to prevent. An insider who connects any terminal device to the network and configures it to pose as part of the VoIP VLAN can eavesdrop at will. The best way to prevent this is to buy VoIP phones with strong encryption capabilities; this method works by encrypting every phone. The cost of this precaution is high, and it is hard to say how much it improves confidentiality.
Another, more direct and effective way is to "reduce the effect", that is, to physically cut the VoIP server off from internal and external attackers so that listening techniques cannot be used to intercept VoIP information. Specifically, restrict the IP addresses and MAC addresses that can access the VoIP management interface, and place a firewall in front of the SIP gateway so that only legitimate users can access the VoIP system. For example, the Ingate company's firewall is designed for SIP-based VoIP systems. Ingate recently announced that its products are now certified to work with Avaya's SIP-based products. Make sure that the VoIP system you implement is based on SIP, so you will not have to turn to your existing VoIP vendor when you need security options.

Some users not only use firewalls but also encrypt the related VoIP packets. However, encrypting only the data sent out is not enough; all call signaling must be encrypted as well. Encrypting voice packets prevents voice insertion. For example, the Secure Real-time Transport Protocol (SRTP) can be used to encrypt communication between nodes, and TLS can be used to encrypt the entire process.

Monitoring and tracking, network redundancy and other means to protect against DoS attacks

Stealing a VoIP account is one of the most common ways for hackers to pass themselves off as legitimate customers on a VoIP network. To steal an account, hackers will stop at nothing, even brute-forcing an account's password in an attempt to take control of it. This is bound to cause a sudden increase in network traffic and greatly increases the probability of triggering a DoS attack. Deploying appropriate monitoring tools and intrusion detection systems can help you discover attempts to hack into your VoIP network.
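
One way to look for account brute-forcing in registration logs, as an added example that is not part of the original article. The log format, field names, addresses and thresholds are assumptions made for illustration; adapt the parser to whatever your SIP server or IDS actually records.

```python
# Added example; the log format is hypothetical and the records are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) REGISTER src=(?P<src>\S+) user=(?P<user>\S+) "
                     r"auth=(?P<auth>yes|no) status=(?P<status>\d{3})$")

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {(kind, key): peak count} for every source address or account
    that reaches `threshold` rejected logins inside a sliding `window`."""
    recent = defaultdict(deque)  # (kind, key) -> timestamps of recent failures
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a registration record
        # A 401 to a request without credentials is the normal SIP digest
        # challenge, so only rejected requests that carried credentials count.
        if m["auth"] != "yes" or m["status"] not in ("401", "403"):
            continue
        ts = datetime.fromisoformat(m["ts"])
        # Track per source (one noisy host) and per account (many hosts
        # taking turns against the same extension).
        for key in (("source", m["src"]), ("account", m["user"])):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts

DAY = "2024-05-01T10"
SAMPLE_LOG = (
    # A phone registering normally: challenge, then success.
    [f"{DAY}:00:00 REGISTER src=10.20.0.15 user=1001 auth=no status=401",
     f"{DAY}:00:01 REGISTER src=10.20.0.15 user=1001 auth=yes status=200"]
    # One host guessing passwords for extension 1002 every 5 seconds.
    + [f"{DAY}:01:{s:02d} REGISTER src=10.20.0.99 user=1002 auth=yes status=403"
       for s in range(0, 40, 5)]
    # Six hosts each trying extension 1003 once.
    + [f"{DAY}:05:{i:02d} REGISTER src=10.20.1.{i} user=1003 auth=yes status=401"
       for i in range(1, 7)]
)

if __name__ == "__main__":
    for (kind, key), count in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {kind} {key}: {count} rejected logins within 60 s")
```

Counting per account as well as per source catches the third case in the sample, where no single host exceeds the threshold.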
By looking closely at the logs these tools record, you can discover unusual data flows in a timely manner and find out whether anyone is trying to brute-force an account to get into the network. Admittedly, no matter how tight your defenses are, there will always be attacks, so be prepared for a DoS attack or a virus that paralyzes the network. One such preparation is a redundant design that switches automatically to another device if the system currently running is compromised or fails unexpectedly. This minimizes losses and gives you ample time to find and solve the problem.

The security of a VoIP network depends largely on the operating systems of the devices in the network and the applications running on them. Patching operating systems and VoIP applications in a timely manner is essential to protect against threats from malware or viruses. In fact, many attacks exploit system vulnerabilities. This is consistent with security defense for IP networks.

Make a plan to put yourself in the hacker's role and try to attack your own VoIP system in a variety of ways. Failing to find a way in does not mean your VoIP system is safe, but if you can find one, someone else can find it quickly too.

These are not the only ways to strengthen a VoIP network; this article only picks out some necessary points. More importantly, we have to face the security problems of VoIP correctly: we must recognize that they exist, and also believe that through sound design and good security habits we can keep the security risk within acceptable limits.

"Responsible editor: Zhao TEL: (010) 68476636-8001"
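
For the recommendation above to encrypt call signaling with TLS as well as voice packets with SRTP, a check that can be run over SIP INVITE messages, as an added example that is not part of the original article. The host names, addresses and key placeholder are constructed; the check reads only the topmost Via header and the SDP media lines.

```python
# Added example; the INVITE messages are constructed, not captured traffic.
import re

# SDP transport profiles that mean the media is SRTP (SDES or DTLS keyed).
SECURE_MEDIA = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_invite(message):
    """Return findings for one SIP message that carries an SDP body."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    findings = []
    # The topmost Via header names the transport this hop used.
    via = next((h for h in head.split("\n") if re.match(r"(?i)(via|v)\s*:", h)), "")
    m = re.search(r"SIP/2\.0/(\w+)", via)
    transport = m.group(1).upper() if m else "UNKNOWN"
    if transport != "TLS":
        findings.append(f"signaling sent over {transport}, not TLS")
    for line in body.split("\n"):
        parts = line[2:].split() if line.startswith("m=") else []
        if len(parts) < 3:
            continue  # not a media line (or malformed)
        media, port, proto = parts[:3]
        if port != "0" and proto.upper() not in SECURE_MEDIA:  # port 0 = disabled
            findings.append(f"{media} stream offered as {proto}, not SRTP")
    # SDES puts the SRTP master key in the SDP, so it is only as secret as
    # the signaling that carries it.
    if transport != "TLS" and "\na=crypto:" in "\n" + body:
        findings.append("SRTP key (a=crypto) exposed in cleartext signaling")
    return findings

def sample_invite(transport, proto, crypto=""):
    """Build a minimal constructed INVITE for the checks above."""
    return ("INVITE sip:1002@pbx.example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/{transport} 10.20.0.15;branch=z9hG4bKconstructed\r\n"
            "Content-Type: application/sdp\r\n\r\n"
            f"v=0\r\nc=IN IP4 10.20.0.15\r\nm=audio 49170 {proto} 0\r\n{crypto}")

KEY_LINE = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER\r\n"

if __name__ == "__main__":
    for args in [("UDP", "RTP/AVP"), ("UDP", "RTP/SAVP", KEY_LINE),
                 ("TLS", "RTP/SAVP", KEY_LINE)]:
        print(args[:2], audit_invite(sample_invite(*args)) or "ok")
```

The second sample shows why encrypting media alone is not enough: the stream is SRTP, but its key travels in signaling that anyone on the path can read.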