Securing Your Hosted VoIP Installation

Converged VoIP communications can be made as secure as traditional PSTN. Voice over IP threats such as toll fraud, denial of service attacks, impersonation exploits, phreaking and eavesdropping can be prevented and contained with proper planning and design.


Although VoIP offers substantial savings among other advantages, it comes with its own challenges, particularly when it comes to security. The number of hacker attacks against VoIP systems has steadily increased over the past 5 years. And while VoIP security is not the biggest threat facing most businesses, it is one that business owners and managers shouldn’t overlook.

While VoIP has increased the number of people able to exploit a corporate phone system, the tools and expertise available to protect the technology have also been improving. To help our customers better understand some of these issues, DLS NSS engineers would like to highlight some of the best practices in deploying business VoIP service.

Encryption

While there is no consensus about the degree of threat that eavesdropping poses to Voice over IP, companies should consider securing their VoIP calls by encrypting them. Whenever there is a risk of eavesdropping, such as on public or wireless networks, remote users should definitely consider using encryption. Some security experts even suggest using encryption throughout private or enterprise networks. The best option is to encrypt the voice traffic traversing between your business and DLS. This is one of the more expensive options, since it requires some sort of VPN tunneling, but it ensures that voice traffic traveling to your DLS Hosted PBX in the form of data is encrypted, preventing a hacker from listening in on the conversation. Requiring encryption will also keep thieves from using your VoIP service to make costly overseas calls.

Regrettably, VoIP encryption has its own disadvantages. Remote callers must add another security layer in order to traverse the firewall. One option is to use an IPSec VPN (Virtual Private Network), but the processing overhead can adversely affect voice service quality. SSL (Secure Sockets Layer) is another technology used to create a secure tunnel through the firewall and access the VoIP system. This option imposes less overhead and thus has a lower impact on call quality.

The most promising encryption option for tomorrow’s VoIP is the emerging SecureRTP protocol, which does not have much processing overhead. It employs a lightweight encryption method and will be ideal in smaller businesses with fewer than 1,000 users. SecureRTP utilizes high-strength encryption. While not yet widely adopted, this option is high on DLS’s Hosted PBX service roadmap.
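One way to verify that a call's media is actually negotiated as SecureRTP is to inspect the SDP body carried in the SIP signaling. The following is an added example, not DLS code; it goes beyond the text by covering both SDES (a=crypto) and DTLS-SRTP (a=fingerprint) keying, and the SDP bodies and the key value in it are constructed samples.

```python
# Added example: classify each SDP media section as plain RTP or SRTP.
# All SDP bodies below are constructed sample data, not captured traffic.
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_sdp(sdp):
    """Return one finding dict per m= section of an SDP body."""
    findings = []
    session_fingerprint = False  # a=fingerprint seen before any m= line
    current = None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            # m=<media> <port> <proto> <fmt ...>; pad so a short line cannot crash
            parts = (line[2:].split() + ["", "", ""])[:3]
            current = {"media": parts[0], "profile": parts[2],
                       "crypto_suites": [], "dtls": session_fingerprint}
            findings.append(current)
        elif line.startswith("a=fingerprint:"):
            if current is None:
                session_fingerprint = True   # applies to every media section
            else:
                current["dtls"] = True
        elif line.startswith("a=crypto:") and current is not None:
            fields = line[len("a=crypto:"):].split()  # <tag> <suite> <key-params>
            if len(fields) >= 2:
                current["crypto_suites"].append(fields[1])
    for f in findings:
        # An SRTP profile without any keying material cannot produce encrypted media.
        keyed = bool(f["crypto_suites"]) or f["dtls"]
        f["encrypted"] = f["profile"] in SRTP_PROFILES and keyed
    return findings

PLAIN_OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 40000 RTP/AVP 0
a=rtpmap:0 PCMU/8000
"""
# Same offer switched to the SRTP profile with an SDES key line (placeholder key).
SRTP_OFFER = (PLAIN_OFFER.replace("RTP/AVP", "RTP/SAVP")
              + "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY\n")

if __name__ == "__main__":
    for name, body in (("plain", PLAIN_OFFER), ("srtp", SRTP_OFFER)):
        for f in audit_sdp(body):
            print(name, f["media"], f["profile"], "encrypted" if f["encrypted"] else "CLEARTEXT")
```

With SDES the key travels inside the SDP itself, so the signaling must also be protected (for example by TLS) for the media encryption to be meaningful.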

Protecting Endpoint Devices

Another best practice that needs to be extended to voice is changing the default passwords of all of the components of the system. For example, phones can fall victim to hacking if their passwords are not changed, as they offer multiple points of entry for hackers. In addition, all non-essential applications such as telnet and web servers should be removed from VoIP systems. Many IP phones have web servers installed so that configuration can be managed from a PC screen; however, this leaves them exposed to the internet.

Keeping Up With Security Updates

Patching is another key security chore. In a hosted environment it is taken care of by your Service Provider: DLS. The DLS Hosted PBX Engineering team relies on a rigorous patching regime, as new vulnerabilities are found in VoIP systems frequently.

Using VLANs

The first step for VoIP security is to follow commonly accepted data networking best practices.

Voice traffic should be deployed on a separate physical or virtual LAN, or VLAN, from the data traffic. This helps protect the voice service if there is a denial of service attack on the data network.

DoS attacks can be a serious problem for VoIP service, as they can severely impact your call quality. Security systems such as intrusion prevention systems (IPS) or intrusion detection systems (IDS) combined with a properly segmented network using VLANs can provide protection from these types of attacks.

Networks must be designed to use VLANs properly in order to prevent packets from traversing VLANs. However, even if they are designed correctly, there are hacking tools available which can make packets do just that. Intrusion detection and prevention systems, which scan for patterns in incoming packets, are especially useful tools that help network administrators prevent and mitigate most types of attacks. Antivirus software also helps prevent known threats from disrupting the network.

Security Policy

Finally, in order to make sure that all that sweat equity invested in securing the network isn’t wasted, organizations need to enforce an end user security policy comprehensive enough to include voice over IP. Such a policy needs to clearly define end users’ responsibilities – such as keeping their passwords secret – and what applications they can download.

Adhering to a clear security policy should help prevent users from falling victim to phishing scams and other social engineering that can bypass all of the security measures enterprises put in place.

CONCLUSION

To summarize all this – voice network security depends on a comprehensive approach. Securely deploying unified communications requires the cross-functional participation of the expert personnel in your organization, combined with the careful planning, development, and implementation of a comprehensive communications security policy. To assist you in this, DLS Network Solutions and Services team offers design, testing, and implementation services to help ensure that your company has a unified communications solution in place with full security.