An evolving good news story
The initial promise of VoIP deployments was savings on toll bypass while completing your calls over data networks. As time went on the IP PBX was integrated with converged messaging, identity systems, call centers, and interactive media over complex LANs and WAN infrastructures operated by multiple ISPs. Improvements and maturing of IP Telephony brought reliability, convenience, and true cost-effectiveness. However, concerns over VoIP security arose and had slowed full adoption. Enterprises can achieve a great security posture by being aware of the unique and common vulnerabilities of voice over data infrastructures. Best Practices for VoIP security are essential in planning architecture, education, and operation of your investments.
Whether a ‘Do-It-Myself’ IP PBX system is internally put up, or a partnership is struck with a Communication Service Provider (CSP), all of the potential VoIP Security issues need to be identified, understood, and addressed. The delivery of VoIP security is a shared responsibility between the user base, IT staff, a service provider, and even the Original Equipment Manufacturer (OEM).
First off, verify your risk
Your initial thoughts on VoIP security as a small or medium business owner may be that you’re likely not a target based on company size and the assets you operate. True, a chain of 5 Pizza stores may not hold many secrets in a breach, but still carries card payment information and the privacy expectations of loyal customers. Large target organizations like financial institutions, political parties, and retailers must take a holistic approach and are obligated to make serious investments. The 3 broad assumptions are helpful to understand today’s landscape.
- Vulnerabilities present for data in motion (or at rest) is also applicable for VoIP traffic, servers, and services
- Security is like insurance. Your investment should be consummate with the potential losses of critical assets and possible damage to your brand.
- VoIP Security can be safer than legacy TDM voice with IT knowledge and vigilance.
VoIP vs landline security
Traditional analog voice networks are very mature and often delivered end to end by trusted major carriers within Canada. Audio signals are switched over analog lines at the in-house PBX or the service provider’s often aging infrastructure. TDM Voice Trunks and Toll Fraud has dwindled. Today the biggest vulnerability is listening devices like Butt Sets that can be used in the wiring closet. They are now commercially available to anyone and not just Telecom technicians. Many traditional ‘telephone rooms’ operated with questionable physical security from internal employees.
Conversely, the VoIP traffic is usually encrypted and likely not worth the effort to decode with a sniffing device even if it can be captured. Today cell phones make free calls from a LAN with special precautions. Voice servers are now peers with and present a similar risk as any business server. Some vulnerabilities exist but an ‘informed administrator’ can achieve acceptable VoIP security with solid internal and externals partnerships.
Minimize the Risks: #1 Partner with your User Base
Action items to gain buy-in from employees throughout a VoIP migration:
- Provide training on the new phone systems operation and benefits
- Set policies on IPT passwords, PINs, and multifactor authentication
- Provide security awareness training to safely empower the end-users
- Have employees report anomalies. (eg. missing voicemails or redirected calls)
- Physically lock down access to voice components and LANs
- Turn down unused Ethernet ports and document voice operations
- Strategically roll out new communications features with new security asks
- Measure and report operational availability and user adoption of VoIP
- With mobile BYOD, employees should avoid unsecured public WiFi such as coffee shops and airports.
- iOS and Android firmware require security patches as they become available.
Minimize the Risks: #2 On In-House IP PBX Deployments
The beating heart of your voice deployment is now the IPT Call Server. Its main job is for the signaling required for the call setup. Once connected it then watches VoIP/internet performance and provides administration functions. It needs tight control by qualified staff so new skills need to be in place. The voice gateway, LAN, and endpoints also need to be secured with the following:
- Architect IP voice traffic over isolated LAN segments
- Lock Down unused Ethernet ports on the LAN
- Lockdown physical and administrative access to VoIP appliances
- Encrypt traffic with TLS and SRTP for media streams
- Document new policy and enforce operational best practices
- Scan for relevant security vulnerabilities (CVSS cases) at NIST.Gov or expect Security Advisories from your IP PBX equipment partner
- Firewall your Call Server for unused protocols and broad admin web access
- Turn on security features provided by the equipment manufacturer
- Treat the Deskset as a vulnerable endpoint that needs patch management
- Implement DDoS appliances or outside services to mitigate IP attacks
- Analyze call logs and/or view the critical events at an in-house SIEM
- Prepare for worst-case scenarios and plan quick remediation from in-house experts or external support assistance
- Consider your risk as a DDoS target at IT systems and Voice gateways
Your voice servers are running one of Linux, Unix, VxWorks, or Windows so you need to treat them all as IT infrastructure. They are often integrated with authentication services, CRM, email, and call center software. Remember that the ultimate prize for most bad actors is creating chaos or stealing corporate data on other business systems. Bring the same IT discipline to your VoIP security practice so as not to be the weakest link that intruders choose to gain access to the enterprise.
Minimize the Risk: #3 Partner with a Communications Service Provider (CSP)
A popular choice and growing trend are to buy finished VoIP services from a CSP rather than taking on 100% of the operational headaches and capital outlay. A ‘per seat’ pricing model applies on a pay-as-you-grow basis. Collaboration features can be easily layered on top of basic voice functions to augment user productivity.
Although most CSP will sell on features and price, the educated buyer may have to bring up the security conversation during the selection process. Security considerations may sway your decision on which partnership is right for your organization. You may not be able to review their internal cloud architecture but ask potential CSPs about, and request proof of:
- Current experience and current investment in VoIP Security protection
- In-house Security skills and certifications by support staff
- Professional Service offers for your IT and VoIP security integration
- Investment in 3rd party security tools to assist troubleshooting
- Complimentary services like Identity Management or DDoS Protection
- Accreditations HIPPA, PIPEDA or Payment Card (PCI) compliance
- Sharing industry security alerts & perform regular firmware updates
- Incident Response & policy of publicly sharing security breaches
- They assist and test basic VoIP security during the onboarding phase
- A console that includes monitored security event logs and alerts
VoIP Security in Short
Today’s VoIP platforms and providers will provide a safe environment for business-grade quality voice conversations when adhering to best practices already in place for cyber and network security. Go forward with confidence on a new VoIP PBX deployment or choose a service partner that shares your vision on the security of a voice platform.
The Canadian Government also offers a good list of tips referred to VoIP utilization @ GetCyberSafe.ca