9 points in securing voice over IP and unified communications

By Bruce Downing

Information security has been an increasingly popular topic in the mainstream media, particularly in Singapore.

In early 2012, the National University of Singapore (NUS) confirmed that hackers had infiltrated one of the university’s backend web servers, stolen a trove of information and published it – including staff usernames, domain information and encrypted passwords – to demonstrate the weakness of NUS’ network security.

Even though the affected data was not deemed confidential by NUS, the university had to work carefully to inform the public and reset the passwords of all the affected accounts. 

Subsequently in December 2012, 17 government websites, including the People’s Association (PA) website, were hacked by a group called HighTech Brazil Hack Team, which claims to have hacked over 3,000 sites globally – to illustrate vulnerabilities in high-profile sites including unpatched systems, poor Web coding and misconfigured security policies. 

Then, in June 2013, Singapore Traditional Chinese Medicine manufacturer and retailer Eu Yan Sang had its website defaced by an Indonesian perpetrator in response to Singapore netizens complaining about Indonesia’s responsibility for Singapore’s recent haze – resulting in lost online sales and damaged brand credibility.

As hacktivism and information-security stories are making the headlines for reasons varying from political points of view, to monetisation, to whimsical entertainment, it is a good time for organisations that rely on VoIP and unified communications (UC) to reassess what they need to do to protect themselves and make sure they are following the best practices of information security. 

Here are nine considerations to secure your VoIP or UC system:

1.     Know your core security objectives

There are four core objectives for securing a VoIP or UC system: availability, confidentiality, integrity and accountability. Your phone system must be available so that your business can continue running smoothly.

In addition, you also need to protect against unauthorised access to sensitive communications and information, ensure that the integrity of that information exchange has not been compromised, as well as maintain compliance with a variety of industry and government regulations.

In addition, companies typically track usage of voice, messaging and video communications for auditing, compliance and business-planning purposes. 

2.     Take a strategic approach to information security

UC provides your business with new ways to communicate and collaborate, beyond just phone calls, and some of these interactions may allow proprietary or sensitive information to be exchanged.

Focus on how the UC system will be used in its different modes of communications (voice, web conferencing, video calls and presence location) and if there are desired restrictions related to their business use.

Address security issues in a systematic fashion to mitigate risks and ensure your organisation stays in compliance with the appropriate regulatory mandates.

3.     Follow best practices for network security

IP voice is just another type of traffic on your network, so general best practices for network security apply.  Many organisations use virtual LANs (VLANs) to separate voice and data traffic.

If your business has multiple locations, your IT department can set up quality of service to ensure that voice traffic gets priority access to the network so that users have the best possible voice quality.

Traffic shaping can be used to allot bandwidth to specific applications, so even if the network is under attack, there will be bandwidth available for voice traffic.

It is important to use firewalls between your network and the connection to the outside world. They prevent unauthorised traffic from entering or leaving your company’s network, which helps protect your business from attacks and malware.

You can also create rules on the firewall to control tightly which applications and traffic are allowed to pass onto the corporate network. 

4.     Protect against eavesdropping

Unscrupulous employees or outsiders may try to eavesdrop on key employees’ VoIP conversations – especially executives or staff working in the finance and legal departments.

IP voice should be protected against unauthorised recording, playback and other forms of electronic snooping.

When protecting sensitive communications, you have to choose a UC system that offers 128-bit media encryption, which is the strongest protection against electronic eavesdropping and replay attacks.

5.     Address SIP security concerns upfront 

The use of Session Initiation Protocol (SIP) trunking is increasing in popularity as an alternative to using traditional T-1 lines to connect IP phone systems to your service provider and the world at large.

According to Infonetics, 38 per cent of companies are using SIP trunking today and the research firm expects that number to reach 58 per cent by 2015.

There are numerous appealing reasons to use SIP trunks, including more flexibility to changing demands and WAN capacities, lower communications costs, enabled collaboration services, and consolidated network connections.

If you use SIP trunks, you need to take some extra steps to ensure that the system is secure.  Common SIP attacks include denial of service, embedding malicious code in SIP messages, registration hijacking, eavesdropping and redirected voice calls.

You can either rely on your service provider’s session border controller (SBC) to protect you or you can deploy your own SIP-capable firewall or SBC at the enterprise edge.

Deploying your own SIP firewall or SBC allows you to maintain control of what traffic can cross into your LAN. An SBC or SIP firewall also has the advantage of being able to bridge between the varied versions of SIP used by different vendors. 
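The kind of policy check a SIP firewall or SBC can apply to REGISTER requests to catch registration hijacking is sketched below. This is an added example, not part of the original article and not any vendor's implementation. The network range, domain names and messages are constructed, and it assumes phones register directly from a voice VLAN with no NAT in between.

```python
import ipaddress
import re

# Assumption: phones only register from this internal voice VLAN range.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Pulls the user and host out of the To and Contact headers of a SIP message.
HEADER = re.compile(r"^(To|Contact):\s*<sip:([^@>]+)@([^:;>]+)", re.I | re.M)


def make_register(user, contact_host):
    """Build a minimal, constructed REGISTER request for the sample data."""
    return ("REGISTER sip:pbx.example.com SIP/2.0\r\n"
            f"To: <sip:{user}@example.com>\r\n"
            f"Contact: <sip:{user}@{contact_host}:5060>\r\n"
            "Expires: 3600\r\n\r\n")


# Constructed events: (source IP seen at the edge, raw SIP message).
SAMPLE = [
    ("10.20.1.15", make_register("alice", "10.20.1.15")),
    ("10.20.1.22", make_register("bob", "10.20.1.22")),
    ("203.0.113.77", make_register("alice", "203.0.113.77")),
    ("10.20.1.30", make_register("carol", "198.51.100.9")),
]


def inspect_register(src_ip, message):
    """Return a list of policy findings for one REGISTER request."""
    if not message.startswith("REGISTER "):
        return []
    fields = {m.group(1).lower(): (m.group(2), m.group(3))
              for m in HEADER.finditer(message)}
    if "to" not in fields or "contact" not in fields:
        return ["malformed: missing To or Contact"]
    findings = []
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in TRUSTED_NETS):
        findings.append("source outside voice network")
    # A binding that points calls at a different host than the sender
    # is how a hijacked registration redirects incoming calls.
    if fields["contact"][1] != src_ip:
        findings.append("Contact host differs from sender")
    return findings


def audit(events):
    """Return (source IP, findings) for every request that breaks policy."""
    results = [(src, inspect_register(src, msg)) for src, msg in events]
    return [(src, found) for src, found in results if found]
```
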

6.     Secure those mobile devices

Whether your company agrees to the bring-your-own-device (BYOD) movement or buy-me-an-iPad philosophy, you need to make sure that communications on these mobile devices are secure – regardless of whether users connect to internal or external wireless LANs, cellular or wired networks.

Using authentication and encryption is the first step to ensuring communications between each user’s mobile device and the mobility server are secure. When connecting from home or a public Wi-Fi hotspot, the addition of a VPN will provide additional security.

A good UC solution can provide secure mobile UC from Android, Apple, BlackBerry, and other mobile devices on ShoreTel, Cisco, Avaya, Nortel and Microsoft phone systems.

In addition, the related software should also enforce the appropriate security policies and secure the communications between the client device and the enterprise UC system. 

7.     Prevent fraud and abuse

Toll fraud is one of the largest threats to enterprise-voice systems today, so it is important to take steps to prevent fraudulent use of your phone system. With toll fraud, hackers tap into your phone system and then resell those toll-free numbers to as many people as possible.

Most often, the buyers make unauthorised calls to international numbers. The costs of toll fraud add up fast.

If the fraudulent calls are not noticed before the monthly bill arrives, the business can have an unpleasant shock – and service providers typically will not waive the charges, since the calls were actually made from your business.

To prevent toll fraud, it is essential to configure the IP phone system properly. Strong passwords are also a must.

Finally, you can limit the redirection of incoming calls to outside numbers and use call-detail reporting to monitor and log international call activity. 
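One way to put call-detail reporting to work is to review the records daily for off-hours international calling instead of waiting for the monthly bill. The script below is an added example, not part of the original article. The record layout, phone numbers, home prefix, business hours and thresholds are all constructed assumptions to adapt to your own system's export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample call-detail records (not from a real system).
SAMPLE_CDR = """start,extension,dialled,duration_s
2013-06-03 10:15:00,2001,+6565551234,180
2013-06-03 14:02:00,2002,+442055501234,600
2013-06-04 02:11:00,2107,+5355550101,1500
2013-06-04 02:40:00,2107,+5355550102,1700
2013-06-04 03:05:00,2107,+5355550103,1600
2013-06-04 03:31:00,2107,+2525550104,1400
2013-06-04 11:20:00,2001,+6565559876,240
"""

HOME_PREFIX = "+65"                # assumption: the business is in Singapore
BUSINESS_HOURS = range(8, 19)      # assumption: 08:00 to 18:59, Monday to Friday
MAX_OFFHOURS_INTL_CALLS = 2        # assumption: per extension per day
MAX_OFFHOURS_INTL_SECONDS = 1800   # assumption: per extension per day


def is_international(number):
    return number.startswith("+") and not number.startswith(HOME_PREFIX)


def flag_toll_fraud(cdr_text):
    """Return {(extension, date): (calls, seconds)} for suspicious days."""
    totals = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(cdr_text)):
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        if not is_international(row["dialled"]):
            continue
        # Daytime weekday calls abroad are treated as normal business.
        if start.weekday() < 5 and start.hour in BUSINESS_HOURS:
            continue
        key = (row["extension"], start.date().isoformat())
        totals[key][0] += 1
        totals[key][1] += int(row["duration_s"])
    return {key: tuple(val) for key, val in totals.items()
            if val[0] > MAX_OFFHOURS_INTL_CALLS
            or val[1] > MAX_OFFHOURS_INTL_SECONDS}


if __name__ == "__main__":
    for (ext, day), (calls, secs) in flag_toll_fraud(SAMPLE_CDR).items():
        print(f"ALERT ext {ext} on {day}: {calls} calls, {secs} s")
```
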

8.     Perform regular security maintenance

It is crucial to perform regular patching and keep security protection updated on both endpoints and the UC system itself.  

9.     Consider the security architecture of the UC platform 

A reliable UC system architecture should have built-in security with an embedded system platform, distributed intelligence and network-independent call control.

Its software should run on a hardened appliance that has no moving parts other than a fan, whilst the voice switches deliver almost 100 per cent availability. Call control should be distributed, with no single point of failure.

Lastly, voicemail and automated attendant should also be distributed in the voice switches to provide remote security. 
