Flexibility and cost savings are the main reasons why more and more businesses are turning to VoIP based systems for their business telephone needs. But while there are compelling reasons to switch to this technology, there are also some considerations, not least of which is VoIP security.
Because it uses an internet connection, the security of VoIP needs to be properly implemented. That means understanding the potential threats and knowing how to counter them
VoIP wholesale carrier threats
As a general rule, VoIP vulnerabilities can be broken into three categories. These are protocol, application and implementation, let’s look at some examples of each. A protocol vulnerability might, for example, be used to launch a denial of service attack by falsely turning on message waiting indicators, getting users to needlessly check their voice mail.
An application vulnerability would be a software flaw – in scripting for example – that allowed back door access to the computer. Perhaps the most serious type of vulnerability is in implementation. There have been cases where poorly configured system infrastructures have allowed hackers to listen into conversations via a man-in-the-middle style attack.
Things are further complicated by the very flexibility of VoIP. Some endpoints, for example, may not be directly connected to the network. They may be connections via a mobile app or remote workers operating from home and therefore harder to secure as communication from these devices may not be encrypted.
Implementing a VoIP system involves a range of equipment including endpoint hardware, call servers, proxies and gateways, all of which increase the potential attack surface. These constitute attractive targets for hackers and mean that converged voice and data networks as used in unified communications strategies can fall victim to new exploits.
Securing VoIP
Knowing where the threats come from is the first stage in planning to secure your VoIP system. You might want to start by looking at the security of your existing systems for both IT and PSTN. Any system that relies on physical cabling can potentially be ‘sniffed’ if the hackers have access to the internal network. The best way to guard against this is to encrypt traffic and this is generally easier and cheaper to achieve on VoIP systems.
In a sense, the nature of VoIP makes it inherently more secure than PSTN. This is because it’s easier to provide authentication of users and to encrypt traffic. You are also able to take advantage of the system’s configuration options to prevent abuse. You can restrict who is able to make overseas calls, for example. You can tighten access control too by adding options such as two-factor or biometric security.
For endpoints that access your VoIP system remotely, the best practice is to provide access via VPN. This gives remote users what is effectively a private tunnel to the system which is encrypted so that the traffic cannot be intercepted by an attacker.
IP phones connected to internal networks need consideration too. The key issue here is the use of the phone’s Ethernet port. This is something that most IP phones have in order to allow a PC to connect to the network using a single port. For security and reliability, it’s important that this is properly configured at the switch so that multiple devices are allowed to access the same port.
If you are concerned about the risks arising from mixing voice and data traffic on the same network, you might want to consider setting up separate virtual networks (VLANs) to logically segregate the traffic.
VLANs are not, of course, immune to attack, but by separating voice and data traffic you reduce the risk. As always, it’s crucial to keep your security software and the software of any network switch equipment up to date to reduce the risk of zero-day attacks.
VoIP communications are increasingly a part of enterprises today and so their importance cannot be underestimated. In terms of keeping them secure, the information security team needs to make sure that it works with both VoIP users and management.
No system is perfectly secure, whether PSTN, mobile networks or VoIP systems, all require consideration and careful security planning. However, because VoIP systems are essentially network and computer-based, they allow for significant improvements to be made to security. Using VoIP allows for the addition of security enhancements, including better authentication, together with encryption of communication traffic. All of these can help to minimise the risks of using IP-based voice systems.
As with any technology, there will always be some level of security risk with VoIP. However, businesses that put in place proper VoIP security measures can achieve a higher level of voice communication security than is possible with older systems.
