How to get Water Tight VOIP Security

Posted by on October 24, 2012 in VoIP [ 1 Comment ]

VOIP securityWhile VOIP, Voice over Internet Protocol, offers a number of cost advantages over traditional telephoning, it can also pose a security threat.

When it comes to getting water tight security for VOIP, all companies will have different requirements. There are three levels of security that most of the companies can be categorized into.

At the very least, your business needs to incorporate strategic security tactics so that others cannot access your data. Here are a few tips that will enable you to secure your VoIP and protect your business from potential hackers:

  • Applying security policies before you implement VOIP will enable you to have better protected devices. You can also apply and then test various security policies after your VOIP has been implemented to ensure that you are tightly secured.
  • For networks, you can implement MPLS VPN or Virtual Private Networks to enjoy a higher level of security. Implementing security protocol is essential and should be done based on the specific type of application being used. SIP applications for instance will require a different protocol than voice applications.
  • SAFW-SIP aware firewalls are a must and should be added to all of your existing systems. You can also add IPSec for security as well as encryption at the IP level.
  • Digital certificates can be added using a third party solution such as Kerberos and all of your UDP IPsec should be evaluated based on RFC 3948.
  • All call processing and feature servers need to be placed behind a firewall. Software feature loads should be encrypted and it is essential that you perform spyware, virus and intrusion as well as other security scans when you first boot up your systems.
  • Not overloading systems is essential as well. Ensure that all software and sets are only running the minimum of services that are required for use.
  • Gateways and phones should always be authenticated before signaling.

VOIP is an excellent way to boost production in your workplace, but it’s essential that you have security systems in place to avoid falling victim to threats. VOIP offers many benefits but only if you are properly secured. If you’re using wireless applications, they should be integrated over WiFi and you have to plan for both horizontal and vertical attacks.

Being secure often means being prepared so taking the necessary security precautions may seem a bit extreme but you simply never know when something may happen that will test your security precautions; experts agree that there is simply no way of knowing when or where an attack may take place.

It is critical that all of your staff is aware of what attacks could take place and that they do what they can to avoid these security threats. Being aware that a potential danger exists is often the first step in overcoming that danger.

Alert staff to be careful of what they say over the phone and if your organization has a PBX, you can check to see that the call manager software is properly filtering calls, detecting any that may seem suspicious. You may want to consider assigning one person on your staff with the responsibility of handling these suspicious calls and if you feel that you have been threatened, it is essential that you report your suspicions immediately.

VOIP can significantly increase productivity and has changed how many businesses operate. Keeping your VOIP secure offers more benefits than you may realize, and it’s integral that you ensure that every security measure is taken.

Photo credit: meship.com

This article was written by Abbey Telecom at abbeytele.com, suppliers of telephone system installation from the Highlands to the Channel Islands.

 


One thought on “How to get Water Tight VOIP Security


  1. avatarDavid Metcalf

    Hi,

    Thanks for the article, but how about just using TLS/SSL & ZRTP? These are standards based (see RFC6189) and don’t need custom VPNs or complex setups like kerberos & IPSec.

    The same as we have http & https, we have sip & sips equivalents e.g. sips://me@example.com (some older dialers might need something like sip://me@example.com;transport=tls). SIP is usually on port 5060, SIPS uses port 5061. As you would for setting up SSL/TLS on a web server, you can use a tool like OpenSSL to generate a private key and a public certificate for a SIP server. Get the certificate signed by an SSL certificate authority, install it on the server and you have secured signalling (assuming your clients support and use it). If your server doesn’t support SSL, you can use the open source “stunnel” application to act as a proxy, it accepts secure connections on 5061 and forwards locally on the server to the regular insecure sip port (5060).

    ZRTP is something different and can be used with or without TLS. While TLS provides encryption of the signalling channel, ZRTP together with SRTP provide encryption of the content stream, also known as the media path. ZRTP is the key exchange mechanism, it’s simple and everything is handled transparently for the user (key exchange, etc.). More and more clients are supporting it, e.g. Jitsi, CSipSimple, etc. Older clients without support can use proxy software like ZFone. ZRTP is responsible for exchanging the keys and works together with SRTP which actually encrypts the content. ZRTP also works with Jingle (the VoIP extension to XMPP).

    Check out the “Open Secure Telephony Network” project (https://guardianproject.info/wiki/OSTN). It’s still in it’s infancy, but has public testbed running. OSTel (http://ostel.me). If you want to setup an OSTN compliant server from scratch, there’s an example here using FreeSwitch: https://guardianproject.info/2012/05/17/build-your-own-open-secure-telephony-network-some-assembly-required/

    For IM encryption, e.g. SIMPLE (but working equally well with XMPP services like GTalk, Facebook, etc.), there’s the OTR protocol. Originally an ‘underground’ project, it’s now gaining significant traction, and available in clients like Pidgin, Adium & Gibberbot. http://www.cypherpunks.ca/otr/

    I really believe these protocols are the way forward to getting widely adopted, Internet scale & standards based security for VoIP.


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>