A Security Strategy for VoIP Environments
As the move to Internet-based telephony continues, it’s worth considering the most common threats to sensitive data and business intelligence. When telephony moves online, you need to think about the impact on your overall security strategy, because your voice traffic now shares a set of risks that most companies don’t associate with telephony.
Step 1: Identify the Risks
Before you can proceed with implementing security measures and techniques, it’s essential to know what it is you’re trying to guard against.
Many users are still unaware of the possible consequences of transmitting sensitive call data across the public Internet. When voice data is sent over the Internet, it can remain unencrypted unless specific measures are taken to encrypt it first. Hackers now have a formidable arsenal of tools that can make intercepting and accessing unencrypted VoIP traffic an easy task.
Begin by establishing your security goals. You’ll probably want to keep your VoIP service running continuously, without disruptions. You’ll need to protect sensitive customer information and business data, including call transcripts and transaction records. And you’ll want to prevent unauthorized users from making calls and gaining access to your network.
Knowing the type of person or organization that poses a threat – and their motivations for attacking – is also a must.
At one level, some attackers simply want to gain access to VoIP services for toll fraud. By piggybacking on your system, they’ll be able to enjoy free international and long-distance calls and data transmissions.
Disgruntled insiders or ex-employees may want to disrupt a VoIP network so that the downtime costs the company money and damages its reputation.
Organized assaults on a VoIP system may be initiated to gain access to confidential information (from a business and its customers), along with telephone numbers, IP addresses and so on. These may be sold on to competitors, or used to redirect calls for other purposes.
Step 2: Secure It In Transit
As with general web traffic, a major safeguard for VoIP data in transit is encryption, or scrambling of the information so that it can’t be easily deciphered or read.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the prevailing standards for data encryption and can be used to protect the SIP (signaling) and RTP (media) traffic between the switch and the endpoint or phone.
Connections on a VoIP session can be secured by imposing TLS on Session Initiation Protocol (SIP) transmissions during control sessions. Communications on the network between clients and servers are secured through encryption against message tampering and so-called “man-in-the-middle” attacks (interception of the data transmitted). Unless both sides of a dialogue (client and server) agree on the TLS connection with its associated encryption keys, no transmission takes place.
Protecting the SIP traffic will contribute to protecting the “meta-data” of the VoIP call. SIP traffic includes a ton of valuable information to an attacker such as IP addresses, user credentials, call details, text messages, and voicemail details.
Step 3: Secure It In Real Time
Using SSL and TLS to protect your SIP traffic is not enough on its own; you still need to go a step further. VoIP calls use RTP (Real-Time Transport Protocol) to transmit the actual audio of the call, so it’s still necessary to encrypt the streams of voice data in real time. Secure Real-Time Transport Protocol (SRTP) does this, and is typically used to provide security for media transmissions (streaming video, audio, etc.). VoIP networks can use it to encrypt voice calls in transit, and when combined with header compression, there’s minimal effect on the Quality of Service (QoS).
Data files, videoconferences and the like enjoy additional protection, as SRTP guards against manipulation of multimedia content as it’s being streamed. This replay protection prevents words from being substituted or key images swapped out – which could have potentially damaging consequences.
SRTP does impose an overhead, and a slight delay to the transmission of voice packets. But, with the increasing level of online attacks and threats, it’s worth considering.
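An added example (not part of the original article) that audits a captured SIP INVITE for the two protections described in Steps 2 and 3: TLS on the signaling path and an SRTP profile on the media lines. The function names, the sample messages and the placeholder key are constructed for illustration; the check also flags the SDES case, where the SRTP key travels inside the SDP body and is readable whenever the signaling itself is not encrypted.

```python
import re

SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_invite(message: str) -> list[str]:
    """Return security findings for one SIP message carrying an SDP body."""
    head, _, sdp = message.replace("\r\n", "\n").partition("\n\n")
    findings = []
    # Step 2: every Via hop should name an encrypted transport (SIP/2.0/TLS).
    transports = re.findall(r"^(?:Via|v):\s*SIP/2\.0/(\w+)", head, re.M | re.I)
    signaling_secure = bool(transports) and all(
        t.upper() in ("TLS", "WSS") for t in transports)
    if not signaling_secure:
        findings.append("signaling: plaintext transport " + ",".join(transports))
    # Step 3: each m= line should offer an SRTP profile, not plain RTP/AVP.
    for media, proto in re.findall(r"^m=(\w+) \d+(?:/\d+)? (\S+)", sdp, re.M):
        if proto.upper() not in SRTP_PROFILES:
            findings.append(f"media: {media} offered as {proto} (unencrypted RTP)")
    # SDES carries the SRTP master key in the SDP (a=crypto), so the key is
    # only as confidential as the signaling channel that transports it.
    if re.search(r"^a=crypto:", sdp, re.M) and not signaling_secure:
        findings.append("keying: a=crypto SRTP key exposed on plaintext signaling")
    return findings

def build_invite(transport: str, profile: str, crypto: bool) -> str:
    """Constructed sample INVITE (documentation addresses, placeholder key)."""
    sdp = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
           "t=0 0", f"m=audio 49170 {profile} 0"]
    if crypto:
        sdp.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY")
    head = ["INVITE sip:bob@example.com SIP/2.0",
            f"Via: SIP/2.0/{transport} 192.0.2.10;branch=z9hG4bK1",
            "Content-Type: application/sdp"]
    return "\r\n".join(head) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"

if __name__ == "__main__":
    cases = [("UDP", "RTP/AVP", False), ("UDP", "RTP/SAVP", True),
             ("TLS", "RTP/SAVP", True)]
    for case in cases:
        print(case, "->", audit_invite(build_invite(*case)) or "no findings")
```

The middle case is the one that is easy to miss: the media line advertises SRTP, yet the call is still exposed because the key is sent in the clear.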
Step 4: Secure Your Network
When most companies make the transition to VoIP, they fail to recognize that their voice and data now share much of the same network infrastructure. Firewalls, antivirus suites, gateway protection and other tools for network security should be put in place, if they aren’t there already. The majority of VoIP attacks and breaches are due to network security issues, not VoIP vulnerabilities. This is why it is so important to implement a layered security policy or invest in Managed Security from your IT provider.
To guard against outages and downtime, redundancy (standby power supplies, backup servers, data backups etc.) should be built into your VoIP network. Servers and essential hardware should be securely hosted, and secured as appropriate.
Software should be regularly updated and patched, and intrusion-detection systems should be used to regularly monitor your system hardware and software. Threat conditions change over time, so it’s important to conduct security audits on a regular basis.
Step 5: Secure Your Organization
Network security and encryption measures aside, your VoIP environment won’t be truly safe without the participation of your own people. Human error is always a given, and there may be corrupt or disgruntled parties to add to the mix. So you’ll need to make sure your in-house security is sound.
This means setting a policy for strong passwords (which should be changed by everyone, on a regular basis), multi-factor authentication (access control requiring confirmation with an external or mobile phone profile), and the like.
There may be regulatory compliance issues to take into account as well. For example, any VoIP system which transmits customer credit card details must use data encryption that satisfies the Payment Card Industry Data Security Standard (PCI DSS). Health care information needs to be protected and is subject to HIPAA requirements, etc.
All these factors should be taken into account when developing a VoIP security strategy.