6 Steps to
SIP trunking security
How securing your network secures your phone lines.
There are stories that SIP has set
off a cyber crime wave of corporate
espionage and telephone fraud.
They say SIP opens up network
vulnerabilities, and that SIP trunking
lets anyone listen in on calls.
It’s not true.
The truth about SIP security.
SIP trunking is growing in popularity faster than any other toll phone service. Experts project SIP trunking will be the sole PSTN connection in 42% of businesses by 2016*. Beyond cutting
costs and adding features, decision makers are sold on SIP trunking’s ability to centralize PSTN access, failover instantly, and provision channels as needed to deal with spikes in call volume. They are comfortable implementing SIP because they know it doesn’t add vulnerabilities or put their organization at risk for fraud.
Security is only as good as the weakest link. In most cases, when it comes to information security, organizational networks are the weakest link. SIP trunking security is not only a question securing SIP connections. To keep SIP credentials, and all sensitive information, out of the hands of fraudsters,
the entire network must be secured.
SIP trunking only transmits
information you want to transmit.
SIP trunking is not an open door cut into firewalls, it’s a
controlled 2-way gateway to the PSTN.
SIP trunking doesn’t make it easier to eavesdrop on
call audio.
The myths about
SIP trunking can
be misleading.
Developments in business communications technology have created new usage patterns that require anywhere, anytime access to internal networks. Cloud-based SaaS, BYOD, and a remote and mobile workforce, are all placing greater demands on network availability while poking holes in network security.
Insecure internal and cloud-based networks are the access point fraudsters use to seize control of communications accounts and sensitive corporate data. These six steps will reinforce network fortifications, and save accounting departments from using up the bonus budget to cover fraud liability.
Securing IP communications
starts with network security.
1. Update all software
In addition to feature enhancements, software updates are released to patch security vulnerabilities. On a daily basis, people all over the world are working to find weakness in network-based software. When they find it, word spreads fast, and a targeted cyber crime wave ensues. Reputable software companies employ people to find vulnerabilities first, so they can update their product to keep customers safe.
It is important to update CRM, UC, PBX, or any other software that run on or access organizational networks.
The latest version will be the most secure from attacks. This applies to firmware too. So make
sure router firmware is up-to-date.
2. Create complex passwords
Local network and voice device security is critical when blocking intruders from tapping your calls.
Technology exists that can crack a 15 character password in a matter of minutes. It requires far more
computing power than is realistically in the hands of attackers, but as Moore’s Law states, computers grow more powerful every day. As processors become more powerful, exhaustive brute-force attacks against high-level encryption will become more feasible. An immediate threat is the ability to find dictionary words and common passwords that open account access. It is all too easy to build a crawler that will automatically attempt standard and default passwords (like 1234, etc.) in every password field it finds, until it gets one right.
3. IP authentication
Authenticating account access based on IP address is an excellent way to deflect unwanted intruders.
Lock down access by assigning a static IP address to each user, or user group, and establish a strict whitelist of approved addresses allowed network entry.
Alternatively (if mobile users need to login from a dynamic IP address), build a blacklist of IP addresses known to exhibit threatening behavior (or see step 4v). Lists can be found online, and/or third party or custom built tools can be employed to monitor log files and automatically block IP addresses that have failed a preset number of password attempts.
4. Only permit trusted SIP providers
A PBX is a potential entry point for security threats that needs to be locked down. Set firewalls to only permit trusted SIP connections by adding them to an IP whitelist so that intruders will be unable to
6. Establish secure connections
Business networks are being accessed from more and more locations as employees, and their work habits, become increasingly mobile. For fixed remote extensions such as home and satellite offices, you can gain control over the connection by setting up Virtual Private Networks rather than broadcasting
connection credentials over the public Internet.
If a dedicated connection is infeasible, use a non-standard SIP port (i.e. not 5060 or 5061)
to disguise the transmission and access point.
5. Understand your signaling and media
Research providers and how they handle call transmission, decide which criteria are most important for you. If you want end-to-end encryption,
SIPS plus SRTP is the the most secure, especially when the call won’t touch the PSTN.
It’s good practice to secure the transmission path as much as you can when sending calls over the (always unencrypted) PSTN. By using a provider that sends signaling and media to the PSTN in two streams of disassociated information when making outbound calls, voice data can be obscured from identification. That way, if criminals intercept signaling at the provider level, all they’ll have is numbers and IDs, not the audio.
When employees access your organization’s internal network from less established locations such as a public Wi-Fi connection (e.g., in a coffee shop),
anyone watching the network can see and capture credentials sent via clear text. Because employees
on the move demand nimble connections, establish secure connection protocols like SSL for all access
to any point in your network from anywhere.
The average cost of a toll fraud attack on a VoIP phone system in 2014 is roughly $36,000*. More often than not, the horror stories told about VoIP vulnerabilities stem from improperly secured networks. There are so many pros that it’s hard to find an argument against connecting telecommunications through a strong SIP provider. Securing your network against intruders secures every component of your network, including Internet phone lines. For more information on telephone security and other industry insights and updates, subscribe at blog.flowroute.com.