SIP security checklist helps lock down your SIP trunks

Part five of our series, SIP Trunking Explained, walks you through the dos and don'ts to prevent SIP security breaches that could lead to toll fraud using a layered approach.

Editor's note: Part five of our SIP Trunking Explained series looks at the VoIP network security implications of SIP trunking and how to handle them. Check out the rest of the series (see box below) for essential information on SIP vs. PRI, selecting a SIP trunking provider, how to enable your legacy equipment, how to calculate how much VoIP bandwidth you'll need for SIP trunking services, and the advantages of SIP trunking.

As with most technologies, SIP trunking also has security concerns, which consist mainly of toll fraud. Hackers are unlikely to launch a successful attack against a legacy telephone system and gain access to it. With SIP-based systems, however, attacks can be directed at IP addresses belonging to the telephony system and are more likely to find ways to penetrate it to make international calls.

SIP trunk security encompasses a number of different issues. To address them, most security vendors prefer a layered approach to provide an effective way of isolating and protecting the telephony system and the communications path to the SIP service provider. The layered approach avoids placing the whole security solution into a single box, which means a single firewall shouldn't be used to try to protect the whole infrastructure, even though that approach is common.

Of course, vendors are also responsible for many toll fraud incidents because their systems are either buggy or are not configured with a default mechanism that would help protect against toll fraud.

Here are some tips to help identify which areas of SIP security need to be changed or redesigned to help avoid unpleasant surprises.

Ensure complex passwords for your SIP trunk: SIP trunk providers require authentication in order to allow incoming and outgoing calls from the SIP trunk. Make sure complex passwords are used for the authentication process to your SIP provider.

Limit access to the telephony system: Only specific people from specific locations should have access to the telephony system. In most cases, the telephony system is incorrectly placed on the same network and virtual LAN (VLAN) as other network traffic. Always ensure your telephony systems are isolated in a separate VLAN and that the correct VLAN security policies are in effect. Check out Firewall.cx's VLAN Security article for more information.

Avoid port forwarding: The easiest and most dangerous method of getting a SIP trunk with your provider is to port forward the necessary ports (TCP/UDP 5060 & 5061) from your router/firewall directly to the telephony system. Port forwarding is extremely dangerous and can expose critical parts of your network to the public.

Make use of intrusion detection systems (IDS): IDSes help detect and mitigate attacks to your systems. Make sure a correctly configured IDS is in place to monitor all communications with your SIP provider. The IDS should automatically alert the administrator when attacks are in progress.

Lock your SIP trunk against toll-fraud access: Ensure some type of secret number must be entered before international calls can be made. This is a simple, but very effective, way to limit toll fraud on international calls.

SIP Trunking Explained

You've got the basics, now read the rest:
Understand the basics of SIP vs. PRI
Find the right SIP service provider for your telephony system
How much VoIP bandwidth you need for SIP trunking
Highlight reel: SIP trunking advantages

Accept SIP traffic only from your SIP provider: Block traffic from all external sources except your SIP provider. This will help limit access to your telephony system and minimize chances of unauthorized access.

Encrypt SIP traffic with TLS and RTP: Transport Layer Security (TLS) can be used for signaling encryption (SIP TCP) and authentication, while Real-time Transport Protocol (RTP) can be used for media encryption. While TLS and RTP provide a serious level of encryption, they must be supported by both the telephony system and the SIP trunk provider.

Update and patch your security systems: Keeping security systems up to date is very important, especially when IDSes, intrusion prevention systems (IPSes) and firewall systems are involved. This helps take care of any bugs, exploits and security holes that have been discovered and published by your security vendor.

Always back up your systems: No matter how simple or complex your telephony and network security systems are, always make sure you have a valid and recent backup.
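The "Avoid port forwarding" and "Accept SIP traffic only from your SIP provider" items can be checked against a firewall export. The following is an added example, not code from the original article: it reads an `iptables-save` style excerpt and reports DNAT rules that forward the SIP ports from any source outside an allowlist. The sample rules, the provider address and the function names are constructed for illustration, and negated (`! -s`) and IPv6 rules are assumed absent.

```python
import ipaddress
import re

SIP_PORTS = {5060, 5061}

# Constructed iptables-save excerpt (nat table); all addresses are documentation ranges.
SAMPLE_RULES = """\
-A PREROUTING -i eth0 -p udp -m udp --dport 5060 -j DNAT --to-destination 10.0.20.5:5060
-A PREROUTING -s 203.0.113.10/32 -i eth0 -p udp -m udp --dport 5060 -j DNAT --to-destination 10.0.20.5:5060
-A PREROUTING -i eth0 -p tcp -m multiport --dports 5060,5061 -j DNAT --to-destination 10.0.20.5
-A PREROUTING -s 198.51.100.0/24 -i eth0 -p tcp -m tcp --dport 5060:5061 -j DNAT --to-destination 10.0.20.5
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.30.8:443
"""

# Assumed SIP provider signalling address (placeholder, replace with your carrier's).
PROVIDER_NETS = [ipaddress.ip_network("203.0.113.10/32")]


def rule_ports(rule):
    """Return the destination ports a rule matches (single port, lo:hi range or multiport list)."""
    m = re.search(r"--dports? (\S+)", rule)
    ports = set()
    for part in (m.group(1).split(",") if m else []):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def audit(rules_text, provider_nets=PROVIDER_NETS):
    """Return (line number, source) for DNAT rules exposing SIP ports beyond the allowlist."""
    findings = []
    for n, rule in enumerate(rules_text.splitlines(), 1):
        if "-j DNAT" not in rule or not (rule_ports(rule) & SIP_PORTS):
            continue
        m = re.search(r"(?<!\S)-s (\S+)", rule)
        # A rule with no -s matches every source address.
        src = ipaddress.ip_network(m.group(1) if m else "0.0.0.0/0", strict=False)
        if not any(src.subnet_of(net) for net in provider_nets):
            findings.append((n, str(src)))
    return findings


if __name__ == "__main__":
    for line_no, source in audit(SAMPLE_RULES):
        print(f"rule {line_no}: SIP port forwarded from {source}")
```
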

When it comes to network security, you can never be secure enough when connected to the Internet. Keeping your company and communication channels secure from the large range of attacks and dangers on the Internet is an ongoing daily effort.

This was last published in October 2014

Join the conversation

1 comment

Some others:
- Not using the standard port 5060, this needs to be coordinated with the carrier or other end but can prevent problems as this is a standard port that is scanned hundreds of times a week looking for potential targets.
- Real-time monitoring, see what is going on in real-time (or even near real-time) to prevent end of month bill shock. This should include threshold monitoring of number of calls, maximum cost of calls per day/hour, time of day monitoring (most fraud happens overnight, weekends, or holidays), and destinations (do all extensions really need to be able to call Cuba/Afghanistan/Palestine/etc.?)
- Use white lists rather than blacklists, block everything and only allow in the IP of your carrier, known address of authorized phones (off-site employees/offices/partners). If you block something that is needed you will hear about it and can add it but you will be protected from many of the hacks out there.
- Remember NAT is not a form of security, these days scanning all IP addresses takes no effort for those doing the hacks as it is automatic and can be done via bots.
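
The threshold monitoring described in the comment above can be run over call detail records. The following is an added example, not part of the original article or comment: it checks each record against a destination allowlist, a business-hours window, an hourly call count and a daily cost ceiling. The CSV layout, the sample records, the threshold values and the function name are all constructed assumptions.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample CDRs (hypothetical layout: start,extension,dialed,seconds,cost).
SAMPLE_CDRS = """\
2014-10-13T10:05:00,1001,+12125550100,120,0.10
2014-10-13T14:30:00,1002,+442079460000,300,0.90
2014-10-14T02:10:00,2001,+5350000001,600,4.50
2014-10-14T02:21:00,2001,+5350000002,610,4.60
2014-10-14T02:33:00,2001,+5350000003,590,4.40
2014-10-14T02:45:00,2001,+5350000004,620,4.70
"""

# Assumed policy values; derive real ones from your own traffic baseline.
ALLOWED_PREFIXES = ("+1", "+44")   # destinations the business actually calls
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59, Monday to Friday
MAX_CALLS_PER_HOUR = 3             # per extension
MAX_COST_PER_DAY = 10.00           # per extension, in billing currency


def analyze(cdr_text):
    """Return (extension, rule, detail) alerts for CDR text in the layout above."""
    alerts = []
    calls_per_hour = Counter()
    cost_per_day = defaultdict(float)
    for start, ext, dialed, _secs, cost in csv.reader(io.StringIO(cdr_text)):
        ts = datetime.fromisoformat(start)
        if not dialed.startswith(ALLOWED_PREFIXES):
            alerts.append((ext, "destination", dialed))
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            alerts.append((ext, "off-hours", start))
        hour_key = (ext, ts.strftime("%Y-%m-%d %H"))
        calls_per_hour[hour_key] += 1
        if calls_per_hour[hour_key] == MAX_CALLS_PER_HOUR + 1:   # alert once per hour bucket
            alerts.append((ext, "call-rate", hour_key[1]))
        day_key = (ext, ts.date().isoformat())
        before = cost_per_day[day_key]
        cost_per_day[day_key] += float(cost)
        if before <= MAX_COST_PER_DAY < cost_per_day[day_key]:   # alert once when crossed
            alerts.append((ext, "daily-cost", day_key[1]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_CDRS):
        print(*alert)
```
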