Sergey Nivens - Fotolia
Voice gateways are critical for any unified communications service as they connect voice over IP networks to telecom providers and analog devices. While configuring a voice gateway might be straightforward, keeping it secure is a different story.
Unfortunately, voice gateway security is not well known among VoIP engineers, IT departments and, in some cases, UC providers. Ever since enterprises embraced VoIP technology, voice gateway security was not an issue until unauthorized calls -- costing thousands of dollars -- started appearing on companies' communications bills.
Voice security is very complex. Many vendors use their voice gateways to terminate telecom provider VoIP trunks and mobile user VoIP applications or transcode voice sessions between endpoints. This introduces additional complexity when trying to secure such a demanding environment.
Additionally, voice security involves protecting multiple VoIP protocols such as SIP, MGCP, H.323 and Cisco's propriety SCCP (Skinny) protocol -- each one with its own history of security problems. When dealing with a network that uses multiple VoIP protocols, enterprises need to make sure the VoIP network is properly patched and protected from voice hacking attempts and other attacks.
Here are some tips for IT managers and voice engineers to help address key areas where voice security usually falls short.
1. Isolate your voice gateway and voice network
Voice gateways, and the rest of the voice infrastructure, must be isolated from other networks. Placing the voice gateway in a different virtual local area network is not going to help much if the rest of the network has unrestricted access to it. Voice security measures must be in place to restrict access, which is usually accomplished with a firewall.
Access lists can be applied at the voice-gateway level as a second level of security to limit external and internal access to known IPs only.
2. Patch your voice gateway
Make sure all voice gateways are continuously updated with the latest software and patches. Always follow your voice gateway vendor closely and check for security updates to avoid running an unpatched gateway.
As new attacks are discovered and patches made available by voice gateway vendors, administrators must ensure that these patches are installed on their systems as soon as possible to avoid being compromised.
3. Use new technology or next-generation firewalls
Securing VoIP traffic at the firewall level presents a big challenge. In most cases, organizations will place the VoIP infrastructure behind a firewall that is not VoIP-aware. Common examples are outdated firewall security appliances that cannot examine VoIP traffic properly and are unable to catch suspicious traffic patterns or voice hacking attempts.
This also highlights the importance of having your firewall firmware and software up to date, or use newer generation firewalls that can inspect VoIP traffic and voice hacking attempts.
The firewall security market has made great advancements in recent years by integrating intrusion prevention systems and firewall technology inside a single appliance. Primary examples include Cisco's ASA 5500-X with FirePOWER security offering advanced threat detection or Palo Alto Networks' firewall security appliances.
Newer firewalls can also eliminate any possible delay introduced when performing a packet level inspection. Thanks to their improved software and multicore 64-bit architectures, they can process traffic at a faster rate without introducing delays or latency.
4. Limit VoIP protocols and services at the voice gateway
A voice gateway can offer a number of services, including support for multiple VoIP protocols and termination of mobile VoIP clients. Often, we tend to configure the features or protocols we need without disabling the rest, which leaves the gateway and VoIP network susceptible to voice-hacking attempts.
As a general rule, turn on only necessary protocols and features while ensuring all other services and protocols are disabled. Vendors often provide advice on how to disable unwanted services and help limit services running on the voice gateway, which also helps save valuable resources and improve the gateway's stability.
5. Encrypt your VoIP traffic
Encrypting VoIP traffic is fairly common, but still not considered a mandatory security practice for organizations. While encrypting VoIP streams introduces an additional layer of complexity, it provides considerable protection against eavesdropping and hijacking of VoIP calls. Encryption also helps protect against SIP attacks that lead to toll-fraud attempts and thousands of dollars' worth of unauthorized calls.
Unencrypted VoIP traffic, especially over WAN links, is an open invitation for hackers to obtain unauthorized access to your VoIP infrastructure. VoIP encryption is even more important when it traverses public, unsecure networks such as the internet. In these cases, voice gateways should use VoIP encryption to securely terminate their SIP trunk to the telecom provider.
Organizations should employ a security policy that prohibits the use of SIP providers that do not support SIP encryption. This practice can save them a lot of problems and headaches later.
Voice gateways are usually hackers' primary targets within the VoIP infrastructure, and they're often exposed to insecure environments for the sake of easy configuration and a lack of security policies. If you haven't already done so, perform a voice security check-up on your organization's voice gateways and ensure they are secured in the best possible way.
Securing VoIP: Keeping your VoIP networks safe
A layered security approach can thwart VoIP attacks
Strengthen network security to contain VoIP risks