BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Editor's note: Part five of our SIP Trunking Explained series looks at the VoIP network security implications of SIP trunking and how to handle them. Check out the rest of the series (see box below) for essential information on SIP vs. PRI, selecting a SIP trunking provider, how to enable your legacy equipment, how to calculate how much VoIP bandwidth you'll need for SIP trunking services, and the advantages of SIP trunking.
As with most technologies, SIP trunking also has security concerns, which consist mainly of toll fraud. Hackers are unlikely to launch a successful attack against a legacy telephone system and gain access to it. With SIP-based systems, however, attacks can be directed at IP addresses belonging to the telephony system and are more likely to find ways to penetrate it to make international calls.
SIP trunk security encompasses a number of different issues. To address them, most security vendors prefer a layered approach to provide an effective way of isolating and protecting the telephony system and the communications path to the SIP service provider. The layered approach avoids placing the whole security solution into a single box, which means a single firewall shouldn't be used to try to protect the whole infrastructure, even though that approach is common.
Of course, vendors are also responsible for many toll fraud incidents because their systems are either buggy or are configured with a default mechanism that would help protect against toll fraud.
Here are some tips to help identify which areas of SIP security need to be changed or redesigned to help avoid unpleasant surprises.
Ensure complex passwords for your SIP trunk: SIP trunk providers require authentication in order to allow incoming and outgoing calls from the SIP trunk. Make sure complex passwords are used for the authentication process to your SIP provider.
Limit access to the telephony system: Only specific people from specific locations should have access to the telephony system. In most cases, the telephony system is incorrectly placed on the same network and virtual LAN (VLAN) as other network traffic. Always ensure your telephony systems are isolated in a separate VLAN and that the correct VLAN security policies are in effect. Check out Firewall.cx's VLAN Security article for more information.
Avoid port forwarding: The easiest and most dangerous method of getting a SIP trunk with your provider is to port forward the necessary ports (TCP/UDP 5060 & 5061) from your router/firewall directly to the telephony system. Port forwarding is extremely dangerous and can expose critical parts of your network to the public.
Make use of intrusion detection systems (IDS): IDSes help detect and mitigate attacks to your systems. Make sure a correctly configured IDS is in place to monitor all communications with your SIP provider. The IDS should automatically alert the administrator when attacks are in progress.
Lock your SIP trunk against toll-fraud access: Ensure some type of secret number must be entered before international calls can be made. This is a simple, but very effective, way to limit toll fraud on international calls.
Accept SIP traffic only from your SIP provider: Block traffic from all external sources except your SIP provider. This will help limit access to your telephony system and minimize chances of unauthorized access.
Encrypt SIP traffic with TLS and RTP: Transport Layer Security (TLS) can be used for signaling encryption (SIP TCP) and authentication, while Real Transport Protocol (RTP) can be used for media encryption. While TLS and RTP provide a serious level of encryption, they must be supported by both the telephony system and the SIP trunk provider.
Update and patch your security systems: Keeping security systems up to date is very important, especially when IDSes, intrusion prevention systems (IPSes) and firewall systems are involved. This helps take care of any bugs, exploits and security holes that have been discovered and published by your security vendor.
Always backup your systems: No matter how simple or complex your telephony and network security systems are, always make sure you have a valid and recent backup.
When it comes to network security, you can never be secure enough when connected to the Internet. Keeping your company and communication channels secure from the large range of attacks and dangers lurking out there (Internet) is an ongoing daily effort.
Find out how VoIP vendors are working to prevent toll fraud
Book chapter: Make sure SIP trunking doesn't leave your network open to security problems
How network admins should tackle SIP trunking challenges
Go for both: Configure your SIP trunks for security and reliability