Robert Toro of Optimus Solutions offers some VoIP-specific security practices for organizations implementing IP telephony for the first time.
- Test, test, test. Test IP telephony systems and applications as one would firewalls, VPNs, and other security services—by conducting self-hacks. Simulate code-embedded message attempts, DoS attacks, and override exploit attacks. This should help security administrators gain a greater understanding of the system’s strengths and weaknesses.
- Use security as a key selection criterion when buying any IP telephony solution.
- Implement password security for end users and system administrators. Passwords and the services they protect should be managed like any other network resource. Enforce these procedures:
  - Implement an automated password reset every 30 days.
  - Restrict unsuccessful login attempts to three.
  - Replace all temporary passwords with complex passwords.
  - Delete inactive voice mailboxes to avoid abuse or misuse.
  - Delete all testing codes used by the installation team.
- Secure all hardware. Users of IP telephony must secure phones, IP servers, switches, and other types of voice equipment. Eavesdropping may only be achieved if the hacker gains direct access to the LAN. Since most LANs are secured by established technologies, VoIP sessions are also protected by default. Simply enable and configure each device’s security features, and then manage them just as you would any other corporate device.
- The VPN must be configured and tested to support VoIP if remote users will be accessing telephony functions via the Internet.
- Mobile workers who are accessing the Internet via hotel or airport Ethernet connections must also run personal firewalls.
- Investigate VoIP-specific security products only as a last resort. Security vendors claim that they are not trying to overhype IP telephony vulnerabilities, yet new VoIP security products are coming to market in a steady stream. Expect this trend to continue as the number of VoIP installations grows. Solutions range from security hardware and software, to hosted services, to consultation for secure VoIP architecture. Companies include:
- Follow developments from the VoIP Security Alliance (VOIPSA). The recently founded VOIPSA is composed of VoIP hardware and software vendors, security firms, and researchers. VOIPSA helps enterprises navigate the VoIP security landscape through discussion lists, white papers, research projects, free tools, and methodologies. VOIPSA’s VoIP Security and Privacy Threat Taxonomy defines many of the potential threats to IP telephony deployments. Increase IT’s awareness of VoIP security issues by reading this publication.
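The password and mailbox procedures in the list above can be checked mechanically against an export of the voicemail system's accounts. The following is an added example, not part of the original article: the CSV column names, the sample rows, the 90-day inactivity threshold, and the reading of a lockout value of 0 as "no lockout" are all assumptions made for illustration.

```python
import csv
import io
from datetime import date, datetime

MAX_PASSWORD_AGE_DAYS = 30  # from the checklist: reset every 30 days
MAX_FAILED_LOGINS = 3       # from the checklist: three unsuccessful attempts
INACTIVE_AFTER_DAYS = 90    # assumption: the article gives no inactivity threshold

# Constructed sample export; the column names are hypothetical.
SAMPLE_EXPORT = """mailbox,owner,password_set,temp_password,lockout_threshold,last_login,installer_test
2001,alice,2024-05-20,no,3,2024-06-10,no
2002,bob,2024-03-01,no,3,2024-06-12,no
2003,carol,2024-06-01,yes,5,2024-06-11,no
2004,unassigned,2024-06-05,no,3,2023-11-02,no
9999,install-test,2024-06-08,no,3,2024-06-08,yes
"""

def _days_since(iso_day, today):
    """Whole days between an ISO date string and `today`."""
    return (today - datetime.strptime(iso_day, "%Y-%m-%d").date()).days

def audit_mailboxes(export_text, today):
    """Return {mailbox: [findings]} for rows that violate the checklist."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        if _days_since(row["password_set"], today) > MAX_PASSWORD_AGE_DAYS:
            issues.append("password older than 30 days")
        # Assumption: a threshold of 0 means lockout is disabled.
        if not 1 <= int(row["lockout_threshold"]) <= MAX_FAILED_LOGINS:
            issues.append("lockout threshold above three attempts")
        if row["temp_password"] == "yes":
            issues.append("temporary password still in use")
        if _days_since(row["last_login"], today) > INACTIVE_AFTER_DAYS:
            issues.append("inactive mailbox, delete")
        if row["installer_test"] == "yes":
            issues.append("installer test code, delete")
        if issues:
            findings[row["mailbox"]] = issues
    return findings

if __name__ == "__main__":
    for box, issues in audit_mailboxes(SAMPLE_EXPORT, date(2024, 6, 15)).items():
        print(box, "; ".join(issues))
```

Running the audit on a schedule turns the one-time cleanup after installation into an ongoing control.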
VoIP-specific risks may be overblown at the present time, but enterprises should nevertheless take the same precautions for IP telephony as they would for any other network service. Don’t allow fearmongering to stall deployment.