It’s time to boost VoIP network security
-
Upload
bev-robb -
Category
Technology
-
view
217 -
download
2
Transcript of It’s time to boost VoIP network security
It’s time to boost VoIP network security
More businesses than ever are jumping on the Voice over IP (VoIP) bandwagon today. Aside from significant cost
savings (when compared to traditional phone services), VoIP also offers many value-added features such as
voicemail-to-email transcription, barge and whisper service, call screening, conferencing, music on hold, find
me/follow me call routing, portability, and increased flexibility and mobility for employees that are always on the
move or required to travel.
Although VoIP’s advantages have plenty to offer the business world, there is also the need for companies to secure
voice technology. While the 2015 cyberthreat landscape is beginning to look even more stealth and treacherous than
last year, let’s not forget that 2014 was dubbed “the year of the breach.”
When it comes to securing VoIP, it is time for businesses to go beyond basic compliance and become proactive in
securing VoIP technology from hackers. Since VoIP packets flow over the network (just like data packets do),
sensitive corporate information could be intercepted. Some of the same threats that affect data networks can also
affect VoIP.
Other threats that can affect VoIP systems are:
Conversation eavesdropping/sniffing
Default passwords
Hacked voicemail
Identity spoofing
Man-in-the-middle exploits.
Denial of Service (DoS) attacks
Toll fraud
Web-based management console hacks.
The Shodan search engine
Recently, I ran a query on Internet-connected devices from the Shodan search engine— I was amazed when I
discovered that beyond public-facing servers and devices — banners for voice-over-IP (VoIP) SIP servers were also
prevalent. While digging around in search, I discovered a U.S. government agency that is using an out-dated Cisco
TelePresence Video Communication Server, and if I was a malicious hacker, I would be thrilled to know that this
particular server contains two serious vulnerabilities.
If you are wondering what Shodan is — it is an Internet search engine that helps you to find vulnerable device
targets. It has been described as a search engine for hackers; an IoT device search engine; a tool for IT pros and
hackers; and frequently described as the scariest search engine on the Internet.
Null Byte states that “Shodan can find us webcams, traffic signals, video projectors, routers, home heating systems,
and SCADA systems that, for instance, control nuclear power plants and electrical grids. If it has a web interface,
Shodan can find it!”
If you want to find out if your VoIP system may be vulnerable, you can check out the Shodan search
engine here and input net:your.ip.add.ress in the search box.
Hackers for hire
Identity theft expert, Robert Siciliano recently wrote about “hackers for hire”who currently operate a website
(launched last November) called Hacker’s List. There are also hacker’s for hire on the Darknet (and plenty of them
too), in both the marketplace and on secret forums that offer VOIP hacking services. With so much hacker
availability, securing and monitoring your voice network is mandatory.
While hackers are continually discovering new ways to attack VoIP systems, there are some established favorite
approaches. Also known as ‘footprinting,’ these techniques rely on information that unsuspecting VoIP users make
publicly available.1
Social media sites (LinkedIn, Facebook), job sites, company websites, web searches, web crawlers (HTTrack), etc.
can be used to gather publicly available information about an organization’s business, employees, and network.
Company job postings can contain a plethora of information about internal network systems and often can become
an asset for a hired hacker. If you are going to write a job description, try to avoid footprinting. As an example:
Footprinting: He or she will also be responsible for integrating the SHORETEL VoIP system with CISCO VoIP.
No footprinting: He or she will also be responsible for integrating VoIP (SIP) servers, infrastructure, and
applications.
Let’s get back to VoIP security…
VoIP security is a challenge for many companies, but the bottom line is: VoIP security should operate on the same
rung as network data security — both forms of data contain valuable information. Remember this: The bad guys
never sleep; they are always looking for new and innovative ways to hack into business VoIP systems.
Best security practices should include:
1. Separating data traffic from voice traffic by creating two virtual VLANs.
2. Protecting the remote admin interface with a complex password and non-standard port.
3. Encrypting sensitive voice traffic.
4. Using Secure Session Internet Protocol (SIPS) for protection from eavesdropping and tampering.
5. Applying physical and logical protection: The VoIP server should be behind a SIP-aware firewall and
intrusion prevention system (IPS).
6. Creating user names that are different from their extensions.
7. Keeping VoIP systems always up-to-date and patched.
8. Limiting calling by device.
9. Using encryption to secure calls.
10. Setting strong security policies.
11. Utilizing traffic analysis and deep packet inspection (DPI).
12. Properly securing VoIP gateways.
13. Using a strong voicemail 6-digit passcode or device certificate.
14. Deleting sensitive voicemail messages.
15. Removing mailboxes when employees leave the company.
16. Limiting invalid login attempts.
17. Restricting type of calls allowed on the network and implementing time of day policies.
18. Disabling international calls by default.
19. Security awareness training for employees.
20. Requesting that all employees report odd occurrences.
With hacking and ongoing data breaches playing a strong lead in the headlines lately, what other security strategies
should be implemented?
Resources:
Are You Vulnerable to Voice over IP Hacking?
How to Detect and Guard against VoIP Security Vulnerabilities
SANS: Security Issues and Countermeasure for VoIP
VOIP security risks overlooked
VoIP vulnerabilities: Why firewall protection is not enough
Shodan: The scariest search engine on the Internet
Network security resources from Dell
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the
evolving world of tech. For more on these topics, visit Dell’s thought leadership site PowerMore.Dell sponsored this
article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.
1Hadley, J. (2014, Sep. 29). Are You Vulnerable to Voice over IP Hacking? [Web log post]. Retrieved April 15,
2015, from http://www.cloudwedge.com/vulnerable-voice-ip-hacking/