A Case for VoIP: Clearing Security Hurdles

By Scott Avvento | September 28, 2015 | Communications

In my last installment, I covered how converging your voice and data networks allows you to take full advantage of the benefits VoIP telephony offers. This can be a tricky road, but one very much worth the trip. In this post, I’ll talk more specifically about some security details you should consider while weighing your decision to go to VoIP and how to mitigate those concerns.

Converged Network Security Implications

A converged network can create security problems unheard of in the legacy, voice-only telecom world. Traditionally, calls are sent and received over closed, circuit-switched networks. Security and performance concerns are minimal in that world. Calls rarely get dropped and eavesdropping on a call only happens if someone has physical access to the dedicated circuit set up between the two endpoints. But the introduction of Voice over Internet Protocol (VoIP) into a network can have dramatic consequences. Instantly, the once simple and secure voice call is broken up into thousands of packets that are sent over public and private networks and re-assembled at the other end. Along the way, the call is vulnerable to attack at every turn.

Common Vulnerabilities of a Converged Network

In a converged network, all of the threats that affect a traditional data network have a broader impact. For example, a denial-of-service (DoS) attack against a router can also directly impact the ability to make and receive phone calls. Phone calls can be purposefully interrupted, altered or monitored using the same techniques that malicious actors have been using against companies for years. The bottom line is voice is now just data.

Due to the new condition of our voice packets, network convergence also introduces new and familiar infrastructure vulnerabilities into the mix. For example, today the most common operating systems on which the call processing software runs are Windows and Linux. These are the same operating systems that routinely need to be patched in order to keep your websites, desktops and servers safe and operational. Malware originally intended to steal or corrupt IP data can now affect voice and video communications. It’s a paradigm shift for many companies’ system administrators. Now, their monthly patch cycles need to include the telecom equipment – a domain for which they have historically not had any responsibility. Conversely, the telecom administrators now have to live with the fact that their systems require a new skill set to operate in a safe way. They have to change the way they do their work to accommodate the new risks.

Protecting Your Converged Network

So what does this mean? Basically, voice communications now have to be protected with the same tools, techniques and vigor as data networks. That can be a challenge, especially for small companies who are only recently starting to realize that their data is vulnerable at all. But the challenge is not insurmountable. By following some basic security best practices you can protect your voice data with the same effectiveness as your traditional network data.

  1. Perimeter Firewalls: Properly configured, a modern firewall will allow for your data flow to be more easily controlled. If malicious traffic enters your network, it gives you a single location to start your investigation.
  2. Threat Monitoring: Modern threat monitoring systems take the IDS/IPS to a new level, allowing socialized threat intelligence to tip you off to hot vulnerabilities being exploited in the wild. A properly configured firewall, augmented with a threat monitoring solution, enables you to detect malicious content or traffic anomalies entering or leaving the different sub-sections of your voice and data network – even the latest flavor of the week.
  3. Endpoint Protection: Some of the bad stuff is going to get through. Arm yourself with the tools to stop bad actors at your endpoints. This is more than anti-virus. You need threat-aware capabilities that can quarantine processes when identified as malicious.
  4. Educate, Educate, Educate: As usual, the people are the weakest points. Security awareness training is now more critical than ever. But now there’s a new player. With the network convergence we’re talking about here, your traditional telephony engineer, who in the past has only had purview over his or her own domain, now needs some elevated privilege and can make decisions that can impact data security. Make sure they know how to do it properly. Secure their endpoint. Don’t give administrator rights. Allow them easy, but secure remote access. It’s a new world for them.
  5. Port Security: Don’t leave all of your network drops active. Only plug them in when they’re needed. If that port in your waiting room is active, then someone could plug in and potentially have access to your network. The same goes for empty cubicles. If some are unfilled, or an employee leaves the company, disconnect that network drop. That way you are not leaving a vector into your network that a malicious actor can use, with a little social engineering, to wreak havoc.
  6. Patching is King: Like your computers, regularly update your phone equipment’s OS to protect from the latest security holes, and limit unnecessary software.
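
For the port security item above, one way to find drops that are live but unused is to audit the switch's port status listing. This is an added example, not part of the original post; it assumes Cisco IOS-style `show interfaces status` output, and the sample listing, port descriptions and public-area keywords are constructed for illustration.

```python
import re

# Constructed sample in the style of Cisco IOS `show interfaces status`.
# Port names, descriptions and VLAN numbers are invented for illustration.
SAMPLE = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   Reception desk     connected    10         a-full  a-100 10/100/1000BaseTX
Gi1/0/2   Waiting room       notconnect   10           auto   auto 10/100/1000BaseTX
Gi1/0/3   Cube 14 vacant     notconnect   20           auto   auto 10/100/1000BaseTX
Gi1/0/4                      disabled     1            auto   auto 10/100/1000BaseTX
Gi1/0/5   Sales IP phone     connected    110        a-full a-1000 10/100/1000BaseTX
Gi1/0/6   Waiting room kiosk connected    10         a-full  a-100 10/100/1000BaseTX
"""

# The description column may be empty or contain spaces, so anchor on the
# status keyword instead of splitting on whitespace.
ROW = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|disabled|err-disabled|inactive)\s+"
    r"(?P<vlan>\S+)"
)

# Assumed labelling convention for drops in areas visitors can reach.
PUBLIC_AREA = ("waiting room", "lobby", "conference")

def parse_ports(text):
    """Return one dict per port row; the header and unrelated lines are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def audit(ports):
    """Flag enabled drops with nothing attached and in-use ports in public areas."""
    findings = []
    for p in ports:
        public = any(k in p["name"].lower() for k in PUBLIC_AREA)
        if p["status"] == "notconnect":
            # Administratively up, no link: anyone who plugs in gets a live port.
            findings.append((p["port"], "live drop with nothing attached: shut down until needed"))
        elif p["status"] == "connected" and public:
            findings.append((p["port"], "in use in a public area: confirm the attached device is expected"))
    return findings

if __name__ == "__main__":
    for port, reason in audit(parse_ports(SAMPLE)):
        print(f"{port}: {reason}")
```
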

Refrain from being complacent and assuming that no one is out to get you because of your business size. Attackers will take the path of least resistance and settle for a small and easy reward. By following the guidelines above, your small or medium-sized business can enjoy all the benefits of a converged network without putting your network, telephony and entire business at risk.

Author Scott Avvento

Scott is an experienced cyber security architect who focuses on highly secure systems that take advantage of the latest trends in security, availability, and infrastructure capabilities. He is a CISSP and ISSAP, and holds GCIH, GCFA, and GCIA certifications from SANS. At Alpine Cyber Solutions, Scott is the co-founder, CEO, and chief cyber architect.
