Telephone security has always been a concern, especially for companies and government agencies that routinely use telephone calls for exchanging sensitive information. On the corporate side, industrial espionage is very real and some of your competitors will stop at nothing to learn your trade secrets.
Before the age of VoIP, listening in on phone calls required physical access to the PBX or the phone line. On the upside, simple physical security protocols could prevent most incidents. On the downside though, once those physical barriers were penetrated, access was very simple. However, listening in on a VoIP call does not require physical access – it’s the same as hacking any other computer network. It’s a scary proposition, especially if the VoIP lines are tied to the enterprise network — and it’s something that business users rarely consider.
Because VoIP is really nothing more than a computer network – one that can provide indirect access to the main data network if you’re not careful – it is a much bigger target than a copper phone line that has to be physically tapped. At the start of the VoIP revolution we were lulled into a false sense of security, since there was a perception of security (incorrect though it may have been) that rested primarily on obscurity: nobody really knew yet what VoIP was all about, and hackers and spies had bigger fish to fry. Now VoIP is the big fish, and the sharks are out for blood.
The greater risk is in greater access. Gaining unauthorized access to the PBX would result in toll fraud and unauthorized long-distance charges, sometimes to fee-based destinations, but VoIP fraud brings in a whole new range of challenges. Because voice is transmitted just like any other type of data, the network can be exposed in ways that were not possible with ordinary phone lines. Fortunately, it is a relatively simple matter to configure the VoIP network to protect it at the edge of the network, before the voice traffic intersects the enterprise data, with devices like enterprise session border controllers (E-SBCs).
A handful of VoIP security best practices can be adopted – without undue expense – to protect your enterprise network and to keep your voice network from being infiltrated. The concerns to mitigate are unwanted traffic, weak or missing authentication, and exposure of your enterprise data; start with encryption and certificate-based authentication. Encrypted phone calls over the Internet can be enabled with a simple, standards-based software product.
These types of security measures at the edge of the network will go a long way towards locking down your VoIP traffic, and preventing unauthorized access, spying, toll fraud, and other threats.
Besides deploying appropriate security technology, passwords are also a consideration. IP phones require a password like any other part of the network, but more often than not, the default password is never changed.
Another best practice of course, is to allocate privileges judiciously. VoIP systems come with a lot of nifty features, but not everybody needs access to all of those features. Most VoIP systems will let the administrator control access on a user- or role-based basis.
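As an added example (not code from the article or from any product it mentions), the three controls above – encryption with certificate-based authentication at the edge, changed default passwords, and privileges allocated by role – can be checked in one pass over an endpoint inventory. The inventory below is constructed in the style of an Asterisk pjsip.conf: the options type, protocol, bind, transport, media_encryption, password, cert_file, priv_key_file and method are real pjsip option names, while the role and features keys, the role-to-feature table, the default-password list and the length threshold are assumptions made for this example.

```python
"""Audit a SIP endpoint inventory for the weaknesses discussed above:
cleartext signalling, unencrypted media, default or short passwords, and
features granted beyond what the user's role needs.

Added example. The inventory is constructed in pjsip.conf style; the
'role' and 'features' keys are assumptions, not pjsip options."""
import configparser
from dataclasses import dataclass

# Constructed sample: two handsets, the first with every weakness, the second hardened.
SAMPLE_INVENTORY = """
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/pbx.crt
priv_key_file=/etc/asterisk/keys/pbx.key
method=tlsv1_2

[1001]
type=endpoint
transport=transport-udp
media_encryption=no
password=1234
role=reception
features=internal,international,record,conference

[1002]
type=endpoint
transport=transport-tls
media_encryption=sdes
password=Xk9#vL2q!pW7mZ4r
role=reception
features=internal
"""

# Constructed list of factory/trivial passwords and an assumed minimum length.
DEFAULT_PASSWORDS = {"", "0000", "1234", "admin", "password", "secret"}
MIN_PASSWORD_LENGTH = 12

# Assumed role model: which VoIP features each role legitimately needs.
ROLE_FEATURES = {
    "reception": {"internal"},
    "sales": {"internal", "international"},
    "admin": {"internal", "international", "record", "conference"},
}


@dataclass
class Finding:
    endpoint: str
    issue: str


def parse_inventory(text):
    """Parse the ini-style inventory; interpolation is off so '%' in passwords is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_inventory(text):
    """Return one Finding per weakness found on each endpoint section."""
    cp = parse_inventory(text)
    transports = {s: cp[s] for s in cp.sections() if cp[s].get("type") == "transport"}
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if sec.get("type") != "endpoint":
            continue
        # 1. Signalling: the endpoint's transport must be TLS, not cleartext UDP/TCP.
        transport = transports.get(sec.get("transport", ""))
        if transport is None or transport.get("protocol") != "tls":
            findings.append(Finding(name, "signalling not over TLS"))
        # 2. Media: SRTP keyed by SDES or DTLS must be in use, not 'no'.
        if sec.get("media_encryption", "no") not in ("sdes", "dtls"):
            findings.append(Finding(name, "media not encrypted (no SRTP)"))
        # 3. Credentials: the shipped default, or anything short, is a finding.
        pw = sec.get("password", "")
        if pw in DEFAULT_PASSWORDS:
            findings.append(Finding(name, "default or empty password"))
        elif len(pw) < MIN_PASSWORD_LENGTH:
            findings.append(Finding(name, "password shorter than %d characters" % MIN_PASSWORD_LENGTH))
        # 4. Privileges: any feature outside the role's allowance is over-provisioning.
        role = sec.get("role", "")
        granted = {f for f in sec.get("features", "").split(",") if f}
        excess = granted - ROLE_FEATURES.get(role, set())
        if excess:
            findings.append(Finding(name, "features beyond role %r: %s" % (role, ",".join(sorted(excess)))))
    return findings


if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print("%s: %s" % (f.endpoint, f.issue))
```

Run against the sample, the audit reports four findings, all on extension 1001, and none on 1002; pointing the same function at an exported production inventory gives the edge-of-network and privilege review the text recommends without touching the PBX itself.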
A proactive approach that monitors VoIP traffic separately from the data network, using systems designed specifically for the VoIP network, may also yield better results and protection. Look to companies like Q1 Labs, for example, for VoIP-specific network monitoring systems. Such monitoring helps on two fronts: spotting potential security threats, and quality control. VoIP is naturally subject to jitter and to contention among traffic flows, so the voice network needs constant monitoring; without a VoIP-specific monitoring application in place, voice quality may occasionally degrade.
Choose a system that offers detailed reports, offering information on all VoIP-related security and policy events, indicators of VoIP network health, and a high-level look at all VoIP network activity. In fact, a Network Instruments survey shows that VoIP-specific network monitoring and analysis has become an essential part of the network – and should no longer be considered an “extra.” The survey indicated that most organizations deployed VoIP to save money, without realizing the added security risks inherent in VoIP. The survey stressed the importance of network analysis in the pre-deployment stage, which establishes a baseline for any comparative analyses done post-deployment. And even when network engineers do monitor the VoIP system, their primary concern tends to be monitoring and maintaining quality of service – obviously an essential part of the deployment, but not a complete picture.
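As an added example, not from the article nor from any monitoring product it names, here are the two monitoring fronts in Python: security detections run over constructed SIP event lines (a burst of failed registrations from one source, and a burst of off-hours international calls, the toll-fraud pattern mentioned earlier) and the RFC 3550 interarrival jitter estimator run over constructed RTP timings for the quality front. The one-line-per-event log layout, the thresholds, the off-hours window and the home-country prefix are all assumptions for this example.

```python
"""Monitor a VoIP network on both fronts: security events in SIP signalling
and call-quality degradation in RTP.

Added example; log lines, RTP timings, log layout and thresholds are
constructed/assumed, not taken from any real PBX or monitoring product."""
from collections import Counter
from datetime import datetime

# Constructed SIP event log: timestamp method source target status.
# IPs are from the documentation ranges; phone numbers are reserved fictional ranges.
SAMPLE_SIP_LOG = """\
2024-03-04T02:01:10 REGISTER 203.0.113.7 1001 401
2024-03-04T02:01:11 REGISTER 203.0.113.7 1001 401
2024-03-04T02:01:12 REGISTER 203.0.113.7 1002 401
2024-03-04T02:01:13 REGISTER 203.0.113.7 1003 401
2024-03-04T02:01:14 REGISTER 203.0.113.7 1004 401
2024-03-04T02:01:15 REGISTER 203.0.113.7 1005 401
2024-03-04T09:15:02 REGISTER 192.0.2.10 1001 200
2024-03-04T09:20:44 INVITE 192.0.2.10 sip:+442079460000@pbx 200
2024-03-04T03:10:05 INVITE 192.0.2.11 sip:+442079460001@pbx 200
2024-03-04T03:10:09 INVITE 192.0.2.11 sip:+442079460002@pbx 200
2024-03-04T03:10:14 INVITE 192.0.2.11 sip:+442079460003@pbx 200
2024-03-04T03:30:00 INVITE 192.0.2.12 sip:+15551230000@pbx 200
"""

# Assumed tuning for this example.
REGISTER_FAIL_THRESHOLD = 5       # failed REGISTERs from one source
OFF_HOURS = range(0, 6)           # 00:00-05:59 local: this office places no calls then
OFF_HOURS_INVITE_THRESHOLD = 3    # answered international calls from one source off-hours
HOME_COUNTRY_PREFIX = "+1"        # numbers outside this prefix count as international
JITTER_ALERT_MS = 30.0            # quality alert when estimated jitter exceeds this

# Constructed RTP timings (ms) for a 20 ms packetisation: a clean stream and a bursty one.
SENT_MS = [0, 20, 40, 60, 80, 100]
GOOD_ARRIVAL_MS = [0, 20, 40, 60, 80, 100]
BAD_ARRIVAL_MS = [0, 20, 420, 440, 840, 860]


def parse_sip_log(text):
    """Turn the constructed one-line-per-event layout into dicts with parsed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, method, src, target, status = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "method": method,
                       "src": src, "target": target, "status": int(status)})
    return events


def detect_register_bruteforce(events, threshold=REGISTER_FAIL_THRESHOLD):
    """Sources with at least `threshold` rejected (401) REGISTER attempts."""
    fails = Counter(e["src"] for e in events
                    if e["method"] == "REGISTER" and e["status"] == 401)
    return sorted(src for src, n in fails.items() if n >= threshold)


def is_international(target):
    """True when the dialled E.164 number lies outside the home-country prefix."""
    number = target.split(":", 1)[-1].split("@", 1)[0]
    return number.startswith("+") and not number.startswith(HOME_COUNTRY_PREFIX)


def detect_offhours_international(events, threshold=OFF_HOURS_INVITE_THRESHOLD):
    """Sources placing `threshold` or more answered international calls during off-hours."""
    hits = Counter(e["src"] for e in events
                   if e["method"] == "INVITE" and e["status"] == 200
                   and e["ts"].hour in OFF_HOURS and is_international(e["target"]))
    return sorted(src for src, n in hits.items() if n >= threshold)


def rtp_jitter_ms(sent_ms, arrived_ms):
    """RFC 3550 interarrival jitter: J += (|D(i-1,i)| - J) / 16, with D the
    difference between arrival spacing and send spacing of consecutive packets."""
    j = 0.0
    for i in range(1, len(sent_ms)):
        d = (arrived_ms[i] - arrived_ms[i - 1]) - (sent_ms[i] - sent_ms[i - 1])
        j += (abs(d) - j) / 16.0
    return j


def quality_degraded(sent_ms, arrived_ms, threshold=JITTER_ALERT_MS):
    """Quality-control alert: estimated jitter above the assumed threshold."""
    return rtp_jitter_ms(sent_ms, arrived_ms) > threshold


if __name__ == "__main__":
    events = parse_sip_log(SAMPLE_SIP_LOG)
    print("registration brute force from:", detect_register_bruteforce(events))
    print("off-hours international bursts from:", detect_offhours_international(events))
    for label, arrivals in (("good", GOOD_ARRIVAL_MS), ("bad", BAD_ARRIVAL_MS)):
        print(label, "stream jitter %.2f ms, degraded=%s"
              % (rtp_jitter_ms(SENT_MS, arrivals), quality_degraded(SENT_MS, arrivals)))
```

The daytime international call from 192.0.2.10 and the off-hours domestic call from 192.0.2.12 are deliberately left unflagged: the two detections combine time of day, destination and volume rather than alerting on any one of them, which is what keeps a voice-specific monitor from drowning the security events in ordinary call traffic.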
Using a mainstream operating system familiar to administrators (and back-up administrators) will also go a long way towards overall security. There is a temptation among some admins to use a different OS, but maintaining a single platform throughout the enterprise has advantages. If the organization runs Windows on the main data and application platform, use a Windows-based IP PBX. And naturally, when selecting an IP PBX, make sure the vendor is reliable, and issues security updates on a regular basis. There are some IP PBX devices that operate as a type of black box, often with an OS that is unfamiliar to the admin and which cannot be accessed without calling the VAR for help. This option may cause problems down the road.