December 16, 2010 VOIP

Should You Include VoIP Security in Your Security Reviews?

Voice over IP (VoIP) is fast becoming ubiquitous in the business world. But VoIP can be subject to various types of threats, and it also raises privacy issues and other concerns, including access and authentication, Denial of Service (DoS) attacks, VoIP spam, toll fraud and ‘vishing’ (the VoIP equivalent of phishing emails).

My colleague, Simon Heron, succinctly itemized these concerns in a recent white paper. IT managers take heed — here are a few tips you may find useful:

– Include VoIP security in your security reviews
– Use encrypted protocols like SRTP and SIPS
– Patch your systems frequently and don’t assume that your SIP trunk provider follows similar security procedures
– It’s critical that your network traffic goes through a firewall designed to protect VoIP systems
– Monitor VoIP traffic frequently – it’s a good way to spot abnormal activity
– Educate your users to recognize VoIP fraud

Simon indicated that probably the most critical concern is privacy, as both SIP and H.323 are easily listened to if a hacker finds a relevant data stream. He recommended placing VoIP phones on separate, individually secured (firewalled) VLANs to protect against rogue devices, and then protecting that VLAN against the introduction of any unauthorized device.
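To make the SRTP/SIPS and traffic-monitoring tips concrete, here is an added example (not from the white paper or the original post) that checks a captured SIP INVITE for plaintext signalling and unencrypted media. The sample message, its addresses and the function name `audit_invite` are constructed for illustration.

```python
import re

# Constructed sample: a SIP INVITE with an SDP offer, as it might appear in a
# packet capture on the voice VLAN. Names and addresses are made up.
SAMPLE_PLAINTEXT = (
    "INVITE sip:bob@example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.test>;tag=1928301774\r\n"
    "To: <sip:bob@example.test>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
# The same constructed call set up with SIPS over TLS and an SRTP media profile.
SAMPLE_ENCRYPTED = (SAMPLE_PLAINTEXT.replace("sip:", "sips:")
    .replace("SIP/2.0/UDP", "SIP/2.0/TLS").replace("RTP/AVP", "RTP/SAVP"))

def audit_invite(message):
    """Return a list of findings for a SIP request that exposes signalling or media."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")  # Request line: METHOD Request-URI SIP-Version
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        return ["not a SIP request"]
    findings = []
    if not parts[1].lower().startswith("sips:"):
        findings.append("Request-URI is not sips:")
    # The topmost Via header names the transport used on the captured hop.
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):
            transport = (value.split() or ["?"])[0].rsplit("/", 1)[-1].upper()
            if transport not in ("TLS", "WSS"):
                findings.append(f"signalling transport is {transport}, not TLS")
            break
    # SDP media lines are m=<media> <port> <proto> ...; SRTP profiles contain SAVP.
    for m in re.finditer(r"^m=(\S+) (\d+) (\S+)", body, re.MULTILINE):
        media, port, proto = m.groups()
        if port != "0" and "SAVP" not in proto.upper():
            findings.append(f"{media} stream offered as {proto} (not an SRTP profile)")
    return findings
```

An empty result means the request used `sips:`, a TLS transport and an SRTP profile; anything else is a call worth raising in the security review.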

And the bottom line? Watch your network and calls for any unusual activity – you’ll mitigate potentially nasty security problems by responding expeditiously!

Photo by Lars Kienle on Unsplash