Brought to you by The Cisco Innovators Program
Cybercriminals will happily tell you: IP telephony, known as VoIP, is a wonderful thing.
Eavesdropping on phone calls opens a treasure trove of valuable data. Big gems await in financial institutions, professional services firms, and government agencies. Equally dazzling are call centers, where the bounty can include confidential account information, health records, and payment card data.
Hacking voicemail is also lucrative; it exposes private business information and celebrity secrets.
Toll fraud is prized by a global armada of phone pirates, who are unrelenting in their attacks. "Unfortunately, a business decided they needed voice security after the fact," says Chris Krueger, director of operations at Cisco Premier Certified Partner PEI. "During a few hours one morning, a rogue user had easily accessed the call control in the SIP gateway and generated several thousands of dollars in calls to Eastern Europe."
Complacency Is Costly
Don't let security vulnerabilities decimate the financial and productivity benefits that your company can get, or is already getting, from an IP phone system.
"Some customers who have us design and implement their VoIP solution decline security services, saying with full intention that they'll do it themselves. It's amazing to see that 100 percent of them just don't get around to doing it," Krueger says. His company, PEI, is a technology consultancy and service provider focused on technologies such as networking unified communications, with security as a top priority.
VoIP risks extend beyond toll fraud, voicemail hacks, and eavesdropping. IP phones can be entry points into your business network. VoIP calls and voicemail messages are data, susceptible to data network attacks.
Whether you use a hosted IP phone service or an onsite VoIP system, protecting the voice network is much like protecting the data network. The security policies and technologies can be complex, depending on your goals (including compliance requirements), users' applications and locations, and the IP phone system you're using, whether onsite or hosted. Fortunately you can engage VoIP experts--such as Cisco partners--to strengthen and simplify your company's security.
Following is an introduction to some IP phone security strategies, from Cisco and two Cisco partners that provide VoIP security solutions and services.
Are You Using a Hosted VoIP System? Investigate It
Has the service provider provisioned your voice services with security in mind?
Evaluate services such as VLAN configuration, user authentication, and encryption, as well as the security of configuration and signaling methods. Also investigate any HIPAA, SOX, PCI, or other compliance guidance that may apply.
"A client of our hosted contact center service wanted voice encryption on its phones because it's highly protective of its data and it's also subject to regulatory compliance," says Rocky Livingston, CIO at USAN. A Cisco Registered Partner, USAN provides contact center communications and optimization solutions that give users flexible ways to engage customers across channels.
For this client, USAN chose the Secure Real-time Transport Protocol (SRTP) because it's easy for users to use, has less overhead than IPsec protocols, and does not cause any difference in voice quality, says Mike Evenson, vice president of managed services.
"By integrating Cisco SPA525G2 phones, we give the client a customized solution that implements SRTP based on the configuration file in their DHCP server that is associated with the phone's MAC address," says David Al-Khadhairi, vice president of enterprise architecture.
Configure Dial Plans and User Profiles
Take advantage of features on your VoIP system that enable security. Essentially:
- Control voice network access by device certificate and/or user name and password.
- Restrict the types of calls allowed on the network, by device, user, and other criteria, such as time of day.
Protect Your Voice Systems
Apply physical and logical protection, such as:
- Set up a firewall and intrusion prevention system (IPS) to monitor and filter authorized and unauthorized VoIP traffic, and track unusual voice activities, says Krueger.
- Lock voice servers physically, and logically for administration. Centralize administration and use domain restrictions and two-factor authentication for administrative access, including to credentials, signaling data, and configuration files.
- Regularly install OS updates, and limit software loading on phones.
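The dial-plan restriction by device and time of day, and the tracking of unusual voice activity described above, can be sketched over call detail records. This is an added example, not code from Cisco, PEI, or USAN; the policy values, device names, dialing prefixes, and records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy values; none of them come from the article.
BUSINESS_HOURS = range(8, 18)      # 08:00-17:59 local time
INTL_PREFIXES = ("011", "00")      # assumed international dialing prefixes
BURST_LIMIT = 3                    # international calls tolerated per device per window
WINDOW = timedelta(minutes=10)

def is_international(dialed):
    return dialed.startswith(INTL_PREFIXES)

def call_allowed(device, dialed, when, intl_devices):
    """Dial-plan check: international calls only from approved devices in business hours."""
    if not is_international(dialed):
        return True
    return device in intl_devices and when.hour in BUSINESS_HOURS

def find_bursts(cdrs):
    """Return devices that place more than BURST_LIMIT international calls within WINDOW."""
    by_device = defaultdict(list)
    for device, dialed, when in cdrs:
        if is_international(dialed):
            by_device[device].append(when)
    flagged = set()
    for device, times in by_device.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:   # slide the window forward
                start += 1
            if end - start + 1 > BURST_LIMIT:
                flagged.add(device)
    return flagged

# Constructed call detail records: (device, dialed number, start time).
SAMPLE_CDRS = [
    ("phone-101", "5551234", datetime(2024, 3, 4, 9, 15)),
    ("phone-101", "0119995550100", datetime(2024, 3, 4, 10, 0)),
] + [
    ("gw-trunk-1", "01199955501%02d" % i, datetime(2024, 3, 4, 5, 0) + timedelta(minutes=i))
    for i in range(6)
]
```

On the sample records, the gateway trunk that places six international calls in six minutes before business hours is both refused by the dial-plan check and flagged by the burst detector.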
Use VLANs to Segment Voice Traffic and Separate It from Data Traffic
Some voice systems and switches support device discovery protocols and automatically assign IP phones to voice VLANs.
Encrypt Sensitive Voice Traffic
- Apply encryption by segment, device, or user; encrypting indiscriminately can result in excessive network latency or introduce operational overhead and complexity.
- Encrypt the signaling at your Internet gateway with Session Initiation Protocol (SIP) over Transport Layer Security (TLS); your service provider's switch fabric may do this.
- Encrypt the media (packets) with protocols such as SRTP.
- Use VPNs for network connections by remote phones. This is especially important when HTTPS or SRTP is unavailable, says Krueger. He says that Cisco AnyConnect® Secure Mobility Client and site-to-site VPNs work well in this role.
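Signaling and media encryption depend on each other: when SRTP keys are exchanged in the SDP body (the `a=crypto` attribute), they are only protected if the SIP signaling itself runs over TLS. The audit below is an added example, not code from the article or from Cisco; the INVITE messages, addresses, and key placeholder are constructed, and it inspects only the topmost Via hop.

```python
import re

def audit_invite(sip_message):
    """Report how one SIP INVITE protects its signaling and its media."""
    head, _, sdp = sip_message.replace("\r\n", "\n").partition("\n\n")
    via = re.search(r"^Via:\s*SIP/2\.0/(\w+)", head, re.M | re.I)  # topmost hop only
    transport = via.group(1).upper() if via else "UNKNOWN"
    signaling_encrypted = transport in ("TLS", "WSS")

    media, current = [], None
    for line in sdp.splitlines():
        if line.startswith("m="):
            kind, _port, profile = line[2:].split()[:3]
            current = {"kind": kind, "profile": profile, "crypto": False}
            media.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            current["crypto"] = True

    findings = []
    if not signaling_encrypted:
        findings.append("signaling not encrypted (%s)" % transport)
    for m in media:
        if "SAVP" not in m["profile"]:          # RTP/AVP and RTP/AVPF are plain RTP
            findings.append("%s media is plain RTP (%s)" % (m["kind"], m["profile"]))
        elif m["crypto"] and not signaling_encrypted:
            findings.append("%s SRTP key exposed in cleartext SDP" % m["kind"])
    return {"transport": transport, "media": media, "findings": findings}

def sample_invite(transport, profile, with_crypto):
    """Build a constructed INVITE (documentation addresses, placeholder key)."""
    lines = [
        "INVITE sip:1002@pbx.example.test SIP/2.0",
        "Via: SIP/2.0/%s 192.0.2.10:5061;branch=z9hG4bK-constructed" % transport,
        "Content-Type: application/sdp",
        "",
        "v=0",
        "c=IN IP4 192.0.2.10",
        "m=audio 49170 %s 0" % profile,
    ]
    if with_crypto:
        lines.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER-NOT-A-REAL-KEY")
    return "\r\n".join(lines) + "\r\n"
```

An offer that advertises `RTP/SAVP` over UDP signaling still produces a finding, because the media key travels in the clear even though the media itself would be encrypted.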
Implement Strict Security Policies with Users
- Communicate your phones' built-in security features to users.
- Apply strong passwords to access the voicemail inbox. Immediately change the default password to a strong password, then change it as often as your company's policy dictates for changing login and email passwords.
- Delete sensitive voicemail messages as soon as users have listened to them. Not storing voicemails is the easiest and most effective way to protect them.
- Immediately report anomalies. You may not know a phone has been hacked until an employee reports an odd occurrence, such as a saved voicemail message that has been deleted or forwarded to an unusual number.
When cybercriminals find your IP phones and voice system, how happy will they be?
Ruin their day. Cisco partners can help you protect your company's voice and business assets--and raise your happiness by simplifying your security job and providing award-winning support.