Securing Your VoIP Service

While there are many books and articles about VoIP security, I have yet to find a single volume covering the “A to Z of Security” for VoIP providers. Let us examine the fundamentals and some of the most important aspects of security for VoIP providers, many of which can also be applied to other types of Internet services.

Security policies and procedures: A good security plan begins with defining comprehensive security policies and procedures. When describing these measures, be aware that there are people with malicious intentions trying to compromise the fundamental security aspects of the network including authentication, confidentiality, integrity, and availability of the data and network. Also, policies and procedures are of no value if they are not enforced and backed by extensive training of employees. For that reason, all teams in the organization need to be trained about the best security practices in their respective functions.

Social engineering: IT is not the only team in danger of revealing sensitive information through social engineering. To protect privacy of customers’ data and avoid costly legal issues, special attention needs to be paid to the implementation of security policies and training for the departments interfacing with customers, or anyone in the service provider’s organization who handles CPNI (Customer Propitiatory Network Information)¹.

Physical security: This includes, but is not limited to, keeping servers in secure datacenters, limiting the access to the datacenter to authorized employees, timely removal of badge access for terminated employees and frequent review of the access lists and logs for the datacenters. Recent Sarbanes Oxley regulations for publicly-traded companies are often useful for implementing successful physical security programs.

Application security: Applications for VoIP service providers can be categorized in several different ways. For the purpose of this article, these applications are divided into user-facing interfaces and the call flow engine. When it comes to user interfaces and websites, as with most web applications, the best practices include, but are not limited to, using encrypted connections, strong password requirements and login timeouts. With regard to the call flow engine, VoIP-specific threats such as SPIT (Spam over Internet Telephony (News - Alert)), logic attacks (malformed packets), or eavesdropping must be carefully considered and addressed. If you are using SIP, make sure to check the network for vulnerabilities discussed in the security considerations section of RFC 3261.

System level security: No matter how well the VoIP application security is implemented, security vulnerabilities of the operating system and the individual servers providing VoIP services can open up the door for hackers to take control. At a high-level, some of the best practices for system level security include: 1) keeping servers updated with security patches; 2) removing or disabling unused services; 3) limiting the number of users with access to the servers; and 4) using Access Control Lists (ACL) to limit the access to servers to a short list of originating IP addresses (e.g., your NOC (News - Alert)). Also, if you utilize virtualization for any of your applications, specific security considerations should be exercised for those environments².

Database security: Some of the best practices include encryption of data when storing sensitive information such as customers’ credit card or passwords and not exposing servers running these databases to the public Internet.

Network security: Network security measures can be distributed and implemented on each node on the network, or they can be implemented on the edge or border of the network. In most cases, however, a hybrid network security approach with some elements on the border of the network to control threats such as DoS (Denial of Service) attacks combined with the remaining components residing on the individual network nodes is usually the most desirable and effective method³. Implementation of NIDS (Network Intrusion (News - Alert) Detection System) and active monitoring of the traffic patterns are critical steps to detect and stop the network threats.

While most security efforts focus on the topics discussed thus far, it might be surprising to know that most fraudulent activities on VoIP networks are initiated by users signing up through normal, legitimate processes. So, in order to secure your VoIP network, you must also implement fraud detection during the sign-up process and active monitoring throughout the life of the account. These practices include, but are not limited to, checking and monitoring trends of IP origination of orders, billing and shipping addresses, usage trends and automated mechanisms to intercept, block, or generate alerts for suspicious orders or usage patterns. IT

Footnotes:

¹ “CPNI,” November 2008: www.fcc.gov/eb/CPNI/

² M. Price, “The Paradox of Security in Virtual Environments,” IEEE (News - Alert) Computer Magazine, November 2008.

³ P. Li, M. Salour and X. Su, “A Survey of Worm Detection and Containment,” IEEE Communications Surveys and Tutorials, March 2008.

Mehdi Salour is the Vice President of Service Delivery and Support at 8x8 (News - Alert), Inc.

» Internet Telephony Magazine Table of Contents