Blog | Grandstream Networks

Best Practices and Tips to Increase Security in VoIP Networks

en español

Let’s face it, security in VoIP is a top concern, especially when multiple locations and users are connected under the same network— if something goes wrong, that means your entire system and everyone in it is affected. Thankfully, with the right security practices, keeping your VoIP network safe and protected doesn’t have to be messy. Today, I am going to list the most effective ways to keep your VoIP network secured and how you can apply these best practices to your own communication hub.

Encrypt your communication with SIPS & SRTP
To keep the information shared between a server and a client safe, the recommended protocols are SIPS or SIP over TLS, and SRTP.  These protocols encrypt the exchange of signaling messages and audio traffic and solve authentication, confidentiality and integrity problems commonly seen in these scenarios. Using SIPS means that a secured connection between an IP PBX and an IP endpoint can be established thanks to TLS (Transport Layer Security). To form a secured peer to peer connection a key is exchanged in the SSL tunnel, signaling the encrypted connection. What’s great about SIPS and SRTP is that they encrypt all information associated with call initiation, processing, and audio traffic. For example, during a call, not just the audio file will be secured but also all related information like caller ID, voicemail, etc., extending security to your data during the exchange processes. One thing to keep in mind is that in order to use these secured protocols, all involved devices have to support SIPS and SRTP simultaneously or else the connection cannot be established. Other recommended encryption protocols are SSH for remote log in from one computer to another, and SSL & HTTPS for linking a web server and a browser.

Protect your network with secured, unique values and passwords
It’s important to take security a step further and always use unique passwords and values when setting up your VoIP network. This practice prevents hackers from guessing default values and keeps your network and all transferred information safe and secured. For example, always use a single username and password for each authentication session. It’s never a good idea to allow concurrent VoIP sessions with the same credentials as this can make your network vulnerable to hackers. When mapping numbers and routing plans, avoid using default aliases for E.164, and make sure E.164 is customized and unique. As a best practice, use one unique E.164 alias for every username and password. To add extra layers of protection, all VoIP devices should use unique pins that are at least four digits long. And finally, each endpoint should have different alias names. If two endpoints try to register with the same alias name, the endpoints should receive error messages to alert the administrator of duplicate values.

Place secured authentication practices for your call signaling protocols
Whether you use H.323 or H.225, it’s important to configure these protocols with secured authentication practices. To start, avoid using the standard H.323 authentication that uses MD5 hash and password as this is not an encryption method because it always generates the same 128-bit hash values, making it easy to retrace through a process called replay. Instead, wrap H.225 in a TLS tunnel used for session layer protection using H.323 (H.323 using SSL/TLS). The most common authentication method is called password hashing, consisting of a combination of an MD5 hash password, username (H.323 ID or general ID) and timestamp to create a unique hash for each authentication request. However, keep in mind that this process has some vulnerable constituents because of possible replay attacks. As for the H.225 signaling protocols, these use a timestamp for NTP server authentication, so it’s important to set the duration of this timestamp of no more than 15 minutes to prevent replay attacks. Lastly, regardless if you are using SIP, H.323 or IAX, make sure your session protocols require authentication in order to unregister a user agent or endpoint.

Set up secured protocols and processes for your network
Customizing a plan that prevents vulnerable and weak networks is essential for achieving maximum security in your VoIP network. A recommended practice is to use the out-of-band device management method from an isolated and secure management network, as this creates a secured path to manage a remote network without interfering with normal traffic. However, if you do use the in-band device management method, make sure the in-band management is encrypted. When it comes to daily management practices, it’s important to have VoIP management software that logs any critical events or activities to be reviewed or audited regularly. To maintain uninterrupted servers running at all times, it’s recommended to use two DHCP servers— if one server goes down, the other server can continue to lease new addresses or renew existing clients, also helping to balance server usage. Some other best practices for protocol management include using non-self-signed SSLv3/TLSv1 with strong ciphers during the handshake process initiating encryption. To prevent unprotected environments during the exchange of communication, connections should be dropped immediately if an incorrect, expired, or self-signed SSL certificate is used. A good practice is to turn off auto-discovery options for all external gatekeepers as this can prevent unauthorized access to the central management entity that oversees authentication, authorization, telephone directory, call control and routing. Lastly, placing the voice network behind a firewall and allowing only authorized access by defining explicit rules on the firewall or the security device can significantly increase your network’s protection.

While it’s impossible to overcome all security problems and some things are inevitable, setting up a plan of best practices and procedures to keep your VoIP network safe can put you a step ahead in crisis management. It’s vital to come up with a list of crucial security items to apply to your network and keep an eye out on the areas that can most effect your business communication.

 

 

Sources:
Dwivedi, H. (2009). Hacking VoIP: Protocols, attacks, and countermeasures. San Francisco: No Starch Press.