VoIP security is a hot topic, and rightfully so. A compromised system can cost you $$$ in phone bills, so how do you prevent a breach? Well, the answer isn’t as complicated as you’d expect. There are a lot of opinions floating around on the subject, so let me address some truths and falsehoods that may be of importance when securing your VoIP system.
If you are a small business or are installing a VoIP system in your home, there is no need for an SBC. An SBC is a great device (or virtual appliance) because it masquerades your internal VoIP infrastructure. In basic terms, a SIP trunk from a provider terminates to the SBC, which then connects to your phone system via a SIP trunk. The SBC acts as the middleman in the transaction. To an outsider, SIP header information sources from the SBC and not your internal equipment. Although an SBC is a great extra layer of security and reduces overall attack vectors, it’s not required to make VoIP reliably secure for the majority of small deployments. Terminating a SIP trunk directly to your phone system behind a hardware-based or virtual firewall provides the security that would be deemed required to keep you incurring fraudulent toll charges.
On the same topic as above, if you are going to be using SIP trunks to talk to the outside world, you’ll need a hardware or virtual firewall appliance to secure what is allowed in and out. In addition to the basics of protecting SSH, Telnet, and HTTP/HTTPS access to your phone system, you should always restrict what IP addresses can communicate directly to the phone system when it comes to SIP, and IAX (if you use it). What that means is only allowing IP addresses from your SIP provider, any remote extensions, or remote branches. Never ever expose your system directly to the internet without some type of firewall in front of it.
This is not true but isn’t a bad idea. A VPN will allow you to bypass NAT, which is the culprit in most one-way audio issues. The trick here is to tell the phone system all of the local IP subnets that it will be talking SIP. You’ll find this to be configurable on just about every Asterisk based phone system. A VPN also allows you to encrypt your session if you’re worried about the NSA listening in. An alternative would be using TLS and SRTP without a VPN, but you’ll just lose the benefit of avoiding NAT. The best way to securely deploy remote extensions is to use either a VPN or TLS. If you’re not using a VPN, make sure to define your inside IP subnets (as mentioned before), as well as your external IP address. These are all also configurable on just about any Asterisk system. Make sure you port forward SIP and RTP in your firewall to your phone system and secure your inbound rules by source IP addresses. Every system is a little different, but most Asterisk systems use 5060 UDP (SIP), and 10000-20000 UDP (RTP).
If you’re going to take on the task of managing an IP phone system in your IT infrastructure, you need to adopt the mindset of monitoring it. Especially if you have port 5060 open to the outside world, you need to be logging and enabling alerts. In the past, phone systems have been bolted to a wall in a closet that no one ever went into except the PBX vendor. Now your system is racked next to your switches and servers. For those of you who are FreePBX users, Sangoma has just started to release their RMS platform, which simplifies centralized remote monitoring of multiple FreePBX and PBXAct systems. Stay tuned for a review on this!
This isn’t actually a common belief, but it comes from a post I recently read on Spiceworks. It was claimed that a system has been made more secure by not forwarding port 5060 UDP from the firewall to the actual PBX. If this configuration was actually working, it was a minor miracle. The fact is there are usually two components of sending SIP traffic through your firewall. There is a firewall rule, allowing the traffic, and a fixed NAT association with the protocol and a device within your network. As long as you’ve made appropriate rules allowing SIP to your system, the port forwarding is simply a mechanism to help keep consistent NAT associations. In general, SIP and NAT do not play well with each other. Pro TIP: when you experience one-way audio, always look at NAT first.
I bet you never thought of this one. If you have, bonus points. While you should ALWAYS restrict SIP traffic by source IP address, it’s not necessary to do so with RTP. RTP is simply a media stream and doesn’t have the capability of initiating a SIP session, or any kind of session. Dare I say, you can leave the RTP port range open on your firewall. However, it doesn’t really hurt anything to place a source IP restriction on it.
Publish Date: February 28, 2017 5:00 AM
|1.)||Call Center Studio|
Call Center Studio
Call Center Studio is the world’s first call center built on Google and is one of the most secure and stable systems with some of the industry’s best reporting. It is one of the most full-featured enterprise grade systems (with the most calling features, one of the best call distribution, outbound dialing features and integrations—including IVR, AI Speech Recognition, blended inbound/outbound calling and includes Google’s new Dialogflow and Speech API. Call Center Studio is the absolute easiest to use (with a 10 minute setup), and is the price performance leader with lower equipment cost and less setup time.
PH: +1 512-872-7565
|Grandstream Wave Free Softphone Application||July 16, 2018 5:00 AM|
|VoIP Hardware Roundup July 2018: AND Smart IP Button, Snom D120, and more!||July 16, 2018 5:00 AM|
|Plantronics Clarity 340 Is going End of Life (EoL) Immediately||July 13, 2018 5:00 AM|
|Microsoft Releases the Free Version of Microsoft Teams to Compete with Slack||July 13, 2018 5:00 AM|
|Broadvoice Named 2018 Unified Communications Product of the Year Winner||July 12, 2018 5:00 AM|
|Spectralink WiFi Phones Solve your Healthcare Communication Challenges||July 11, 2018 5:00 AM|
|SIP phones vs VoIP phones: What’s the difference?||July 11, 2018 5:00 AM|
|[Podcast] VoIP Fulfillment and Provisioning with VoIP Supply||July 9, 2018 5:00 AM|
|How to Avoid Bad VoIP Shopping Experiences (4 Tips included!)||July 3, 2018 5:00 AM|
|Plantronics Completed the 2 Billion Polycom Acquisition||July 3, 2018 5:00 AM|