This week on the Digium blog we have been featuring a discussion of security as it relates to UC systems. In this post we will visit some tips and best practices specific to small and medium-sized businesses (SMBs) for securing their unified communications systems.
Unified communications presents unique security challenges because it brings together disparate technologies. Using VoIP, video, chat and presence together has proven to provide productivity gains for businesses, but also presents security risks. In particular, securing VoIP networks is not the same as securing data networks. Most data traffic is transported over TCP, and as such the security built into networking devices such as routers and firewalls is designed around TCP, data-centric transport. VoIP is UDP based and time sensitive. Dropping a few packets while downloading a website is for the most part benign – the packets can simply be retransmitted. Voice and video streams are more fragile. Dropping too many UDP packets in a voice stream can cause call quality issues. As such, securing your unified communications requires a balanced approach. You must mitigate threats while also maintaining quality of service.
Likewise, managing security for an SMB offers unique challenges when compared to the larger, Enterprise space. While large businesses can often dedicate substantial resources toward securing their communications, those in the SMB space need security solutions that are both effective and simple. This actually works in favor of the SMBs since security and simplicity can work together. For example, installing an expensive and complex solution to secure your network can work against you. Improperly configured equipment can affect your call quality and potentially stop your VoIP equipment from functioning properly. Remember, accessibility is a key component to a secure network.
Despite being in a niche field, securing unified communications as an SMB follows many of the same security best practices that are effective in the Enterprise for a variety of technologies. The following best practices can help keep your communications flowing.
7 Tips for Effective UC Security
- Deploy a Properly Configured Firewall
- Use VPN for Remote Users
- Use Strong Passwords
- Update Regularly
- Turn Off Unused Services
- Monitor Your Call Logs
- Use built-in UC security tools
Deploy a Properly Configured Firewall
Due to the variety of firewall models and topologies available, giving specific advice is difficult. So, here are some practical tips for almost any configuration. For starters, it is always advisable to place high importance on security. This means being technically familiar with your equipment and its configuration. It is a responsibility you should take with the utmost seriousness. When shopping for firewalls, favor those that offer simple configuration and are designed for the SMB.
A good general rule of thumb is to block all unknown traffic into your network and then only allow traffic from trusted sources. This strategy doesn’t usually work well for your web server, but your UC server should absolutely be sequestered behind your firewall. In most cases, you should only allow internet traffic from your ITSP (Internet Telephony Service Provider) or VoIP provider. This is the company that supplies your SIP trunk or hosted VoIP services. Allow access only on the ports necessary and only to the IP or block of IPs that your provider uses.
Some complex firewalls tout features such as SIP ALG (Application Level Gateway). Although SIP ALG is advertised as a security feature for VoIP, it tends to not work as advertised. Instead, ALGs have a tendency to mangle SIP packets or modify headers in a way that breaks functionality. A general best practice is to do extensive interoperability testing prior to deployment or simply disable SIP ALG in your firewall and/or router.
Surprisingly enough, many small and even medium-sized businesses do not deploy a firewall. Or, they deploy a firewall, but open ports to all networks to allow remote users. This is almost the same as having no firewall at all. Although some UC servers, like Switchvox, have built-in attack mitigation mechanisms, these should not be solely relied upon. Your firewall is designed to sort traffic; your UC server is not. Using each device for its intended purpose will keep your network the most secure. In the SMB, managing remote users is better done through a VPN.
Enable a VPN for Remote Users
VPN stands for Virtual Private Network. Many SMB networking devices, such as routers and firewalls, come with built-in VPN capability. Quality VPN devices are now available at affordable prices. For your remote users, and while connecting remote SMB offices, the simplest option is to deploy a VPN device at both ends. The connected devices form an encrypted “tunnel” over the public internet. This “virtual” network keeps all of your traffic safe.
VPNs have many benefits:
1. In addition to VoIP, the remote user can access other local network resources such as network shares and intranet web applications.
2. The traffic is encrypted to maintain privacy
3. NAT issues are eliminated or diminished
4. There are only a few ports to open in the firewall to allow the VPN traffic. They can be opened to all networks because the VPN requires authentication before establishing a connection.
Use Strong Passwords
Using strong (system) passwords is an extremely effective, yet often overlooked security measure. Strong passwords should be used for every password required in your UC solution. Business VoIP phones should especially be protected by unique strong SIP passwords. Keep in mind that if you re-use passwords or use weak passwords then it becomes extremely easy for an attacker to get access to SIP credentials. Once authenticated with a SIP account, an attacker can make calls as though they were using that phone – including toll calls that could result in very high fees.
Another area of concern is user passwords. If your UC solution requires user login, then you will want to ensure that you require strong passwords for your users. Switchvox, Digium’s UC solution, mitigates both of these threats by default: strong, unique SIP passwords are automatically generated and used for Digium phones attached to Switchvox.
Update Regularly
A standard security best practice that is almost universal to all technologies is to keep software up to date. As well as obtaining bug fixes, keeping your software updated helps improve security. As potential exploits are found, security patches are then released as software updates. The most recent version is typically the most secure.
Whenever you update your UC server you will want to follow the best practices for updating. Be aware of what has changed and how the update could impact your system; backing up the system first, and performing the update during a scheduled maintenance window also helps to ensure your users will have access to your system when they need it.
Turn Off Unused Services
Another standard hardening practice is to turn off any unused services. A good rule of thumb is that if you aren’t using a feature you want to shut it down. This lessens the potential attack surface. For example, if you are using voice, video and email communications but aren’t using chat, then it is best to turn off the chat functionality in the UC server. Not only does this improve security, but this will also improve performance as you will have less protocol traffic on the network and your server will be less taxed because it is doing less work.
Monitor Your Call Logs
Often attacks go unnoticed until a great amount of damage is done. By regularly reviewing system logs you can mitigate the damage by catching the attack and taking action early. In particular, running regular call log reports on toll calls made by your system can help create a baseline for normal activity. You’ll then be able to notice when activity exceeds this baseline. This can signal that the system has been compromised. By looking at the call logs you can investigate further.
Sometimes you may be able to enlist the help of your upstream provider. They may be able to notify you after a predetermined limit on toll-based calls is exceeded. Unfortunately, many providers do not offer such features. Instead it is your responsibility to monitor your logs and ensure that you are only sending the long distance calls that are intended.
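The baseline check described in this section can be scripted. The following is an added example, not code from Digium or Switchvox: it assumes a CSV call log with `date`, `extension`, `dialed` and `seconds` columns, treats numbers starting with `011` or `1900` as toll calls, and flags any day whose toll minutes exceed the mean plus three standard deviations of the first five days. The sample rows, prefixes and thresholds are all constructed for illustration.

```python
import csv, io, statistics
from collections import defaultdict

# Constructed sample call log (not a real export): one row per completed call.
SAMPLE_CDR = """\
date,extension,dialed,seconds
2024-03-04,101,0115550100,600
2024-03-04,102,5550142,900
2024-03-05,101,0115550100,720
2024-03-06,103,0115550117,480
2024-03-07,101,0115550100,660
2024-03-08,103,0115550117,540
2024-03-09,104,0115550199,7200
2024-03-09,104,0115550198,7200
"""

TOLL_PREFIXES = ("011", "1900")  # assumption: toll prefixes in your dial plan

def toll_rows(cdr_text):
    """Yield only the rows whose dialed number is a toll destination."""
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if row["dialed"].startswith(TOLL_PREFIXES):
            yield row

def toll_minutes_per_day(cdr_text):
    """Total toll minutes per calendar day, in date order."""
    totals = defaultdict(float)
    for row in toll_rows(cdr_text):
        totals[row["date"]] += int(row["seconds"]) / 60
    return dict(sorted(totals.items()))

def days_over_baseline(totals, baseline_days=5, sigmas=3.0):
    """Build the baseline from the first days, then flag later days above it."""
    days = list(totals)
    history = [totals[d] for d in days[:baseline_days]]
    limit = statistics.mean(history) + sigmas * statistics.stdev(history)
    return limit, [d for d in days[baseline_days:] if totals[d] > limit]

def minutes_by_extension(cdr_text, day):
    """Break a flagged day down by extension to see where to investigate."""
    per_ext = defaultdict(float)
    for row in toll_rows(cdr_text):
        if row["date"] == day:
            per_ext[row["extension"]] += int(row["seconds"]) / 60
    return dict(per_ext)

if __name__ == "__main__":
    limit, flagged = days_over_baseline(toll_minutes_per_day(SAMPLE_CDR))
    print(round(limit, 1), {d: minutes_by_extension(SAMPLE_CDR, d) for d in flagged})
```

Days with no toll calls do not appear in the totals, so a real report should fill them in as zero before computing the baseline.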
Use built-in UC security tools
The best way to secure your UC devices is to use dedicated security equipment, like VPNs and firewall routers. However, taking advantage of built-in security tools can add an extra level of protection. Digium Switchvox, for example, comes with security tools such as Access Control Rules, Automatic IP blocking and managed tech support access. The blocked IPs tool will block IP addresses that fail multiple registration attempts. In theory, a properly configured firewall should prevent SIP scanners from being able to reach your UC server; however, this additional level of security adds peace of mind and works as a functional back-up to round out your security suite.
Have a UC security tip to share? Please leave your security advice, tips or best practices to help others in a comment below. Keep in mind that ultimately security is your responsibility. You should discern whether the advice offered in this post or in the comments is applicable to your scenario and make the judgement that is best for you.
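To show how blocking on repeated registration failures works in principle, here is an added sketch; it is not Switchvox's implementation. It assumes log lines in the style of Asterisk's chan_sip registration-failure notice (the sample lines are constructed), and the threshold, time window and allowlist parameter are hypothetical choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
[2024-03-09 02:14:01] NOTICE[2101] chan_sip.c: Registration from '<sip:101@192.0.2.10>' failed for '203.0.113.50:5060' - Wrong password
[2024-03-09 02:14:03] NOTICE[2101] chan_sip.c: Registration from '<sip:102@192.0.2.10>' failed for '203.0.113.50:5060' - Wrong password
[2024-03-09 02:14:05] NOTICE[2101] chan_sip.c: Registration from '<sip:103@192.0.2.10>' failed for '203.0.113.50:5060' - Wrong password
[2024-03-09 09:00:10] NOTICE[2101] chan_sip.c: Registration from '<sip:105@192.0.2.10>' failed for '198.51.100.20:5060' - Wrong password
[2024-03-09 10:30:00] NOTICE[2101] chan_sip.c: Registration from '<sip:105@192.0.2.10>' failed for '198.51.100.20:5060' - Wrong password
[2024-03-09 10:30:20] VERBOSE[2101] chan_sip.c: Registered SIP '105' at 198.51.100.20:5060
"""

FAILED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE.*Registration from '.*' failed for '(?P<ip>[\d.]+)(?::\d+)?'"
)

def ips_to_block(log_text, threshold=3, window_seconds=60, allowlist=frozenset()):
    """Return source IPs with `threshold` failures inside a sliding window.

    Assumes the log is in chronological order. Addresses in `allowlist`
    (for example your own offices) are never reported.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m["ip"] in allowlist:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        # Forget failures that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and m["ip"] not in blocked:
            blocked.append(m["ip"])
    return blocked

if __name__ == "__main__":
    print(ips_to_block(SAMPLE_LOG))
```

The user at 198.51.100.20 who mistyped a password twice, ninety minutes apart, stays below the default threshold, while the burst from 203.0.113.50 is reported.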