Best practices to deploy IP telephony networks
With the rapidly changing ways of doing business, IP telephony has become a crucial part of any organization, for performing their day-today operations. An integrally connected organization can pave an enriching way to success.
But, most of the time security aspect related to IP based communications network, underlying infrastructure and applications are not given prior importance. In this blog, we are going to discuss why it is important to speculate about securing an IP telephony network and what are the best practices of deploying IP telephony networks. Here we go:
1. Make a development plan of an IP telephony security program as a cross‐organizational & collaborative project involving all stakeholders.
2. Carry out risk assessment that figures the entire, detailed list of threats, their probability, their possible quantitative impact and based upon this analysis, what prioritized mitigation actions should be taken for each of these threats.
3. There is a need that the organizations analyse IP telephony security from a business perspective so that they are able to give a way to their goals and aspirations. However, security strategy must be in accordance with applicable laws and regulations. And, it must be properly implemented and balanced against business risks.
4. Consider potential security risks and plan before so that any sort of threats to IP telephony infrastructure can be easily prevented, at all OSI 7 Layers .
Undoubtedly, there are ample number and types of threats that constantly interrupt the natural flow of IP telephony network. Here we are going to discuss several types of threats that IP telephony system becomes a victim of and they are:
1. Leakage of Privacy / Confidentiality – This includes voice call eavesdropping hijacking sessions.
2. Authenticity Issues which includes impersonation.
3. Network Infiltration
4. Theft which includes toll fraud or data theft
5. SPIT (Spam over Internet Telephony which includes uninvited calling
Layer 1 Security (Physical Layer)
1. Authorized access to data center and other facilities. Guards at data center or facility periphery
2. At the periphery of data center and entry/exit points, there must be alarms and sensors present
3. Adequate arrangements done for fire extinguishing
4. Automatic doors must be there with break proof glass
5. CCTV cameras wherever needed (and possible)
6. High level security access(role based) to all network equipments(including PBX).
7. Servers and other network devices should be up and running 24hrs a day
8. Network equipment in data center must be secured at user access level
Layer 2 Security(Switching Layer)
1. Data and voice components VLAN are separated
2. Port based security must be applied wherever possible
3. Dynamic ARP inspection
4. DHCP snooping
5. Limited MAC addresses per physical switch port
6. Layer 2 ACL’s (where possible)
7. Layer 2 QOS to differentiate between priority, default, and scavenger traffic (where possible)
8. Network Access Control (NAC)
9. VLAN pruning
10. Secure management access to switch interface (SSH)
Layer 3 Security (Routing Layer) Secure Layer 3 (routing) by routing protocol authentication, NTP authentication, based filtering (RFC 1918 addresses).
1. Routing protocol authentication
2. Secure access to router console, VTY (SSH)
3. Secure access to router GUI (HTTPS)
4. Filtering of RFC 1918 addresses (at aggregation from untrusted networks)
5. Route Poisoning must be avoided at any costs.
6. Layer 3 QOS is deployed for making a differentiation between desired and malicious traffic
Layer 4 -7 Security (LAN/WAN/Peripheral)
1. Firewalls to broker connection from untrusted zone to trusted zone (filtering TCP/UDP connections)
2. Servers facing Internet or extranet must be placed in DMZ.
3. One can inspect and filter/ drop packets and sessions as malicious packet content witH Network Intrusion Prevention System (NIPS).
4. IPSec/SSL VPN based off Firewall and IOS routers
5. UC proxy services (TLS proxy/Phone proxy)
6. Deep packet scanning (inspect)
7. Rate limiting by Application Inspection Control (AIC)
IP telephony Server Security (Call Control)
1. Secure communications by virtue of Certificate Authentication Proxy Function (CAPF)—TLS for signaling and SRTP for media
2. Secure access to GUI (HTTPS)
3. Secure CTI/JTAPI
4. Secure LDAP integration
5. Secure voicemail integration
6. Secure presence integration
7. Secure SIP Trunks
8. External certificates Integration (Third Party PKI chain)
9. Industry standard SSO solution Integration
10. Host Intrusion Prevention System (HIPS)—CSA/SELinux
11. Role based management and user access
Free Download: Learn how to make your business communications effective and borderless with our UCC solutions.
IP telephony Server Security (Voicemail)
1. Secure communications with endpoints—TLS for signaling and SRTP for media
2. Secure integration with call control
3. Secure access to GUI (HTTPS)
4. Secure LDAP integration
5. External Certificates Integration (Third Party PKI chain)
6. Secure voice messaging (private messages)
7. Industry standard SSO solution Integration
8. Role based management and user access
IP telephony Server Security (Presence)
1. Secure communications with endpoints—TLS for signaling and SRTP for media
2. Secure integration with call control
3. Secure access to GUI (HTTPS)
4. Secure LDAP integration
5. Integration with external certificates (Third Party PKI chain)
6. HIPS
IP telephony Server Security (Contact Center)
1. Secure integration with call control server
2. Secure recording
3. Secure endpoints for agents
4. Secure recoding
5. Platforms OS, windows based platforms (Antivirus, HIPS) must be secure.
IP Phone Security (Wired, Wireless, and Soft phone)
1. Secure endpoint with secure certificates
2. Secure endpoint with built-in certificates
3. Secure network admission
4. Secure WiFi admission (WPA, WPA2)
5. Access to settings must be restricted.
6. Phone hardening
7. Internet Phone
8. Access to system registry must be restricted (for softphone)
9. Trusted Relay Point (for softphone)
IP telephony Network Management
1. Secure access to network equipment and servers (In-Band or Out Of Band management)
2. Secure network management protocols for example: SSH, SCP, SFTP, HTTPS
3. Security for Event Management System
4. Need to make a backup and restore processes
5. There should be a system or/and a site to recover from any sort of disaster.
* Segregate voice , data & Video on different VLANs. LAN switches must be equipped with 802.1p prioritization in order to identify and prioritize traffic based on VLAN tags and to support multiple queues. Port security, DHCP snooping, DAI, and other mechanisms are enabled for defending Layer 2.
* QoS must be applied
* Taking the benefit from VPN technology—IPSec or SSL or both; with this, secure pathway is ensured for endpoints which are outside organization’s physical or logical premises, remote workers, and extranet. For encrypting voice media, voice signaling, and data traffic using IPSec, Voice and Video enabled VPN technology can be employed .
* There is a need to avoid firewalls at the boundaries and within network for granular control, protocol conformance checking and security checks. Use firewall for encrypted voice traffic support through firewall.
* For unifying endpoint security and network security enforcement, , NAC must be employed which makes one accessible to network in accordance with established security policies.
* Management traffic on its own VLAN (OOB) must be seperated. There is a need to put some effort on management access control, authorization, logging and management. In this way, one can keep a complete check on the management and the managed systems.
* The employees of any organization must remain aware of their responsibilities relevant to organization’s Intellectual Capital (IC) and Information.
Conclusion
A completely secure, robust IP telephony network is an asset to any organization. There can be no denying the fact that deploying IP telephony would make the enterprise vulnerable to some serious threats and hamper its progress. Therefore, there is a dire need of a secure IP telephony system that puts into consideration voice, data and video communications as a singular unified system and then implementing a multilayered defense construct for the system infrastructure, call management, applications and end points.
These security controls provide a fair perspective for the necessity of security and the potential threats that must be taken care of, in accordance with the organization’s goals and aspirations.
