IP Phone Systems Need Security, Too


Voice over IP (VoIP) systems have become inviting targets for cyber criminals. A new report from IBM’s Security Intelligence group notes a sharp rise in attacks exploiting Session Initiation Protocol (SIP), the most common signaling protocol used for establishing communications in an IP network. The report finds that attacks targeting SIP account for more than half of the security events the group analyzed in 2016.

VoIP systems generally face the same threats as other components of the IT infrastructure — threats that would not impact a legacy PBX. Hackers can break in with the intent of stealing phone service to make voice calls, to gather and/or disclose information, modify data, analyze traffic for clues to company strategies, and potentially shut down services.

These kinds of attacks are possible because IP networks are essentially open systems — there’s really nothing to stop anyone from trying to connect. That’s why web servers, email systems and other applications on the network are constantly being attacked, and why IP communications platforms need protection.

For this reason, ShoreTel recommends that you consider special security precautions for their VoIP and unified communications (UC) systems. A layered approach featuring multiple security measures will provide the strongest defense. These layers should include:

VoIP-aware firewall: Older firewalls may not recognize SIP and other VoIP protocols and can incorrectly block this traffic. VoIP-aware firewalls recognize voice packets and give them priority over data packets. The firewall will block any packets that have malformed or suspicious protocol messaging. Additionally, these firewalls incorporate access control lists to protect VoIP servers, media gateways and other equipment from external devices that are not supposed to communicate with them.

Virtual LAN (VLAN): VLAN segmentation separates voice and data traffic, allowing implementation of voice-specific security protocols that would otherwise interfere with data traffic. Traffic shaping can be used to allot bandwidth to specific applications, so even if the network is under attack, there will be bandwidth available for voice traffic. ShoreTel’s IP phone systems are designed to automatically set up VLANs for you.

Authentication / Encryption: IP voice must be protected against unauthorized recording, playback and other forms of electronic snooping. ShoreTel does this with 128-bit media encryption, the strongest protection against electronic eavesdropping and replay attacks. ShoreTel mobility offers authentication and encryption for mobile devices accessing the IP network. The ShoreTel RoamAnywhere client enforces appropriate security policies, and the ShoreTel Mobility Router secures the communications between the client device and the enterprise UC system.

Regular maintenance: Performing regular patching and keeping security protections up to date on endpoints and the voice system itself is just good sense. The web-based ShoreTel Director allows administrators to manage all voice applications from anywhere on the network.

One of the best things you can do to prevent VoIP-based attacks is to properly evaluate the security architecture of the platform upfront. Security is built into the ShoreTel architecture with an embedded system platform, distributed intelligence and network-independent call control. The ShoreTel software runs on a hardened appliance that has no moving parts other than a fan. ShoreTel voice switches deliver 99.999 percent availability. Call control is distributed, with no single point of failure. Voice mail and automated attendant are distributed in the voice switches as well, which provides remote survivability.

When evaluating VoIP and UC systems, there is a tendency to focus on issues such as voice quality, latency and interoperability — fundamental quality-of-service considerations that companies must resolve before they can even begin to justify the move to IP telephony. However, security is equally important, and organizations must be vigilant and aware of new and changing threats to IP-based communications systems.