IP-based unified communications (UC) systems enable a variety of operational and cost benefits by uniting telephony, email, voicemail, messaging, mobility, conferencing and more into a single, coherent communications platform. However, as organizations look to take advantage UC’s benefits, they should not overlook security concerns.
In IP-based phone systems, voice calls become data packets that travel over the network — subject to the same risks as any other data. Thus, the IP phone system is only as secure as the underlying network and server hardware. The infrastructure must be protected against data breaches, denial-of-service (DoS) attacks, malware and other threats.
More recently, there has also been a sharp rise in attacks exploiting the most common signaling protocol used for establishing communications in an IP network. IBM’s Security Intelligence group reported recently that more than half of the security events the group analyzed in 2016 targeted the Session Initiation Protocol (SIP).
Conventional security measures such as firewalls and intrusion detection and prevention systems alone aren’t enough to protect real-time communications systems. Securing UC platforms requires a layered approach with multiple security measures such as enterprise session border controllers (eSBCs), special firewalls, virtual LANs, virtual private networks (VPNs) and more.
An eSBC acts as a gatekeeper between customer and carrier networks in order to implement security and regulate traffic. Deployed as either dedicated hardware devices, software applications or virtualized network functions, eSBCs help secure the network edge, regulate traffic in and out of the network, and normalize signaling and media used in real-time communications.
An eSBC is particularly necessary for securing the SIP trunk that connects the IP-PBX to the traditional Public Switched Telephone Network (PSTN) over an Internet connection. This link is vulnerable because SIP packets are typically delivered in plain text, making it easier for them to be attacked or manipulated by hackers. An eSBC secures the connection by terminating and re-originating each communications session, processing traffic in real time to identify incoming threats. It also offers deep packet inspection, policy enforcement and other security functionality.
A VoIP-aware firewall is another important layer of UC security. Older firewalls may not recognize SIP and other VoIP protocols and can incorrectly block this traffic. VoIP-aware firewalls recognize voice packets and give them priority over data packets, while also blocking any packets that have malformed or suspicious protocol messaging.
Virtual LAN (VLAN) segmentation separates voice and data traffic, allowing implementation of voice-specific security protocols that would otherwise interfere with data traffic. Traffic shaping can be used to allot bandwidth to specific applications, so even if the network is under attack, there will be bandwidth available for voice traffic.
Passing voice through a VPN helps secure communications from remote employees by creating an encrypted tunnel over the public Internet. Standard data-encryption mechanisms inherent in the collection of protocols used to implement a VPN are easily applied to voice traffic.
Most important, securing a UC platform requires ongoing due diligence. Organizations should require strong passwords for SIP credentials, ensure that all updates to UC server software are applied promptly, turn off any features not in use, monitor call logs and use the system’s built-in authentication and encryption features.
Organizations often overlook security considerations with UC systems, focusing instead on voice quality and network overhead issues. In a recent Nemertes Research survey of IT security leaders, respondents rarely cited UC attacks as a top security concern. That’s a mistake. Strong security measures are the key to preventing breaches so you don’t have to deal with them after the fact.