


The Dos and Don'ts of Securing Your VoIP Communications

Voice-over-IP (VoIP) is one of the most cost-effective network solutions a small business can buy, but you can quickly take a bite out of those savings if you don't enter into it with your eyes open. Understanding all the aspects of voice as they pertain to running on a data network is key to successfully deploying this technology. One of the most important aspects of VoIP, yet one that's very often given short shrift in deployment projects and planning sessions, is security.

That can be an exceptionally bad mistake these days for several reasons. First, many businesses are moving to a much more distributed networking model due to the pandemic. Users are working from home, and for many companies that move may become permanent. That means your clean and consolidated office network is now connected to a potential rat's nest of home networks with unknown routers running unknown (and often default) settings, as well as to a hodgepodge of personal, unmanaged devices. That can affect not only VoIP performance (meaning the clarity of a conversation), but also security, in terms of both password protection and traffic integrity.

This leads into the other problem with a distributed VoIP architecture. Most VoIP providers these days have some form of unified communications as a service (UCaaS) software client, or softphone. This isn't simply a phone that runs on your PC or mobile device, though that's the most popular usage at many companies. For many providers, like RingCentral's Glip, these tools combine phone capabilities with text-based chat, shared meetings, video conferencing, scheduling, as well as file sharing and data transfer features, among others. Managing security for such powerful apps is critical.

Whether it's ensuring secure user authentication and network configuration or enabling end-to-end encryption in all VoIP communication and data storage, organizations need to be diligent both in overseeing IT management and in working closely with their business VoIP provider to ensure that security requirements are being met and enforced.

Michael Machado, Chief Security Officer (CSO) at RingCentral, oversees security for all of RingCentral's cloud and VoIP services. Machado has spent the past 18 years in IT and cloud security, first as a security architect and operations manager at WebEx, and then at Cisco after the company acquired the video conferencing service.

Security considerations in your company's VoIP communications start in the research and buying stage, before you even select a VoIP provider, and persist through implementation and management. Machado walked through the entire process from a security perspective, stopping to explain plenty of do's and don'ts for businesses of all sizes along the way.


Selecting Your VoIP Provider

DON'T: Neglect the Shared Security Model

Whether you're a small business or a large enterprise, the first thing you need to understand (independent even of VoIP and Unified Communications-as-a-Service, UCaaS) is that all cloud services in general operate under a shared security model. Machado said that, as the customer, your business always shares some responsibility for the secure implementation of all the cloud services you're adopting.

"It's key for customers to understand, especially when a company is smaller and has fewer resources," said Machado. "People think VoIP is a mechanical device connected to a copper line. It's not. A VoIP phone, whether it's a physical handset, a computer with software running on it, a mobile app, or a softphone application, it's not the same thing as a mechanical phone plugged into the PSTN [public switched telephone network]. It's not like a regular telephone—you're going to have some responsibility for making sure the security has a closed loop between the customer and vendor."

DO: Vendor Due Diligence

Once you understand that shared responsibility and want to adopt a cloud VoIP service, it makes sense to do your due diligence when selecting your vendor. Depending on your size and the expertise you have on staff, Machado explained how enterprises and small to midsize businesses (SMBs) can go about this in different ways.

"If you're a large company that can afford to spend the time on due diligence, you can come up with a list of questions to ask every vendor, review their audit report, and have a few meetings to discuss security," said Machado. "If you're a small business, you might not have the expertise to analyze a [Service Organization Control] SOC 2 audit report or the time to invest in a heavy-lift discussion.

"Instead, you can look at things like Gartner's Magic Quadrant report, and look to see if they have a SOC 1 or SOC 2 report available, even if you don't have the time or expertise to read through and understand it," Machado explained. "The audit report is a good indication of companies making a strong investment in security versus companies that are not. You can also look for a SOC 3 report in addition to SOC 2. It's a lightweight, certification-like version of the same standards. These are the things you can look for as a small business to start moving in the right direction on security."

DO: Negotiate Security Terms in Your Contract

Now you're at the point where you've selected a VoIP vendor and you're considering the possibility of making a buying decision. Machado recommended that, whenever possible, businesses should try to get explicit security agreements and terms in writing when negotiating a contract with a cloud vendor.

"Small company, big company, it doesn't matter. The smaller the company, the less power you'll have to negotiate those specific terms, but it's a 'don't ask, don't get' scenario," said Machado. "See what you can get in your vendor agreements with regards to security obligations from the vendor."


Implementing VoIP Security

DO: Use Encrypted VoIP Services

When it comes to deployment, Machado said there's no excuse for a modern VoIP service not to offer end-to-end encryption. Machado recommended that organizations look for services that encrypt both the call signaling (SIP over Transport Layer Security, TLS) and the media stream itself (Secure Real-Time Transport Protocol, SRTP), and that do so, ideally, without upselling for core security measures. The two are complementary rather than alternatives: TLS protects the SIP exchange that sets up the call (dialed numbers, credentials and, when SRTP keys are negotiated in the SDP, the media keys themselves), while SRTP protects the voice packets. Both normally terminate at the provider's infrastructure, which is why how the provider handles recordings and other media at rest matters as well.

"Don't always go for the cheapest service; it can be worthwhile to pay a premium for a more secure VoIP. Even better is when you don't have to pay a premium for security in your cloud services," said Machado. "As a customer, you should just be able to enable encrypted VoIP and off you go. It's also important that the provider is using not only encrypted signaling, but also encrypting media at rest. People want their conversations to be private, not traversing the internet with plain text voice. Make sure your vendor will support that level of encryption and that it's not going to cost you more."
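A quick way to verify what a provider's "encrypted VoIP" actually delivers is to look at a call setup: the Via header of a SIP INVITE says whether signaling runs over TLS, and the SDP offer's m= line says whether the media is plain RTP (RTP/AVP), SRTP keyed in the SDP (RTP/SAVP plus an a=crypto line), or SRTP keyed by DTLS (UDP/TLS/RTP/SAVP plus an a=fingerprint line). The audit below is an added example written for this page, not code from the article or from RingCentral. The two INVITEs it inspects are constructed, the domain voip.example and all addresses are placeholders, and the checks cover only these common profiles rather than the full SIP/SDP grammar.

```python
"""Audit a SIP INVITE for plaintext signaling and plaintext media.

Added example: the INVITEs below are constructed, not captured traffic, and the
checks are a minimal reading of the SDP offer rather than a full SIP parser.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Transport profiles on the SDP m= line and what each implies for the media.
PLAINTEXT_PROFILES = {"RTP/AVP", "RTP/AVPF"}                    # plain RTP
SDES_SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}                   # SRTP, key carried in a=crypto
DTLS_SRTP_PROFILES = {"UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}   # SRTP, key from DTLS handshake


@dataclass(frozen=True)
class Finding:
    severity: str  # "HIGH" or "MEDIUM"
    message: str


def _normalize(message: str) -> str:
    return message.replace("\r\n", "\n")


def sip_transport(message: str) -> str:
    """Transport named in the topmost Via header ('UDP', 'TCP', 'TLS', ...)."""
    m = re.search(r"^Via:\s*SIP/2\.0/([A-Za-z]+)", _normalize(message), re.MULTILINE)
    return m.group(1).upper() if m else "UNKNOWN"


def media_sections(message: str) -> list[tuple[str, str, list[str]]]:
    """Return (media type, transport profile, a= attributes) per m= section of the SDP body."""
    _, _, body = _normalize(message).partition("\n\n")  # blank line separates headers from body
    sections: list[tuple[str, str, list[str]]] = []
    for line in body.splitlines():
        if line.startswith("m="):
            media, _port, profile, *_fmts = line[2:].split()  # m=<media> <port> <proto> <fmt>...
            sections.append((media, profile, []))
        elif line.startswith("a=") and sections:
            sections[-1][2].append(line[2:])
    return sections


def audit_invite(message: str) -> list[Finding]:
    """Flag every way the offered call would expose signaling, media, or media keys."""
    findings: list[Finding] = []
    transport = sip_transport(message)
    signaling_encrypted = transport == "TLS"
    if not signaling_encrypted:
        findings.append(Finding("HIGH", f"signaling over {transport}: dialed numbers and digest "
                                        f"authentication cross the network in the clear"))
    for media, profile, attrs in media_sections(message):
        has_crypto = any(a.startswith("crypto:") for a in attrs)
        has_fingerprint = any(a.startswith("fingerprint:") for a in attrs)
        if profile in PLAINTEXT_PROFILES:
            findings.append(Finding("HIGH", f"{media} offered as {profile}: RTP in the clear"))
        elif profile in SDES_SRTP_PROFILES:
            if not has_crypto:
                findings.append(Finding("MEDIUM", f"{media} offers {profile} without an a=crypto line"))
            elif not signaling_encrypted:
                # SDES puts the SRTP master key inside the SDP, so plaintext signaling leaks it.
                findings.append(Finding("HIGH", f"{media} SRTP key in a=crypto travels over {transport} signaling"))
        elif profile in DTLS_SRTP_PROFILES:
            if not has_fingerprint:
                findings.append(Finding("MEDIUM", f"{media} offers {profile} without an a=fingerprint line"))
        else:
            findings.append(Finding("MEDIUM", f"{media} uses unrecognized profile {profile}"))
    return findings


# Constructed sample: SIP over UDP with a plain RTP offer (the weak configuration).
WEAK_INVITE = "\r\n".join([
    "INVITE sip:2125550100@voip.example SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@voip.example>;tag=1928301774",
    "To: <sip:2125550100@voip.example>",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0", "o=alice 2890844526 2890844526 IN IP4 192.0.2.10", "s=-",
    "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49170 RTP/AVP 0 8 101",
    "a=rtpmap:0 PCMU/8000", "a=rtpmap:101 telephone-event/8000",
])

# Same call hardened: SIP over TLS and SRTP with its key in a=crypto (key value is illustrative).
HARDENED_INVITE = (
    WEAK_INVITE
    .replace("SIP/2.0/UDP 192.0.2.10:5060", "SIP/2.0/TLS 192.0.2.10:5061")
    .replace("m=audio 49170 RTP/AVP 0 8 101",
             "m=audio 49170 RTP/SAVP 0 8 101\r\n"
             "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:32")
)

if __name__ == "__main__":
    for name, invite in (("weak", WEAK_INVITE), ("hardened", HARDENED_INVITE)):
        print(name, [f"{f.severity}: {f.message}" for f in audit_invite(invite)] or "no findings")
```

Note the third case the audit catches: a provider that enables SRTP but leaves signaling on UDP or TCP has placed the SRTP key in a plaintext SDP body, so the media is only as private as the signaling path. Asking for "TLS and SRTP" together, as the text above recommends, is what closes that gap.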

DON'T: Mix Your LANs

On the network side of your deployment, most organizations have a mix of handsets and cloud-based interfaces. Many employees may just be using a VoIP mobile app or softphone, but there will often be a mix of desk phones and conference phones connected to the VoIP network as well. Machado said it's crucial not to mix form factors and connected devices within the same network design.

"You want to set up a separate voice LAN. You don't want your hard-voice phones co-mingling on the same network with your workstations and printers. That's not good network design," said Machado. "If you go that route, there are problematic security implications down the line. There's no reason for your workspaces to be talking to one another. My laptop doesn't need to talk to yours; it's not the same as a server farm with applications talking to databases."

Instead, Machado recommends…

DO: Set Up Private VLANs

A private VLAN (virtual LAN), as Machado explained, lets IT managers better control their networks. An ordinary VLAN segments a specific kind of traffic (in this case VoIP) onto its own broadcast domain; a private VLAN goes a step further and isolates the ports within that VLAN from one another, so each phone can reach only the uplink port toward the router or call server, not the phone next to it. While there are other ways to keep your VoIP traffic protected from congestion caused by other application traffic on your network (that's Quality of Service, QoS, which is a performance measure rather than a security one), separating VoIP traffic is the goal, and nothing keeps traffic separate like putting it on its own network.

"From an endpoint security architecture perspective, private VLANs are a good network design because they give you the ability to turn on this feature on the switch that says 'this workstation can't talk to the other workstation.' If you have your VoIP phones or voice-enabled devices on the same network as everything else, that doesn't work," said Machado. "It's important to set up your dedicated voice LAN as part of a more privileged security design."

DON'T: Leave Your VoIP Outside the Firewall

Your VoIP phone is a computing device plugged into Ethernet or your Wi-Fi network. As a connected endpoint, Machado said, it's important for customers to remember that, just like any other computing device, it also needs to be behind the corporate firewall.

"The VoIP phone has a user interface [UI] for users to log in and for admins to do system administration on the phone. Not every VoIP phone has firmware to protect against brute-force attacks," said Machado. "Your email account will lock after a few attempts, but not every VoIP phone works the same way. If you don't put a firewall in front of it, it's like opening that web application to anyone on the internet who wants to script a brute force attack and log in."

For companies faced with deploying such devices in workers' homes, this process is necessarily more complicated. First, consider mandating a softphone instead of going to the trouble of shipping out a slew of handsets. With a cheap headset that includes a microphone, softphones are every bit as effective and easy to use as a regular telephone. They also run on a PC or mobile device that's probably connected wirelessly to the home network, which means the device sits behind the home router's NAT and firewall. That blocks unsolicited inbound connections from the internet, though it does nothing against another compromised device already on the same home network, so the host running the softphone still has to be managed and patched like any other corporate endpoint.

However, IT should make it a point to ensure that every home wireless router not only implements a firewall, but does so in a VoIP-friendly way. That means some testing by IT staffers across different router models, but once that's done they should be able to help home users implement the proper settings fairly quickly over the phone.


VoIP Service Management

DO: Change Your Default Passwords

Regardless of the manufacturer from which you receive your VoIP handsets, the devices will ship with default credentials, like any other piece of hardware that comes with a web UI. To avoid the kind of simple vulnerabilities that led to the Mirai botnet DDoS attack, Machado said the easiest thing to do is just to change those defaults.

"Customers need to take proactive steps to secure their phones," said Machado. "Change the default passwords immediately or, if your vendor manages the phone endpoints for you, make sure they're changing those default passwords on your behalf."

DO: Keep Track of Your Usage

Whether it's a cloud phone system, an on-premises voice system, or a private branch exchange (PBX), Machado said that all VoIP services have an attack surface and eventually may get hacked. When that happens, he said, one of the most typical attacks is an account takeover (ATO) used for telecom fraud, also known as toll fraud or traffic pumping. This means that, once a VoIP account is compromised, the attacker places calls that cost the owner money, typically to international or premium-rate numbers from which the attacker collects a share of the charges. The best defense is to keep track of your usage.

"Say you're a threat actor. You've got access to voice services and you're trying to make calls out. If your organization is watching its usage, you'll be able to spot if there's an unusually high bill or see something like a user on the phone for 45 minutes with a location that no employees have any reason to call. It's all about paying attention," said Machado.

"If you're 'cloud-ifying' this (meaning, not using a traditional PBX or on-premises-only VoIP), then have a conversation with your service provider asking what you're doing to protect me," he added. "Are there knobs and dials I can turn on and off with regards to service? Are you doing back-end fraud monitoring or user behavior analytics looking for anomalous usage on my behalf? These are important questions to ask."

DON'T: Have Over-Broad Security Permissions

On the subject of usage, one way to cap potential ATO damage is to turn off permissions and features you know your business doesn't need, just in case. Machado gave international calling as an example.

"If your business doesn't need to call all parts of the world, then don't turn on calling to all parts of the world," he said. "If you only do business in the United States, Canada, and Mexico, do you want every other country available for calling, or does it just make sense to shut it off in the case of ATO? Don't leave any over-broad permissions for your users for any technology service, and anything that's not necessary for your business use qualifies as over-broad."
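The two pieces of advice above, watching usage and restricting which countries can be dialed, come together naturally in a review of call detail records (CDRs). The script below is an added example written for this page, not code from the article or from RingCentral. It encodes a destination allowlist for the three countries Machado names, flags calls longer than a business-normal maximum (his 45-minute example comfortably exceeds it), and looks for bursts of after-hours calls from one account, which is what a scripted ATO looks like in the records. The CDR fields, the country-code table (a small constructed subset of E.164 prefixes) and every threshold are assumptions chosen for illustration; a real deployment would load the provider's CDR export and the full prefix table.

```python
"""Flag account-takeover (toll fraud) patterns in call detail records.

Added example: the records, the country-code table and the thresholds are all
constructed for illustration; a real deployment would load the provider's CDR
export and the full E.164 table.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed subset of E.164 country calling codes (1 to 3 digits long).
COUNTRY_CODES = {
    "1": "US/CA", "52": "MX", "44": "GB", "53": "CU", "252": "SO", "371": "LV", "881": "SAT",
}


@dataclass(frozen=True)
class CallRecord:
    user: str
    start: datetime
    duration_s: int
    destination: str  # E.164 with leading '+'


@dataclass(frozen=True)
class Policy:
    allowed_countries: frozenset[str]  # the "only where we do business" allowlist
    max_duration_s: int                # longest call considered normal
    burst_calls: int                   # this many after-hours calls ...
    burst_window: timedelta            # ... inside this window is a burst
    business_hours: tuple[int, int]    # local hours [open, close)


@dataclass(frozen=True)
class Alert:
    user: str
    rule: str   # "destination", "duration" or "burst"
    detail: str


def country_of(destination: str) -> str:
    """Longest-prefix match: '+371' is Latvia, not '+37' or '+3'."""
    digits = destination.lstrip("+")
    for length in (3, 2, 1):
        code = COUNTRY_CODES.get(digits[:length])
        if code:
            return code
    return "UNKNOWN"


def audit_cdrs(cdrs: list[CallRecord], policy: Policy) -> list[Alert]:
    alerts: list[Alert] = []
    by_user: dict[str, list[CallRecord]] = defaultdict(list)
    for cdr in cdrs:
        country = country_of(cdr.destination)
        if country not in policy.allowed_countries:
            alerts.append(Alert(cdr.user, "destination",
                                f"call to {cdr.destination} ({country}) outside allowed countries"))
        if cdr.duration_s > policy.max_duration_s:
            alerts.append(Alert(cdr.user, "duration",
                                f"{cdr.duration_s // 60} min call to {cdr.destination}"))
        by_user[cdr.user].append(cdr)

    open_h, close_h = policy.business_hours
    for user, calls in by_user.items():
        # Sliding window over the start times of this user's after-hours calls.
        starts = sorted(c.start for c in calls if not open_h <= c.start.hour < close_h)
        for i, first in enumerate(starts):
            in_window = [t for t in starts[i:] if t - first <= policy.burst_window]
            if len(in_window) >= policy.burst_calls:
                alerts.append(Alert(user, "burst",
                                    f"{len(in_window)} after-hours calls within "
                                    f"{policy.burst_window} starting {first:%Y-%m-%d %H:%M}"))
                break
    return alerts


DEFAULT_POLICY = Policy(
    allowed_countries=frozenset({"US/CA", "MX"}),
    max_duration_s=30 * 60,
    burst_calls=3,
    burst_window=timedelta(minutes=10),
    business_hours=(8, 18),
)

# Constructed CDRs: alice and carol look like normal business use; bob's account
# places three 45-minute calls to Latvian numbers at 2 a.m.
SAMPLE_CDRS = [
    CallRecord("alice", datetime(2021, 3, 1, 9, 5), 300, "+12125550100"),
    CallRecord("alice", datetime(2021, 3, 1, 10, 30), 600, "+14155550199"),
    CallRecord("carol", datetime(2021, 3, 1, 14, 0), 900, "+525555550123"),
    CallRecord("bob", datetime(2021, 3, 2, 2, 10), 2700, "+37160000001"),
    CallRecord("bob", datetime(2021, 3, 2, 2, 13), 2700, "+37160000002"),
    CallRecord("bob", datetime(2021, 3, 2, 2, 16), 2700, "+37160000003"),
]

if __name__ == "__main__":
    for alert in audit_cdrs(SAMPLE_CDRS, DEFAULT_POLICY):
        print(f"{alert.user:6} {alert.rule:12} {alert.detail}")
```

The destination rule is really a check that the allowlist is being enforced: if the provider's dial plan already blocks everything outside US/CA and MX, no such record should ever appear, so a single hit means either the policy drifted or the attacker changed it. The duration and burst rules catch abuse that stays inside the allowed countries, which is why the two controls belong together.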

DON'T: Forget About Patching

Patching and keeping current with updates is critical with any kind of software. Whether you're using a softphone, a VoIP mobile app, or any kind of hardware with firmware updates, Machado said this one's a no-brainer.

"Are you managing your own VoIP phones? If the vendor releases firmware, test and deploy it quickly—these often deal with patches of all types. Sometimes, security patches come from a vendor managing the phone on your behalf so, in that case, be sure to ask who controls patching and what the cycle is," said Machado.

Patching is also critical for the slew of home routers to which your network will likely be connecting in a distributed deployment. The best-case scenario is to control the make and model of these routers so IT can automate the patching process and verify that each device is in compliance. If that can't happen, however, the next step is constant user communication and scheduled phone help to assist home users in updating their routers themselves.

DO: Enable Strong Authentication

Strong two-factor authentication and investing in heavier identity management is another smart security practice. Beyond simply VoIP, Machado said authentication is always an important factor to have in place.

"Always turn on strong authentication. That's not any different if you're logging into your cloud PBX or your email or your CRM. Look for those features and use them," said Machado. "We're not just talking about phones on your desk; we're talking about web applications and all the different parts of the service. Understand how the pieces come together and secure each piece in turn."

About Rob Marvin

Source: https://sea.pcmag.com/news/13715/the-dos-and-donts-of-securing-your-voip-communications
