• Skip to main content
  • Skip to primary sidebar
  • Skip to footer

securitywing

Menu
  • About
  • Must Read
      • IIS Performance Boost
      • RFID Security
      • Web App Security Testing
      • How to Secure Home Network
      • Prevent Cross-Site Scripting Attacks
      • Renew Self-Signed Certificates
      • Penetration Testing Tools
      • VPN Concentrator
      • Forensic Investigation Tools
      • Digital Certificates
      • Cloud Security Issues
      • Advanced Evasion Prevention
      • Firewall Types
      • Tips to Prevent Data Exfiltration
      • Classified Info Handling
      • MySQL Security
      • Definition of 7 Types of Malware
      • VOIP Security
      • Why Antivirus Software Fails
      • 15 Network Security Vulnerabilities
      • Web App Security
      • IT Security Standards
      • Types of Virtualization
      • Android Security
      • Digital Signature
      • Advanced Malware Protection
    • Close
  • Consultancy
  • Contact

32 Proven VOIP Security Best Practices

by wing

VOIP saves money if you can deploy and manage it properly, but there are certain risks that you need to take into account. As you know that VOIP is ip based voice solution and IP network is always vulnerable and point of interest to the intruders.

  1. If you are using SIP make sure you are using SIPS, or SIP wrapped in a TLS tunnel for the protection of session layer. Therefore, to secure VoIP authentication process, use SIP with SSL/TLS instead of using the standard digest authentication.
  2. SIP ‘register’ and ‘invite’ request must be authenticated by the SIP user agent. If you find that your SIP user agent is not authenticating INVITE and REGISTER request, your VOIP security can be easily breached.
  3. If you are using H323, pay attention to the way session setup authentication is being used. To protect session layer, wrap H225 in a TLD tunnel. Avoid using standard H.323 authentication that use MD5 hash and password.
  4. H225 use time stamp for NTP server to authentication. The duration of this timestamp in NTP server should be less than 15 minutes.
  5. If you are using IAX instead or H323 or SIP make sure it is using TLS tunnel for session layer protection.
  6. Never allow concurrent VOIP session with the same username and password. A single username and password should be limited to only one successful authentication.
  7. Not matter if you are using SIP, H323 or IAX, make sure your session protocols needs authentication in order to unregister a user agent or endpoint device.
  8. When user agent use LDAP store for authentication, make sure LDAP is used with SSL to protection authentication information.
  9. Use media layer encryption in order to encrypt the voice communication. Media layer encryption provides adequate privacy to the voice communication.
  10. When you use SRTP you must use TLS to make sure key exchange traverse the network in encrypted form.
  11. To prevent TRP injection attack, the RTP entropy should be implemented in such a way that it becomes difficult for attacker to guess values. Make sure you implement full 64-bits of SSRC and timestamp are generated randomly instead of sequentially.
  12. Avoid using default aliases of E.164. Make sure E.164 is customized and unique.
  13. Set the gatekeeper’s registration reject policy to reject. Remember that by setting this policy to ‘reject’ you open up the possibility of denial of service attack. So, make sure you take necessary measures to mitigate the DoS attacks before changing the registration reject policy.
  14. Use only one specific E.164 alias with a given username and password.
  15. When two endpoints try to register with the same alias name, the endpoints should receive error messages such as secuityDenial or duplicateAlias.
  16. 1x supported devices should be used in the VOIP network.
  17. You should remember that VLAN cannot secure a VOIP network. To make sure that only authorized system can be plugged into your VoIP VLAN, you need to use 802.1x technology.
  18. You should enable ARP monitoring in your VoIP network in order to prevent ARP pollution/poisoning attacks.
  19. VoIP network and data network should be in their own subnets of VLAN.
  20. Use out-of-band VOIP device management method from an isolated and secure management network. If you use in-band device management method, your in-band management should be encrypted.
  21. Use VoIP access filter (IP filter or hostname filter) to make sure only authorized machine can manage VoIP devices.
  22. Use encryption protocols (SSH, SSL (HTTPS)) for VoIP administration and management.
  23. Use SNMPv3 instead of SNMPv1
  24. Make sure data and timestamp are correct. This will ensure the integrity of all log files.
  25. VoIP management software must log all critical events and log on activities. Logs should be stored and reviewed regularly.
  26. All VoIP hard phones should use unique PIN that should be at least four digits long.
  27. Use only https for transfer boot image files from the network to the hard phones.
  28. Enable server side controls by creating an explicit permission list that tells who can make outbound calls, international calls etc. this will help prevent abuse of phone system and also control toll fraud.
  29. Turn off auto discover option for all external gatekeepers.
  30. Devices should use non-self-signed SSLv3/TLSv1 with strong ciphers.
  31. When an incorrect, expired, or self-signed SSL certificate is used for communication, connection should be dropped immediately.
  32. Use a dedicated DNS and DHCP server your VOIP network. Do not use the same DNS and DHCP for the voice and data networks.

VOIP security lowers the risk sensitive information leak to a great extent. You should not forget that many business executives share important information on phones and we have a misconception that voice call is private. I hope you will find the above information help in securing your VoIP network. If you have any feedback or suggestion about VoIP security, you can use the comments box below to share your experience.

Related Posts:

  • Top 20 Windows Server Security Hardening Best Practices
  • 3 Simple Steps to Secure Gmail Account from Hackers
  • 20 Types of Database Security to Defend Against Data Breach
  • Tips for Network Security Breach Investigation
  • 20 Ways to Secure Home Network

Filed Under: IS Audit Tagged With: security, voip

Primary Sidebar

CISSP Sample Test

Take a CISSP Sample Test

CISA IT governance Sample test



Twitter Follow @securitywing

Categories

  • AWS
  • containers
  • Internet Security and Safety
  • IS Audit
  • IT Security Exams
  • Network Security Tips
  • Off Track
  • Telecom
  • Tutorial

Pages

  • About
  • Best IT Security Certification Exam
  • CISA IT governance Sample test
  • CISA Sample Test
  • CISSP Sample Test Online
  • Consultancy
  • Contact

Popular Posts

  • 3 Steps to Install Miniku...
  • How to install a new Goda...
  • 63 Web Application Securi...
  • How to Renew Self-Signed...
  • How to Setup AWS CloudFro...
  • Host Based IDS vs Network...
  • 8 Effective Ways to Impro...
  • Active vs Passive FTP Mod...
  • Top 10 RFID Security Conc...
  • 3 Simple Steps to Capture...

Footer

Copyrights

Protected by Copyscape Duplicate Content Detection Software

Securitywing.com reserves the copyrights of all of its published articles.No contents of this site is permitted to be published to anywhere else in the Internet.If any contents are found in any other websites, securitywing reserves the rights to file a DMCA complaint. But you have the right to use the link of any relevant article of this site to point from your website if you consider that it might improve the quality of your article.

Tags

antivirus audit AWS backup browser check cisco cloud computer cyber data database encryption firewall home hsrp ids informaiton internet intrusion it kubernetes linux load balancing malware network protection putty risk router security security tips server ssh SSL switch tools virus vpn vulnerability web webserver website windows wordpress

Copyright © 2010-2023 ·All Rights Reserved · SecurityWing.com