Simple best practices for VoIP

Vlada Toncar

The cost savings and flexibility benefits of voice-over-internet protocol (VoIP) have made the technology popular with enterprises and small businesses alike. However, as its prevalence has grown among business users, so has its popularity among hackers.

There are several high-profile examples of expensive VoIP security breaches, and a disturbing portion of them have been caused by rather elementary security flaws, like weak passwords, the failure to detect rogue calls or phone systems directly connected via public IP addresses outside of a firewall.

It is unrealistic to rely on employees to be responsible for VoIP security. They just want an easy and reliable way to make calls. Fortunately, IT managers and CSOs can do several things to shore up their phone system.

First, proper configuration of the firewall is especially important in an environment where the VoIP system is remotely accessible via the internet. I recommend that only IP phones and the VoIP telephony provider's servers be allowed to access the company's private branch exchange (PBX). Strict firewall configuration is preferable, though a company may have mobile clients who change their IP addresses often.

Second, administrators should require consistent enforcement of a strong password policy and set passwords themselves. There are VoIP products available that protect against password guessing by blocking an IP after a specified number of login attempts. This critical security feature limits the likelihood that unauthorized persons will gain access to a phone system and take control of it.

Password-protection techniques aren't foolproof, however. Another critical layer of defense is creating system usage “rules” and getting real-time alerts when they are violated. If an admin knows the business will never make an international call, then disable that capability. If that is not possible, limit the number of calls. Rules like these will tip an admin off to attacks and enable a quick reaction to minimize the damage.
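
The usage rules described above, as an added example that is not part of the original article: a check over call detail records that alerts on every international call when the capability is disabled, or on calls past a per-extension hourly limit when it cannot be disabled. The record layout, home prefix, window length and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

HOME_PREFIX = "+1"           # assumption: domestic numbers share this country code
WINDOW = timedelta(hours=1)  # assumption: sliding window used for the call limit

# Constructed sample records: (timestamp, extension, dialed number in E.164 form).
SAMPLE_CDRS = [
    ("2024-03-02 09:15:00", "201", "+12125550101"),
    ("2024-03-03 02:01:10", "305", "+442079460001"),
    ("2024-03-03 02:03:40", "305", "+442079460002"),
    ("2024-03-03 02:05:12", "305", "+442079460003"),
    ("2024-03-03 02:07:55", "305", "+442079460004"),
    ("2024-03-03 04:30:00", "305", "+442079460005"),
]

def is_international(number):
    """Simplified test: an E.164 number outside the home country code."""
    return number.startswith("+") and not number.startswith(HOME_PREFIX)

def check_calls(cdrs, allow_international=False, max_intl_per_window=3):
    """Return (timestamp, extension, number, reason) alerts for rule violations."""
    alerts = []
    recent = defaultdict(deque)  # extension -> times of recent international calls
    for ts_text, ext, number in sorted(cdrs):  # ISO timestamps sort chronologically
        if not is_international(number):
            continue
        if not allow_international:
            # Rule 1: the business never calls abroad, so any such call is an alert.
            alerts.append((ts_text, ext, number, "international calling disabled"))
            continue
        # Rule 2: international calls are allowed but capped per extension per window.
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        window = recent[ext]
        window.append(ts)
        while ts - window[0] > WINDOW:
            window.popleft()
        if len(window) > max_intl_per_window:
            alerts.append((ts_text, ext, number, "international call limit exceeded"))
    return alerts

if __name__ == "__main__":
    for alert in check_calls(SAMPLE_CDRS):
        print(alert)
```
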