Simple best practices for VoIP

Vlada Toncar

The cost savings and flexibility benefits of voice-over-internet protocol (VoIP) have made the technology popular with enterprises and small businesses alike. However, as its prevalence has grown among business users, so has its popularity among hackers.

There are several high-profile examples of expensive VoIP security breaches, and a disturbing portion of them have been caused by rather elementary security flaws, like weak passwords, the failure to detect rogue calls or phone systems directly connected via public IP addresses outside of a firewall.

It is unrealistic to rely on employees to be responsible for VoIP security. They just want an easy and reliable way to make calls. Fortunately, IT managers and CSOs can do several things to shore up their phone system.

Proper configuration of the firewall is especially important in an environment where the VoIP system is remotely accessible via the internet. I recommend that only IP phones and the VoIP telephony provider's servers be allowed to access the company's private branch exchange (PBX). A strict firewall configuration is preferable, but it may not be practical for a company whose mobile clients change their IP addresses often.

Second, administrators should require consistent enforcement of a strong password policy and set passwords themselves. There are VoIP products available that protect against password guessing by blocking an IP address after a specified number of login attempts. This critical security feature limits the likelihood that unauthorized persons will gain access to a phone system and take control of it.

Password-protection techniques aren't foolproof, however. Another critical layer of defense is creating system usage “rules” and getting real-time alerts when they are violated. If an admin knows the business will never make an international call, then disable that capability. If that is not possible, limit the number of calls. Rules like these will tip an admin off to attacks and enable a quick reaction to minimize the damage.
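
The usage rules described above, sketched as an added example (not from the original article or from any VoIP product): international calling is either disabled outright or capped per extension, and every violation produces an alert. The E.164 number format, the +1 home country code, the limit of two calls per hour and the call records are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

HOME_PREFIX = "+1"           # assumption: home country code, numbers in E.164 form
INTL_LIMIT = 2               # assumption: international calls allowed per window
WINDOW = timedelta(hours=1)  # assumption: sliding window, tracked per extension

# Constructed call records: (timestamp, extension, dialed number)
SAMPLE_CDRS = [
    ("2014-03-01T02:00:05", "101", "+12125550100"),
    ("2014-03-01T02:01:10", "102", "+442079460001"),
    ("2014-03-01T02:02:00", "102", "+442079460002"),
    ("2014-03-01T02:03:00", "102", "+442079460003"),
    ("2014-03-01T03:05:00", "102", "+442079460004"),
]

def is_international(number):
    """A dialed number is international if it leaves the home country code."""
    return number.startswith("+") and not number.startswith(HOME_PREFIX)

def check_calls(cdrs, intl_allowed=True, limit=INTL_LIMIT, window=WINDOW):
    """Apply the usage rules; return (allowed calls, alerts for the admin)."""
    recent = defaultdict(deque)  # extension -> times of allowed international calls
    allowed, alerts = [], []
    for ts, ext, number in sorted(cdrs):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if not is_international(number):
            allowed.append((ts, ext, number))
            continue
        if not intl_allowed:
            # Rule 1: the business never calls abroad, so any attempt is suspect.
            alerts.append((ts, ext, number, "international calling disabled"))
            continue
        calls = recent[ext]
        while calls and when - calls[0] >= window:
            calls.popleft()  # forget calls that have aged out of the window
        if len(calls) >= limit:
            # Rule 2: international calls are needed, but only a few per hour.
            alerts.append((ts, ext, number, "international call limit exceeded"))
            continue
        calls.append(when)
        allowed.append((ts, ext, number))
    return allowed, alerts

if __name__ == "__main__":
    for alert in check_calls(SAMPLE_CDRS)[1]:
        print("ALERT", *alert)
```
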