6 steps to sip trunking security

6 Steps to SIP trunking security How securing your network secures your phone lines.

Upload: flowroute

Post on 17-Aug-2015


Category:

Education



TRANSCRIPT

Page 1: 6 Steps to SIP trunking security

6 Steps to SIP trunking security

How securing your network secures your phone lines.


There are stories that SIP has set off a cyber crime wave of corporate espionage and telephone fraud. They say SIP opens up network vulnerabilities, and that SIP trunking lets anyone listen in on calls. It’s not true.

The truth about SIP security.

SIP trunking is growing in popularity faster than any other toll phone service. Experts project SIP trunking will be the sole PSTN connection in 42% of businesses by 2016*. Beyond cutting costs and adding features, decision makers are sold on SIP trunking’s ability to centralize PSTN access, failover instantly, and provision channels as needed to deal with spikes in call volume. They are comfortable implementing SIP because they know it doesn’t add vulnerabilities or put their organization at risk for fraud.

Security is only as good as the weakest link. In most cases, when it comes to information security, organizational networks are the weakest link. SIP trunking security is not only a question of securing SIP connections. To keep SIP credentials, and all sensitive information, out of the hands of fraudsters, the entire network must be secured.

*http://www.nojitter.com/post/240162594/sip-trunking-research-shows-rapid-growth-through-201

SIP trunking only transmits information you want to transmit.

SIP trunking is not an open door cut into firewalls; it’s a controlled 2-way gateway to the PSTN.

SIP trunking doesn’t make it easier to eavesdrop on call audio.

The myths about SIP trunking can be misleading.


Developments in business communications technology have created new usage patterns that require anywhere, anytime access to internal networks. Cloud-based SaaS, BYOD, and a remote and mobile workforce are all placing greater demands on network availability while poking holes in network security.

Insecure internal and cloud-based networks are the access point fraudsters use to seize control of communications accounts and sensitive corporate data. These six steps will reinforce network fortifications, and save accounting departments from using up the bonus budget to cover fraud liability.

Securing IP communications starts with network security.

1. Update all software

In addition to feature enhancements, software updates are released to patch security vulnerabilities. On a daily basis, people all over the world are working to find weaknesses in network-based software. When they find one, word spreads fast, and a targeted cyber crime wave ensues. Reputable software companies employ people to find vulnerabilities first, so they can update their product to keep customers safe.

It is important to update CRM, UC, PBX, or any other software that runs on or accesses organizational networks. The latest version will be the most secure from attacks. This applies to firmware too, so make sure router firmware is up to date.


2. Create complex passwords

Local network and voice device security is critical when blocking intruders from tapping your calls. Technology exists that can crack a 15-character password in a matter of minutes. It requires far more computing power than is realistically in the hands of attackers, but as Moore’s Law states, computers grow more powerful every day. As processors become more powerful, exhaustive brute-force attacks against high-level encryption will become more feasible.

An immediate threat is the ability to find dictionary words and common passwords that open account access. It is all too easy to build a crawler that will automatically attempt standard and default passwords (like 1234, etc.) in every password field it finds, until it gets one right.

Create policies that require complex passwords on all accounts, including desk phones and voicemail accounts, and require that passwords are changed regularly.

3. IP authentication

Authenticating account access based on IP address is an excellent way to deflect unwanted intruders. Lock down access by assigning a static IP address to each user, or user group, and establish a strict whitelist of approved addresses allowed network entry.

Alternatively (if mobile users need to log in from a dynamic IP address), build a blacklist of IP addresses known to exhibit threatening behavior (or see step 4). Lists can be found online, and/or third-party or custom-built tools can be employed to monitor log files and automatically block IP addresses that have failed a preset number of password attempts.

4. Only permit trusted SIP providers

A PBX is a potential entry point for security threats that needs to be locked down. Set firewalls to only permit trusted SIP connections by adding them to an IP whitelist so that intruders will be unable to connect to unauthorized accounts.
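The log monitoring described in step 3, combined with the whitelist from step 4, as an added example (not Flowroute's code): it counts failed logins per source address, never auto-blocks whitelisted ranges, and returns the addresses that reach the threshold. The log format, address ranges, threshold and time window are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy: trusted provider/office ranges, failure threshold, time window.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.10/32")]
MAX_FAILURES, WINDOW = 3, timedelta(minutes=5)

# Hypothetical log format invented for this example, one event per line.
LINE_RE = re.compile(r"^(?P<ts>\S+) REGISTER user=\S+ src=(?P<ip>\S+) result=(?P<res>OK|FAIL)$")
# Constructed sample log (documentation addresses), not from a real system.
SAMPLE_LOG = """\
2015-08-17T10:00:01 REGISTER user=1001 src=203.0.113.7 result=FAIL
2015-08-17T10:00:03 REGISTER user=1002 src=203.0.113.7 result=FAIL
2015-08-17T10:00:04 REGISTER user=2001 src=192.0.2.5 result=FAIL
2015-08-17T10:00:05 REGISTER user=2001 src=192.0.2.5 result=FAIL
2015-08-17T10:00:06 REGISTER user=2001 src=192.0.2.5 result=FAIL
2015-08-17T10:00:09 REGISTER user=1003 src=203.0.113.7 result=FAIL
2015-08-17T10:01:00 REGISTER user=3001 src=203.0.113.99 result=FAIL
2015-08-17T10:09:00 REGISTER user=3001 src=203.0.113.99 result=FAIL
2015-08-17T10:17:00 REGISTER user=3001 src=203.0.113.99 result=FAIL
"""

def addresses_to_block(log_text):
    """Return source IPs with MAX_FAILURES failures inside WINDOW (lines in time order)."""
    recent = defaultdict(deque)        # ip -> timestamps of recent failures
    blocked = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["res"] != "FAIL":
            continue                   # skip successes and unparseable lines
        try:
            ip = ipaddress.ip_address(m["ip"])
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue                   # malformed address or timestamp field
        if any(ip in net for net in ALLOWLIST):
            continue                   # trusted ranges are never auto-blocked
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:      # forget failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            blocked.add(str(ip))
    return sorted(blocked)

if __name__ == "__main__":
    print(addresses_to_block(SAMPLE_LOG))
```

The slow source (203.0.113.99) stays under the threshold because its failures fall outside the window, which is why the window length matters as much as the failure count.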


5. Understand your signaling and media

Research providers and how they handle call transmission, and decide which criteria are most important for you. If you want end-to-end encryption, SIPS plus SRTP is the most secure, especially when the call won’t touch the PSTN.

It’s good practice to secure the transmission path as much as you can when sending calls over the (always unencrypted) PSTN. By using a provider that sends signaling and media to the PSTN in two streams of disassociated information when making outbound calls, voice data can be obscured from identification. That way, if criminals intercept signaling at the provider level, all they’ll have is numbers and IDs, not the audio.

6. Establish secure connections

Business networks are being accessed from more and more locations as employees, and their work habits, become increasingly mobile. For fixed remote extensions such as home and satellite offices, you can gain control over the connection by setting up Virtual Private Networks rather than broadcasting connection credentials over the public Internet. If a dedicated connection is infeasible, use a non-standard SIP port (i.e. not 5060 or 5061) to disguise the transmission and access point.

When employees access your organization’s internal network from less established locations such as a public Wi-Fi connection (e.g., in a coffee shop), anyone watching the network can see and capture credentials sent via clear text. Because employees on the move demand nimble connections, establish secure connection protocols like SSL for all access to any point in your network from anywhere.
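A check for the SIPS plus SRTP pairing recommended in step 5, as an added example that is not from the original paper: it audits one INVITE for TLS signaling and an SRTP media profile, and flags the case where an SRTP key travels over clear-text signaling. The INVITEs are constructed and trimmed to the fields the check reads; host names, the branch value and the key are placeholders.

```python
def make_invite(scheme, transport, profile, crypto=True):
    """Build a constructed, trimmed INVITE; host names and key are placeholders."""
    sdp = ["v=0", "c=IN IP4 192.0.2.20", f"m=audio 49170 {profile} 0"]
    if crypto:
        sdp.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY")
    return "\r\n".join([
        f"INVITE {scheme}:bob@example.com SIP/2.0",
        f"Via: SIP/2.0/{transport} pbx.example.org;branch=z9hG4bKplaceholder",
        "Content-Type: application/sdp", "", *sdp]) + "\r\n"

def audit_invite(raw):
    """Return (signaling_ok, media_ok, findings) for one INVITE carrying SDP."""
    head, _, sdp = raw.partition("\r\n\r\n")
    start, *headers = head.split("\r\n")
    findings = []
    # Signaling: the request URI must be sips: and every Via listed must use TLS.
    parts = start.split(" ")
    uri = parts[1] if len(parts) == 3 else ""
    vias = [h.split(":", 1)[1].strip() for h in headers
            if ":" in h and h.split(":", 1)[0].strip().lower() in ("via", "v")]
    signaling_ok = (uri.lower().startswith("sips:") and bool(vias)
                    and all(v.upper().startswith("SIP/2.0/TLS") for v in vias))
    if not signaling_ok:
        findings.append("signaling not protected: need sips: URI and TLS in Via")
    # Media: every m= line must offer an SRTP profile such as RTP/SAVP.
    sdp_lines = sdp.splitlines()
    protos = [l.split()[2] for l in sdp_lines
              if l.startswith("m=") and len(l.split()) >= 3]
    media_ok = bool(protos) and all("SAVP" in p for p in protos)
    if not media_ok:
        findings.append("media not protected: no SRTP profile on every m= line")
    # An a=crypto line carries the SRTP key in the SDP itself, so sending it
    # over clear-text signaling hands the key to anyone who sees the INVITE.
    if media_ok and not signaling_ok and any(
            l.startswith("a=crypto:") for l in sdp_lines):
        findings.append("SRTP key in a=crypto exposed by unprotected signaling")
    return signaling_ok, media_ok, findings

if __name__ == "__main__":
    for args in (("sips", "TLS", "RTP/SAVP"), ("sip", "UDP", "RTP/SAVP"),
                 ("sip", "UDP", "RTP/AVP", False)):
        print(args, audit_invite(make_invite(*args)))
```

The middle case shows why the two belong together: SRTP negotiated through a plain `sip:` INVITE encrypts the audio with a key that was itself sent in the clear.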


The average cost of a toll fraud attack on a VoIP phone system in 2014 was roughly $36,000*. More often than not, the horror stories told about VoIP vulnerabilities stem from improperly secured networks. There are so many pros that it’s hard to find an argument against connecting telecommunications through a strong SIP provider. Securing your network against intruders secures every component of your network, including Internet phone lines.

For more information on telephone security and other industry insights and updates, subscribe at blog.flowroute.com.

SIP trunking is as safe as you make it.

*http://it.toolbox.com/blogs/voip-news/voip-security-what-could-possibly-go-wrong-61802

As the world’s first pure SIP carrier, Flowroute delivers advanced SIP trunking that answers the needs of communications developers, SaaS service providers, and high-tech enterprises. Flowroute’s unique technology and network services provide communications experts unparalleled performance, transparency and control of the voice communications that power their businesses.

For more information about why we’re the experts’ SIP trunking choice:

www.flowroute.com

blog.flowroute.com

1-855-FLOW-ROUTE (356-9768)


© Copyright 2015 Flowroute Inc. All rights reserved. FLOWROUTE and the swirl design logo are trademarks of Flowroute Inc.