7 Tips for Effective UC Security

Contributing Author

Unified Communications (UC) presents unique security challenges because it brings together disparate technologies. Using VoIP, video, chat, and presence/status together has proven to provide productivity gains for businesses while, at the same time, presenting security risks. In particular, securing VoIP networks is not the same as securing data networks. Most data traffic is transported over Transmission Control Protocol (TCP), and, as such, the security built into networking devices such as routers and firewalls is designed around TCP data-centric transport. VoIP is User Datagram Protocol (UDP) based and time sensitive. Dropping a few packets while downloading a website is, for the most part, benign. The packets can simply be retransmitted. Voice and video streams are more fragile. Dropping too many UDP packets in a voice stream can cause call quality issues. As such, securing your unified communications requires a balanced approach. You must mitigate threats while also maintaining quality of service.
Likewise, managing security for an SMB offers unique challenges when compared to the larger, enterprise space. While large businesses can often dedicate substantial resources toward securing their communications, those in the SMB space need security solutions that are both effective and simple. This actually works in favor of the SMBs since security and simplicity can work together. For example, installing an expensive and complex solution to secure your network can work against you. Improperly configured equipment can affect your call quality and potentially stop your VoIP equipment from functioning properly. Remember, accessibility is a key component to a secure network.

The following best practices can help keep your UC secure.

1. Deploy a Properly Configured Firewall
2. Use VPN for Remote Users
3. Use Strong Passwords
4. Update Regularly
5. Turn Off Unused Services
6. Monitor Your Call Logs
7. Use built-in UC security tools

Deploy a Properly Configured Firewall

Due to the variety of firewall models and topologies available, giving specific advice is difficult. So, here are some practical tips for almost any configuration.
For starters, always treat security as a high priority. This means being technically familiar with your equipment and its configuration. It is a responsibility you should take with the utmost seriousness. When shopping for firewalls, favor those that offer simple configuration and are designed for your application.
A good general rule of thumb is to block all unknown traffic into your network and then only allow traffic from trusted sources. This strategy doesn’t usually work well for your web server, but your UC server should absolutely be sequestered behind your firewall. In most cases, you should only allow internet traffic from your ITSP (Internet Telephony Service Provider) or VoIP provider. This is the company that supplies your SIP trunk or hosted VoIP services. Allow access only on the ports necessary and only to the IP or block of IPs that your provider uses.
Some complex firewalls tout features such as SIP ALG (Application Level Gateway). Although SIP ALG is advertised as a security feature for VoIP, it tends to not work as advertised. Instead, ALGs have a tendency to mangle SIP packets or modify headers in a way that breaks functionality. A general best practice is to do extensive interoperability testing prior to deployment or simply disable SIP ALG in your firewall and/or router.
Although some UC servers, like Switchvox, have built-in attack mitigation mechanisms, these should not be solely relied upon. Your firewall is designed to sort traffic; your UC server is not. Using each device for its intended purpose will keep your network the most secure.

Enable a VPN for Remote Users

VPN stands for Virtual Private Network. Many SMB networking devices, such as routers and firewalls, come with built-in VPN capability. Quality VPN devices are now available at affordable prices. For your remote users, and while connecting remote offices, the simplest option is to deploy a VPN device at both ends. The connected devices form an encrypted “tunnel” over the public internet. This “virtual” network keeps all of your traffic safe.
VPNs have many benefits:
1. In addition to VoIP, the remote user can access other local network resources such as network shares and intranet web applications.
2. The traffic is encrypted to maintain privacy.
3. NAT issues are eliminated or diminished.
4. There are only a few ports to open in the firewall to allow the VPN traffic. They can be opened to all networks because the VPN requires authentication before establishing a connection.

Use Strong Passwords

Using strong (system) passwords is an extremely effective, yet often overlooked measure that can be used to optimize UC security. Strong passwords should be used for every password required in your UC solution. Business VoIP phones should especially be protected by unique strong SIP passwords. Keep in mind that if you re-use passwords or use weak passwords then it becomes extremely easy for an attacker to get access to SIP credentials. Once authenticated with a SIP account, an attacker can make calls as though they were using that phone, including toll calls that could result in very high fees.
Another area of concern is user passwords. If your UC solution requires user login, then you will want to ensure that you require strong passwords for your users. Switchvox mitigates both of these threats by default: strong, unique SIP passwords are automatically generated and used for IP phones attached to Switchvox.

Update Regularly

A standard UC security best practice that is almost universal to all technologies is to keep software up to date. As well as obtaining bug fixes, keeping your software updated helps improve security. As potential exploits are found, security patches are then released as software updates. The most recent version is typically the most secure.
Whenever you update your UC server, you will want to follow the best practices for updating. Be aware of what has changed and how the update could impact your system; backing up the system first and performing the update during a scheduled maintenance window also helps to ensure your users will have access to your system when they need it.

Turn Off Unused Services

Another standard hardening practice is to turn off any unused services. A good rule of thumb is that if you aren’t using a feature, you should shut it down. This lessens the potential attack surface. For example, if you are using voice, video and email communications but aren’t using chat, then it is best to turn off the chat functionality in the UC server. Not only does this improve security, but it also improves performance: you will have less protocol traffic on the network, and your server will be less taxed because it is doing less work.

Monitor Your Call Logs

Often attacks go unnoticed until a great amount of damage is done. By regularly reviewing system logs, you can mitigate damage to your system by catching the attack and taking action early. In particular, running regular call log reports on toll calls made by your system can help create a baseline for normal activity. You’ll then be able to notice when activity exceeds this baseline. This can signal that the system has been compromised. By looking at the call logs you can investigate further.
Sometimes you may be able to enlist the help of your upstream provider. They may be able to notify you after a predetermined limit on toll-based calls is exceeded. Unfortunately, many providers do not offer such features. Instead, it is your responsibility to monitor your logs and ensure that you are only sending the long distance calls that are intended.
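The baseline review described above can be scripted. The following is an added example, not code from the article or from any UC product: the record layout, the toll prefixes, the thresholds and all sample calls are constructed assumptions. It builds a daily toll-minute baseline from past records and reports which extensions drove any day that exceeds it.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Assumed toll prefixes (international, premium rate); adjust to your dial plan.
TOLL_PREFIXES = ("011", "1900")

# Constructed call records: (day, extension, dialed number, minutes).
HISTORY = [
    (date(2024, 3, 4), "101", "011440000000", 12.0),
    (date(2024, 3, 4), "102", "5550100", 30.0),      # local call, not toll
    (date(2024, 3, 5), "101", "011440000000", 8.0),
    (date(2024, 3, 6), "103", "011330000000", 10.0),
    (date(2024, 3, 7), "101", "011440000000", 9.0),
    (date(2024, 3, 8), "103", "011330000000", 11.0),
]
CURRENT = [
    (date(2024, 3, 11), "101", "011440000000", 14.0),
    (date(2024, 3, 12), "104", "011000000000", 180.0),
    (date(2024, 3, 12), "104", "011000000001", 60.0),
    (date(2024, 3, 12), "102", "5550100", 5.0),
]

def toll_minutes(records, key):
    """Sum toll minutes per key; key 0 groups by day, key 1 by extension."""
    totals = defaultdict(float)
    for rec in records:
        is_toll = rec[2].startswith(TOLL_PREFIXES)
        totals[rec[key]] += rec[3] if is_toll else 0.0  # quiet days count as 0
    return dict(totals)

def baseline_threshold(history, sigmas=3.0, floor=10.0):
    """Mean daily toll minutes plus the larger of sigmas*stddev or a fixed floor."""
    daily = list(toll_minutes(history, 0).values())
    return mean(daily) + max(sigmas * pstdev(daily), floor)

def review(history, current):
    """Return {day: {extension: toll minutes}} for days above the baseline."""
    limit = baseline_threshold(history)
    report = {}
    for day, minutes in sorted(toll_minutes(current, 0).items()):
        if minutes > limit:
            same_day = [r for r in current if r[0] == day]
            by_ext = toll_minutes(same_day, 1)
            report[day] = {e: m for e, m in by_ext.items() if m > 0}
    return report

if __name__ == "__main__":
    print(baseline_threshold(HISTORY), review(HISTORY, CURRENT))
```

The fixed floor keeps a very steady history from producing a threshold so tight that one ordinary long call trips it.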

Use built-in UC security tools

The best way to secure your UC devices is to use dedicated security equipment, like VPNs and firewall routers. However, taking advantage of built-in security tools can add an extra level of protection. Switchvox, for example, comes with security tools such as access control rules, automatic IP blocking, and managed tech support access. The blocked IPs tool will block IP addresses that fail multiple registration attempts. In theory, a properly configured firewall should prevent SIP scanners from being able to reach your UC server; however, this additional level of security adds peace of mind and works as a functional back-up to round out your security suite.
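To show how blocking on repeated failed registrations behaves, here is an added sketch of the general technique. It is not Switchvox's implementation: the event layout, the threshold, the window and the trusted list are assumptions, and the addresses are constructed from documentation ranges. It counts failures per source in a sliding window, resets on a successful registration, and skips trusted sources.

```python
from collections import defaultdict, deque

# Assumed policy values for this example, not any product's defaults.
MAX_FAILURES = 5        # failed registrations tolerated per source
WINDOW_SECONDS = 60     # ...within this many seconds

# Constructed events: (unix time, source IP, registration succeeded).
# Addresses come from the documentation ranges in RFC 5737.
EVENTS = [
    # Rapid guessing from one source: five failures in 20 seconds.
    *[(1000 + 5 * i, "203.0.113.9", False) for i in range(5)],
    # A phone with a mistyped password that is then corrected.
    (1000, "198.51.100.20", False), (1010, "198.51.100.20", False),
    (1020, "198.51.100.20", True),
    *[(1030 + i, "198.51.100.20", False) for i in range(3)],
    # Slow failures spread over minutes never fill the window.
    *[(1000 + 100 * i, "198.51.100.77", False) for i in range(6)],
    # The office's own address fails often but is on the trusted list.
    *[(1000 + i, "192.0.2.1", False) for i in range(10)],
]

def blocked_sources(events, trusted=(), max_failures=MAX_FAILURES,
                    window=WINDOW_SECONDS):
    """Return {ip: time blocked} for sources exceeding the failure policy."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    for ts, ip, ok in sorted(events):
        if ip in trusted or ip in blocked:
            continue
        if ok:
            recent[ip].clear()    # a successful registration resets the count
            continue
        failures = recent[ip]
        failures.append(ts)
        while ts - failures[0] > window:
            failures.popleft()    # drop failures older than the window
        if len(failures) >= max_failures:
            blocked[ip] = ts
    return blocked

if __name__ == "__main__":
    print(blocked_sources(EVENTS, trusted={"192.0.2.1"}))
```

Without the reset on success, the phone at 198.51.100.20 would reach five failures inside the window and be locked out, which is the availability cost to weigh when tuning the threshold.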
