VoIP security best practices
Fraudulent activity across VoIP networks is increasing, and will continue to be a major problem for service providers in the coming years. However, with proper planning and maintenance, as well as the proper monitoring tools, this threat can be successfully managed.
Introduction to VoIP security
VoIP (Voice over IP) services have been widely adopted by businesses of all sizes. As with any popular technology, VoIP is getting attention from people with the wrong intentions. As VoIP becomes a more and more common enterprise solution, it becomes more lucrative for people to exploit.
As VoIP has become more accessible and popular, security threats have become a serious problem for service providers. A single fraud event can easily cost a company between three and fifty thousand dollars. In many cases, this number can be even larger. Most experts agree that total loss from VoIP fraud is somewhere between 3 and 10 percent of income. This translates to total global losses of somewhere between 30 and 50 billion dollars per year.
This is a problem that is only increasing. According to a report from the CFCA, phone fraud is growing at a rate of 29% per year. As the popularity of VoIP continues to grow, the problem of VoIP fraud will become an increasing threat to the industry.
Meet our expert: Momentum Telecom
At TransNexus, we want to help our customers prepare their best defense against VoIP security threats. For help, we turned to an expert in enterprise communications security, Anthony Orlando, VP of Operations and Engineering at Momentum Telecom. Anthony is responsible for Momentum’s core telecommunications network, research and development, and the Network Operating Center (NOC). Anthony is widely recognized as a VoIP pioneer. In his own words, he has lived, breathed and slept Voice over IP for more than 12 years as one of the original technical experts in the field.
Momentum Telecom uses BroadSoft’s BroadWorks application server, the most widely deployed application server for SIP services. The security best practices described in this paper are based on a BroadWorks operation, but may apply equally well to any VoIP network. The BroadWorks communications application server enables service providers to offer a comprehensive portfolio of business and consumer communications applications and value-added applications from a common network platform. BroadWorks delivers communication solutions that integrate video, fax, voice and email communications for businesses and consumers worldwide, whether through IP PBX/Centrex, Mobile PBX, Business Line, Trunking or consumer solutions.
VoIP is based on IP transport, so it is vulnerable to all threats related to IP. However, there are certain threats specific to VoIP networks that we should be aware of. Here is a brief overview. For more information on these threats, view the Introduction to VoIP Fraud white paper.
By taking advantage of VoIP vulnerabilities, fraudsters can send calls pretending to be someone else and can route long distance, international and premium rate calls. This can cause major financial loss in a very short time. Fraud is a common problem across all industries, but it has become a major issue for VoIP users and providers.
Fraudsters who can exploit the vulnerabilities of the IP Private Branch Exchange (PBX) are able to generate a significant amount of traffic. PBX hacking is the common technique used to perpetrate Domestic and International Revenue Share Fraud and Call Transfer Fraud, as well as a number of other schemes.
Phishing is very common in the email world. Phishers use social engineering to get consumers’ identities or account credentials. In the VoIP world, where phishers can spoof calling party identity, these attempts become more effective. Also, the nature of VoIP makes it more difficult to track and catch such callers.
Eavesdropping is a common way for someone to steal credentials, identities and proprietary information. By eavesdropping on VoIP calls, hackers can steal phone numbers and account PINs, allowing them to get control of users’ accounts.
Fortunately, with proper planning and foresight, network managers can integrate VoIP capabilities into an enterprise network without compromising security, performance, or manageability. Not only can enterprises take concrete measures to secure enterprise applications from VoIP network operations – and vice-versa – they can do so while supporting high-quality voice communications.
Enforce SIP Authentication
The first step in securing your VoIP network is to enforce SIP Authentication for all VoIP endpoint devices. Authentication should occur at registration, call initiation, and service subscription. For secure password verification, use the HTTP digest method. SIP Authentication should require a device to have the following three pieces of information in order to validate a request:
- Valid SIP URI
- Authentication Username
- 20-character pseudo-random password
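An added example, not code from BroadWorks or TransNexus: how a registrar can check the three items above with digest authentication (MD5 digest per RFC 2617, as SIP uses it), so the password itself never crosses the network. The account table, the request dictionary and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Compute the digest 'response' value for one SIP request."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def new_sip_password(length=20):
    """Generate a 20-character random password for device provisioning."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def verify_request(accounts, req, issued_nonces):
    """accounts maps SIP URI -> (authentication username, password).

    A request passes only if the SIP URI is known, the authentication
    username matches that URI, the nonce is one this server issued, and
    the response proves knowledge of the password.
    """
    account = accounts.get(req["from_uri"])
    if account is None or account[0] != req["username"]:
        return False
    if req["nonce"] not in issued_nonces:
        return False
    expected = digest_response(
        req["username"], req["realm"], account[1], req["method"],
        req["uri"], req["nonce"], req.get("qop"), req.get("nc"),
        req.get("cnonce"))
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), req["response"].encode())
```

The same check applies to REGISTER, INVITE and SUBSCRIBE requests, which correspond to the registration, call initiation and service subscription points named above.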
Properly provisioning each of your SIP devices is a vital initial step in protecting your network. To securely provision your VoIP devices, complete the following checklist.
- Eliminate insecure file transfer protocols (TFTP, FTP)
- Minimize the impact of necessary TFTP access by limiting network access to trusted parties
- Disable administrative interfaces on all endpoints
- Change passwords on all endpoint devices
- Change default password of the day seeds for eMTAs (embedded Multimedia Terminal Adapters)
- Disable SSH and HTTP interfaces on eMTAs
- Finally, implement an access list to prevent unauthorized SIP requests to the eMTA. This should prevent a denial of service attack on the eMTA.
It seems simple, but ensuring that your network passwords are strong can be one of the best ways to avoid security threats. We recommend increasing your network's password strength requirements, as well as improving your default password strength. For maximum protection, voice portal passwords should not be sequential or repeated numbers, or your own extension. To limit the impact of any compromised passwords, we recommend disabling voice portal dialing.
Perform a regular security audit
Consider performing a regular security audit on your network to ensure that it is properly configured:
- Check for weak passwords across the network. Pay special attention to the voice portal passwords, web and application access passwords, and SIP authentication passwords.
- Check for international forwarding.
- Check for accounts without authentication
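An added example, not part of the original paper: a small audit script that applies the voice portal password rules given earlier together with the three checks in this list. The account export and its field names are constructed for illustration and are not a BroadWorks schema; treating any number outside +1 as international is an assumption.

```python
# Constructed sample export; field names are hypothetical.
ACCOUNTS = [
    {"user": "alice", "extension": "2001", "portal_pin": "2001",
     "sip_password": "k3Vq9ZrT1xLm8PbW2sYd", "forward_to": None},
    {"user": "bob", "extension": "2002", "portal_pin": "4321",
     "sip_password": "Hn7cQ2wE5rT9yU1iO4pA", "forward_to": "+442079460123"},
    {"user": "carol", "extension": "2003", "portal_pin": "7777",
     "sip_password": None, "forward_to": "+14045550100"},
    {"user": "dave", "extension": "2004", "portal_pin": "839205",
     "sip_password": "2004", "forward_to": None},
]


def weak_pin_reason(pin, extension):
    """Return why a numeric voice portal PIN is weak, or None if it passes."""
    if pin == extension:
        return "same as extension"
    if len(set(pin)) == 1:
        return "repeated digit"
    # Step between neighbouring digits, modulo 10 so 7890 and 2109 count.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps == {1} or steps == {9}:
        return "sequential digits"
    return None


def is_international(number):
    # Assumption: a North American provider, so anything outside +1 is flagged.
    n = number.replace("-", "").replace(" ", "")
    return n.startswith("011") or (n.startswith("+") and not n.startswith("+1"))


def audit(accounts):
    findings = []
    for a in accounts:
        reason = weak_pin_reason(a["portal_pin"], a["extension"])
        if reason:
            findings.append((a["user"], f"voice portal PIN: {reason}"))
        if not a["sip_password"]:
            findings.append((a["user"], "no SIP authentication"))
        elif len(a["sip_password"]) < 20:
            findings.append((a["user"], "SIP password shorter than 20 characters"))
        if a["forward_to"] and is_international(a["forward_to"]):
            findings.append((a["user"], "international forwarding"))
    return findings
```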
Use telecom fraud prevention software
Taking steps to ensure your network is securely configured is not a 100% guarantee against VoIP security threats. You should be proactive in managing fraud threats by integrating a fraud detection tool to analyze your ongoing call traffic.
The best tools will analyze your Call Detail Records (CDRs) in near real time (processing CDRs at least every 5 minutes). In addition, the tool should allow you to customize fraud detection thresholds such as international dialing for users and groups based on legitimate calling patterns.
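An added example, not TransNexus code: counting international calls per group in 5-minute windows and comparing each count with a per-group threshold, as the paragraph above describes. The CDR layout, the group names, the limits and the +1 home prefix are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

HOME_PREFIX = "+1"  # assumption: domestic numbers start with +1
THRESHOLDS = {"sales": 5, "warehouse": 0}  # assumed limits per window
DEFAULT_THRESHOLD = 2

# Constructed CDR sample: start time, group, user, source IP, called number.
SAMPLE_CDRS = """\
2024-03-02T02:00:10,warehouse,w-101,198.51.100.7,+442079460101
2024-03-02T02:01:05,sales,s-201,198.51.100.20,+442079460102
2024-03-02T02:01:40,sales,s-201,198.51.100.20,+14045550111
2024-03-02T02:02:15,support,u-301,203.0.113.9,+442079460103
2024-03-02T02:03:02,support,u-301,203.0.113.9,+442079460104
2024-03-02T02:04:59,support,u-301,203.0.113.9,+442079460105
2024-03-02T02:05:00,support,u-302,198.51.100.31,+442079460106
"""


def window_start(ts):
    """Round a timestamp down to the start of its 5-minute window."""
    return ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0)


def find_alerts(cdr_text):
    buckets = defaultdict(list)  # (window, group) -> [(user, source IP)]
    for start, group, user, src_ip, called in csv.reader(io.StringIO(cdr_text)):
        if called.startswith(HOME_PREFIX):
            continue  # domestic call, not counted against the limit
        window = window_start(datetime.fromisoformat(start))
        buckets[(window, group)].append((user, src_ip))
    alerts = []
    for (window, group), calls in sorted(buckets.items()):
        limit = THRESHOLDS.get(group, DEFAULT_THRESHOLD)
        if len(calls) > limit:
            alerts.append({
                "window": window.isoformat(), "group": group,
                "international_calls": len(calls), "limit": limit,
                "users": sorted({u for u, _ in calls}),
                "source_ips": sorted({ip for _, ip in calls}),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_CDRS):
        print(alert)
```

Setting a group's limit from its legitimate calling pattern is what keeps the sales group quiet here while a single overnight call from the warehouse group raises an alert.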
TransNexus has developed a number of solutions to detect and prevent fraud in VoIP networks. The most popular is SDReporter. SDReporter monitors VoIP networks for unusual spikes in call traffic to a specific destination. When a suspicious spike occurs, it sends automated Email and SNMP alerts. TransNexus solutions analyze CDRs or RADIUS records, and can identify fraud by IP address, or by group or user id. TransNexus has partnered with top industry leaders like Acme Packet and BroadSoft to ensure that the solutions operate smoothly with any network.