SIP Trunk Security with Firewalls

A SIP trunk is usually a peer-to-peer connection whose primary use is delivering PSTN connectivity over VoIP. SIP Trunking is delivered in a couple of different ways:

Internet Telephony Service Providers (ITSP)

  • Deliver SIP Trunking over the Internet

Managed Service Providers (MSP)

  • Deliver SIP Trunking over the carrier's dedicated WAN connections

Securing a SIP trunk involves deploying a firewall in combination with an IP‑PBX, using both to define the peer-to-peer relationship at the network and VoIP application layers, and ensuring that signaling and media are secure as well.

Security Best Practices

In the example above, the IP‑PBX resides behind a typical network firewall. The firewall is the border element between Internet or Untrusted Network Zones and Local Area Networks or Trusted Zones. The firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.

If you enjoyed this blog, and would like to learn more about Security Best Practices for VoIP, download our whitepaper here: sangoma.com/voip-security-best-practices/

Why Security is Important with VoIP

Security is one of the most frequently discussed topics, and the importance of securing VoIP is hard to overstate. Over the course of the next six weeks, we’ll discuss VoIP Security specific to SIP Trunking and Remote Phone applications. Given the growth of VoIP, it’s important to understand some of the common threats.

Every device and service is in part responsible for providing a secure VoIP solution, but there are a few different ways to deploy a secure VoIP solution.

Traditional telephony, delivered over analog or digital lines, involves transmission over some physical medium. Security attacks on traditional telephony, such as eavesdropping, require physical presence and access to the physical lines.

Toll Fraud over traditional telephony took several forms. One common attack was to hairpin telecom traffic: inbound calls into a voice network were sent back out to an alternate destination. Now that Voice Networking has merged with Computer Networking, there’s an “End of Geography”. Physical presence is no longer required to gain access to a voice system. Computer Networking is an OPEN network system, as any IP Address can connect with any other IP Address.

The Internet Protocol (IPv4, RFC 791, and IPv6, RFC 8200) and IP Addresses are fundamental to both the public and private networks used in everyday voice and data communications. As a result, computer networking attacks have far more access and tools available for malicious activity against VoIP infrastructures.

The hacker’s objective is to search through the range of IPv4 and IPv6 IP Addresses looking for VoIP Services to target with other forms of attack. Once a VoIP Service is discovered, other types of attacks can follow. It’s best to understand the tools and methods used to discover VoIP Services, detect those methods, and not acknowledge the VoIP Service back to the hacker. If the hacker does not know there’s a VoIP service, they’re most likely going to overlook it and move on.
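One way to express the "detect but do not acknowledge" approach described above, as an added example that is not from the original post or any Sangoma product: a border filter forwards SIP only from the trunk provider's addresses, silently drops everything else, and reports sources that keep probing. The peer networks, threshold, function names and sample packets are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: only the trunk provider's signaling hosts may send SIP to the PBX.
# These are documentation ranges standing in for a real provider's addresses.
TRUSTED_PEERS = [ipaddress.ip_network(n) for n in ("198.51.100.0/28", "2001:db8:51::/64")]
SIP_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER",
               "SUBSCRIBE", "NOTIFY", "REFER", "MESSAGE", "INFO", "UPDATE"}
PROBE_THRESHOLD = 3  # constructed value: SIP probes per source before reporting

def sip_method(datagram: bytes):
    """Return the method if the payload starts with a SIP request line, else None."""
    first = datagram.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    if len(first) == 3 and first[2] == "SIP/2.0" and first[0] in SIP_METHODS:
        return first[0]
    return None

def is_trusted(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_PEERS)

def filter_border(packets):
    """Return (per-packet decisions, sources to report as suspected scanners)."""
    probes, decisions = Counter(), []
    for src, datagram in packets:
        if is_trusted(src):
            decisions.append((src, "forward"))
            continue
        # Untrusted source: drop with no reply of any kind, so the sender
        # gets no confirmation that a SIP service is listening.
        decisions.append((src, "drop"))
        if sip_method(datagram):
            probes[src] += 1
    return decisions, sorted(s for s, n in probes.items() if n >= PROBE_THRESHOLD)

def make_request(method: str, target: str) -> bytes:
    """Build a minimal constructed SIP request for the sample traffic."""
    return f"{method} sip:{target} SIP/2.0\r\nVia: SIP/2.0/UDP 0.0.0.0\r\n\r\n".encode()

SAMPLE = [  # constructed traffic: (source address, UDP payload)
    ("198.51.100.5", make_request("INVITE", "15551230000@pbx.example.test")),
    ("203.0.113.77", make_request("OPTIONS", "100@192.0.2.10")),
    ("203.0.113.77", make_request("REGISTER", "192.0.2.10")),
    ("203.0.113.77", make_request("INVITE", "101@192.0.2.10")),
    ("203.0.113.9", b"\x00\x01junk"),
    ("2001:db8:51::10", make_request("OPTIONS", "pbx.example.test")),
]
```

In a deployment the drop itself belongs in the firewall's packet filter in front of the IP‑PBX; the function here only models the decision and the scanner report.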