Remote IP Phone Security with SBCs

A remote phone deployment is completely different from SIP trunking. Remote phones are dynamic in location and require significantly more calling features. Remote phones cannot be considered peers, since phones register for services and change IP addresses often across multiple devices and locations.

Remote phones require automatic provisioning with file servers and possibly require web access and REST API access to the IP‑PBX. The interconnectivity between a remote phone and the IP‑PBX is complicated, with many communication requirements.

Securing this deployment involves placing a Session Border Controller (SBC) that defines the relationship between the remote phone and the IP‑PBX across the various networks, covering VoIP application layers, file provisioning and other services, while ensuring signaling and media are secure. This method highlights the strength of the SBC in protecting the IP‑PBX while providing solutions for remote phones located behind other firewalls.

In this example, the IP‑PBX resides behind an SBC. The SBC is the border element between the Internet (or untrusted network zones) and Local Area Networks (or trusted zones). The SBC is a network security device as well as a VoIP security device: it monitors incoming and outgoing network and voice traffic and decides whether to allow or block specific traffic based on a defined set of network and voice security rules.

If you enjoyed this blog, and would like to learn more about Security Best Practices for VoIP, download our whitepaper here: sangoma.com/voip-security-best-practices/

Remote IP Phone Security with Firewalls

A remote phone deployment for branch offices or work-at-home employees is completely different from SIP trunking. Remote phones are dynamic in location and require significantly more calling features. Remote phones cannot be considered peers, as phones register for services and change IP addresses often, across multiple devices and locations.

Remote phones require automatic provisioning with file servers and possibly require web access and REST API access to the IP‑PBX. The interconnectivity between remote phones and an IP‑PBX is complicated, with many communication requirements.

Securing this deployment involves placing a firewall that defines the relationship between the remote phone and the IP‑PBX across the various networks, covering VoIP application layers, file provisioning, and other services, while ensuring signaling and media are secure. Meanwhile, remote phones are most often located behind other firewalls, which presents additional communication issues.


In this example, the IP‑PBX resides behind a typical network firewall. The firewall is the border element between the Internet (or untrusted network zones) and Local Area Networks (or trusted zones). The remote phone is located on a remote network across the Internet. The firewall monitors network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.


Firewall Features & Setup

The firewall controls the traffic by redirecting SIP signaling and audio media streams to the defined destinations. In this solution, the firewall controls communications so that SIP VoIP traffic from remote phones is directed to the IP‑PBX.


SIP Trunk Security with Session Border Controllers

As discussed in my previous blog, SIP trunking is often a peer-to-peer connection for the primary use of delivering PSTN connectivity over VoIP, and is delivered over a couple of different methods using ITSPs and Managed Service Providers.

In this blog, I’ll be addressing a Session Border Controller (SBC) element that is used to define the peer-to-peer relationship at various networks and VoIP application layers, while also ensuring signaling and media are secure.


IP-PBX with SBC

In this example, the IP-PBX resides behind an SBC. The SBC is the border element between the Internet (or untrusted network zones) and Local Area Networks (or trusted zones). The SBC is a network security device as well as a VoIP security device: it monitors incoming and outgoing network and voice traffic and decides whether to allow or block specific traffic based on a defined set of network and voice security rules.


SBC Features & Setup

The SBC controls the voice traffic by processing SIP signaling and audio media streams and passing them to the defined destinations. SBCs typically use B2BUA technology for processing SIP traffic. In this solution, the SBC intelligently controls communications so that SIP trunk traffic from carriers is directed to the IP‑PBX.

The SBC adds many VoIP security features to the SIP trunk call flow. One of the SBC's primary functions is to provide VoIP security, analyzing traffic for malicious activity so that mission-critical VoIP applications are protected from direct attacks. There are several different security features on the SBC to ensure complete coverage.


SIP Trunk Security with Firewalls

SIP Trunking is often a peer-to-peer connection for the primary use of delivering PSTN connectivity over VoIP. SIP Trunking is delivered over a couple of different methods:

Internet Telephony Service Providers (ITSP)

  • Deliver SIP Trunking over the Internet

Managed Service Providers (MSP)

  • Deliver SIP Trunking over the carrier's dedicated WAN connections

Securing this deployment involves providing a firewall in combination with an IP‑PBX to define the peer-to-peer relationship at various networks and VoIP application layers, while also ensuring signaling and media are secure.


In this example, the IP‑PBX resides behind a typical network firewall. The firewall is the border element between the Internet (or untrusted network zones) and Local Area Networks (or trusted zones). The firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.


Why Security is Important with VoIP

Security is one of the most frequently discussed topics, yet the importance of securing VoIP is hard to overstate. Over the course of the next six weeks, we’ll discuss VoIP Security specific to SIP Trunking and Remote Phone applications. Due to the growth of VoIP, it’s important to understand some of the common threats.

Every device and service is in part responsible for providing a secure VoIP solution, but there are a few different ways to deploy a secure VoIP solution.

Traditional telephony, delivered via analog or digital lines, involves transmission over some physical medium. Attacks on traditional telephony, such as eavesdropping, require physical presence with access to the physical lines.


Toll fraud over traditional telephony has several forms; one common attack was to hairpin telecom traffic, where inbound calls into a voice network were sent back out to an alternate destination. Now that voice networking has merged with computer networking, there's an “End of Geography”: physical presence is no longer required to gain access to a voice system. Computer networking is an OPEN network system, as any IP address can connect with any other IP address.

The Internet Protocol (IPv4, RFC 791, and IPv6, RFC 8200) and IP addresses are fundamental to both the public and private networks used in everyday voice and data communications. As a result, network attackers have tremendously more access and tools available to conduct malicious attacks on VoIP infrastructures.


The hackers’ objective is to search through the range of IPv4 and IPv6 addresses looking for VoIP services to target with other forms of attacks. Once a VoIP service is discovered, other types of attacks can then follow. It’s best to understand the tools and methods used to discover VoIP services, detect these methods, and not acknowledge the VoIP service back to the hacker. If the hacker does not know there’s a VoIP service, they’re most likely going to overlook it and move on.
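
One way to apply the "detect and do not acknowledge" advice on the defender's side, as an added example that is not from the original blog or from Sangoma: a small classifier that reads a SIP request log and decides which sources should receive no reply at all. The log format, thresholds, addresses and verdict names are assumptions made for illustration, and the sample log is constructed.

```python
from collections import defaultdict, deque

# Constructed sample log, one request per line: "epoch_seconds src_ip METHOD target_user"
SAMPLE_LOG = """\
1000 203.0.113.50 REGISTER 100
1001 203.0.113.50 REGISTER 101
1002 203.0.113.50 REGISTER 102
1004 198.51.100.7 REGISTER 2001
1005 203.0.113.50 REGISTER 103
1064 198.51.100.7 REGISTER 2001
1070 192.0.2.99 OPTIONS 100
1200 192.0.2.200 INVITE 100
"""

KNOWN_SOURCES = {"198.51.100.7"}  # assumed: carriers and provisioned phones
WINDOW_S = 60                      # assumed sliding window, in seconds
MAX_TARGETS = 3                    # assumed: distinct users allowed per window


def classify(log_text, known=KNOWN_SOURCES, window=WINDOW_S, max_targets=MAX_TARGETS):
    """Return {src_ip: 'allow' | 'challenge' | 'silent_drop'}.

    allow       - known peer or phone, handled normally
    challenge   - unknown source, answered with normal authentication
    silent_drop - discovery behaviour seen; send no SIP response at all
    """
    recent = defaultdict(deque)    # src -> (timestamp, target) pairs inside the window
    verdict = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue               # ignore malformed lines
        ts, src, method, target = int(parts[0]), parts[1], parts[2].upper(), parts[3]
        if src in known:
            verdict[src] = "allow"
            continue
        verdict.setdefault(src, "challenge")
        seen = recent[src]
        seen.append((ts, target))
        while seen and ts - seen[0][0] > window:
            seen.popleft()         # expire requests older than the window
        distinct_users = {t for _, t in seen}
        # OPTIONS from an unknown source is treated as a service-discovery probe;
        # many distinct users in one window is treated as an extension sweep.
        if method == "OPTIONS" or len(distinct_users) > max_targets:
            verdict[src] = "silent_drop"   # sticky: never downgraded afterwards
    return verdict
```

A source marked `silent_drop` would then be fed to whatever enforces the drop (firewall rule or SBC policy), so the scanner never learns that a VoIP service is listening.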
