Remote IP Phone Security with Firewalls

A remote phone deployment for branch offices or work-at-home employees is completely different from SIP trunking. Remote phones change location and require significantly more calling features. They cannot be treated as peers, because phones register for services and change IP addresses often, across multiple devices and locations.

Remote phones require automatic provisioning from file servers and may also require web access and REST API access to the IP‑PBX. The interconnectivity between remote phones and an IP‑PBX is complicated, with many communication requirements.

Securing this deployment means using a firewall to define the relationship between remote phones and the IP‑PBX across networks, covering the VoIP application layers, file provisioning, and other services, while ensuring signaling and media are secure. Remote phones are also most often located behind other firewalls, which presents additional communication issues.

Security Best Practices

In this example, the IP‑PBX resides behind a typical network firewall. The firewall is the border element between the Internet (or untrusted network zones) and Local Area Networks (or trusted zones). The remote phone is located on a remote network across the Internet. The firewall monitors network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.

Firewall Features & Setup

The firewall controls the traffic by redirecting SIP signaling and audio media streams to the defined destinations. In this solution, the firewall allows SIP VoIP traffic from remote phones and directs it to the IP‑PBX.

If you enjoyed this blog, and would like to learn more about Security Best Practices for VoIP, download our whitepaper here: sangoma.com/voip-security-best-practices/

SIP Trunk Security with Session Border Controllers

As discussed in my previous blog, SIP trunking is often a peer-to-peer connection used primarily to deliver PSTN connectivity over VoIP, and it is delivered in a couple of different ways, through ITSPs and Managed Service Providers.

In this blog, I’ll be addressing the Session Border Controller (SBC), an element used to define the peer-to-peer relationship at the various network and VoIP application layers while also ensuring signaling and media are secure.

Security Best Practices

IP-PBX with SBC

In this example, the IP-PBX resides behind an SBC. The SBC is the border element between the Internet (or untrusted network zones) and Local Area Networks (or trusted zones). The SBC is both a network security device and a VoIP security device: it monitors incoming and outgoing network and voice traffic and decides whether to allow or block specific traffic based on a defined set of network and voice security rules.

SBC Features & Setup

The SBC controls the voice traffic by processing SIP signaling and audio media streams to the defined destinations. SBCs typically use B2BUA technology for processing SIP traffic. In this solution, the SBC intelligently controls communications so that SIP trunk traffic from carriers is directed to the IP‑PBX.

The SBC adds many VoIP security features to the SIP trunk call flow. One of the SBC’s primary functions is to provide VoIP security, analyzing traffic and protecting mission-critical VoIP applications from malicious activity and direct attacks. There are several different security features on the SBC to ensure complete coverage.

SIP Trunk Security with Firewalls

SIP Trunking is often a peer-to-peer connection for the primary use of delivering PSTN connectivity over VoIP. SIP Trunking is delivered over a couple of different methods:

Internet Telephony Service Providers (ITSP)

  • Deliver SIP Trunking over the Internet

Managed Service Providers (MSP)

  • Deliver SIP Trunking over dedicated carrier WAN connections

Securing a SIP trunk involves a firewall in combination with an IP‑PBX, used to define the peer-to-peer relationship at the various network and VoIP application layers while also ensuring signaling and media are secure.

Security Best Practices

In the example above, the IP‑PBX resides behind a typical network firewall. The firewall is the border element between the Internet (or untrusted network zones) and Local Area Networks (or trusted zones). The firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.

Why Security is Important with VoIP

Security is one of the most frequently discussed topics, yet the importance of securing VoIP is hard to overstate. Over the course of the next six weeks, we’ll discuss VoIP Security specific to SIP Trunking and Remote Phone applications. Due to the growth of VoIP, it’s important to understand some of the common threats.

Every device and service is in part responsible for providing a secure VoIP solution, but there are a few different ways to deploy a secure VoIP solution.

Traditional telephony, delivered via analog or digital lines, involves transmission over some physical medium. Attacks on traditional telephony, such as eavesdropping, require physical presence with access to the physical lines.

Toll fraud over traditional telephony has several forms. One common attack was to hairpin telecom traffic: inbound calls into a voice network were sent back out to an alternate destination. Now that voice networking has merged with computer networking, there’s an “End of Geography”. Physical presence is no longer required to gain access to a voice system. Computer networking is an OPEN network system, as any IP address can connect with any other IP address.

The Internet Protocol (IPv4, RFC 791, and IPv6, RFC 8200) and IP addresses are fundamental to both the public and private networks used in everyday voice and data communications. As a result, attackers on computer networks have far more access and tools available for conducting malicious attacks on VoIP infrastructures.

The hackers’ objective is to search through the range of IPv4 and IPv6 addresses looking for VoIP services to target with other forms of attacks. Once a VoIP service is discovered, other types of attacks can follow. The best approach is to understand the tools and methods used to discover VoIP services, detect those methods, and not acknowledge the VoIP service back to the hacker. If the hacker does not know there’s a VoIP service, they’re most likely to overlook it and move on.
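
The detect-and-do-not-acknowledge approach described above, sketched as an added example (not code from the original blog or from any Sangoma product). The log format, the sample lines, the thresholds and the heuristic itself (one source addressing many distinct extensions within a short window) are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample log: epoch seconds, source IP, SIP method, target extension.
SAMPLE_LOG = """\
1000 198.51.100.7 OPTIONS 100
1001 198.51.100.7 REGISTER 100
1002 198.51.100.7 REGISTER 101
1003 198.51.100.7 REGISTER 102
1004 198.51.100.7 REGISTER 103
1005 203.0.113.20 REGISTER 2001
1065 203.0.113.20 REGISTER 2001
1125 203.0.113.20 OPTIONS 2001
1200 192.0.2.44 OPTIONS 100
1900 192.0.2.44 OPTIONS 100
"""

WINDOW = 60       # seconds of history kept per source (assumed value)
MAX_TARGETS = 3   # distinct extensions tolerated per source (assumed value)


def parse(log):
    """Yield (timestamp, source, method, extension) for each log line."""
    for line in log.splitlines():
        ts, src, method, ext = line.split()
        yield int(ts), src, method, ext


def find_scanners(log, window=WINDOW, max_targets=MAX_TARGETS):
    """Return {source: time first flagged} for sources probing many extensions."""
    recent = defaultdict(deque)   # source -> (timestamp, extension) in window
    flagged = {}
    for ts, src, _method, ext in parse(log):
        q = recent[src]
        q.append((ts, ext))
        while ts - q[0][0] > window:      # expire entries older than the window
            q.popleft()
        if len({e for _, e in q}) > max_targets and src not in flagged:
            flagged[src] = ts
    return flagged


def decide(src, flagged):
    """Flagged sources are dropped silently, so no SIP response confirms the service."""
    return "drop" if src in flagged else "forward"


if __name__ == "__main__":
    hits = find_scanners(SAMPLE_LOG)
    for ip in ("198.51.100.7", "203.0.113.20", "192.0.2.44"):
        print(ip, decide(ip, hits))
```

A phone that re-registers its own extension stays under the threshold, while the source walking through extensions 100 to 103 is flagged and receives no reply.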

Choosing the Right IP Phone: Part 2 – IT & Business Manager Features

In Part 1 of our blog, Choosing the Right IP Phone, we discussed how to choose an IP phone based on end user features. This blog will focus on choosing an IP phone from the viewpoint of IT administrators and business managers. When IT administrators or business managers choose an IP phone for their organization, end user features are certainly a consideration in order to keep their staff happy and productive.

While features such as conference calling and call forwarding are significant to the selection process, ease of deployment, maintenance and end user control also hold a lot of weight. Since they are responsible for managing their business’ phone system, administrators are looking for IP phones that provide the features employees need, along with dependability and ease of deployment.

Ease of Deployment

There are a few features to look for when thinking about easy deployment of IP phones within an organization.

First, it is important to understand whether your workforce is located remotely or all within the same office. If it is the latter, most vendors will support DHCP provisioning and/or PnP provisioning, which is very useful in tightly locked down networks. If staff are located remotely, a phone that supports a redirection service is beneficial, as it allows phones to be automatically provisioned as soon as they are plugged into an internet connection, regardless of their location in the world. It is important to note the security mechanisms the manufacturer has in place, since many IP phone vendors simply rely on MAC address validation, which means hackers can pretend to be that phone, commit toll fraud and cost your business a lot of money.

Also, for remote installations, VPN support is a useful feature as it not only creates a level of security between the phone and the business phone system, but also simplifies the configuration for the administrator by keeping the audio and signaling routed together to/from the phone system.

Maintenance

As businesses grow or consolidate, new employees arrive or change roles, resulting in the need for IP phone settings to be constantly updated. It is important that the chosen IP phone can be quickly provisioned from a central location so that the administrator does not need to travel onsite. This is beneficial when adding new employees to a group or adding an entire department and groups of phones. The ability to quickly validate phone settings and update firmware and security on a global and granular level is important as well.

End User Control

An IT administrator’s time is important, and the more time spent enabling and configuring features on behalf of an end user, the fewer resources are available to tend to other IT issues. Features such as call forwarding, follow me and conference bridges should be accessible by the end user. Business manager features like checking call queue stats, or changing time conditions, should not require IT support. Unless there are specific security policies in place, empowering the end user is the best approach to maximizing the productivity of phone system administrators as well as the end user.

Compatibility

Last, but not least, verify that not only is the IP phone supported by the business phone system, but that it is compatible with all the features intended for use. A checklist should include some questions such as:

  • Will the IP phone integrate with the current UC features the phone system is providing or will it provide further advantages?
  • Is the IP phone supported within the phone system’s central provisioning tool, and does it support all the adjustable parameters available?
  • Will the IP phone support end user devices such as wireless headsets or Bluetooth for mobile connectivity?

Sangoma’s s-Series IP Phones

For businesses using FreePBX and PBXact phone systems, Sangoma IP phones provide ALL the above-mentioned features, and more. For provisioning, Sangoma’s redirection service allows remote users to fully provision new phones simply by plugging them into the internet, without any IT assistance whatsoever, other than having their extension set up within the phone system itself. And since each phone is factory imaged with a unique identification key, there is no worry about hackers taking advantage of your phone system. Built-in VPN also takes care of security and setup challenges.
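
The difference between the MAC-only validation warned about under Ease of Deployment and a per-device key like the one mentioned here, as an added example (not Sangoma's code, and not a description of how its redirection service works). The HMAC challenge-response scheme, the inventory and every name in it are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed inventory: MAC address -> per-device secret (hypothetical scheme).
INVENTORY = {"00:11:22:aa:bb:cc": bytes.fromhex("8f" * 32)}
_pending = {}  # MAC -> outstanding nonce; each nonce is accepted once


def mac_only_allows(mac):
    """Weak check: any client that presents a known MAC address passes."""
    return mac.lower() in INVENTORY


def issue_challenge(mac):
    """Server side: hand out a fresh random nonce for this MAC."""
    nonce = secrets.token_bytes(16)
    _pending[mac.lower()] = nonce
    return nonce


def device_response(key, mac, nonce):
    """Phone side: prove possession of the device key without sending it."""
    return hmac.new(key, mac.lower().encode() + nonce, hashlib.sha256).digest()


def keyed_allows(mac, response):
    """Server side: verify the response against the stored key, single use."""
    mac = mac.lower()
    key = INVENTORY.get(mac)
    nonce = _pending.pop(mac, None)   # consuming the nonce blocks replays
    if key is None or nonce is None:
        return False
    expected = device_response(key, mac, nonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    mac = "00:11:22:AA:BB:CC"
    print("MAC-only check:", mac_only_allows(mac))
    nonce = issue_challenge(mac)
    print("wrong key:", keyed_allows(mac, device_response(b"\x00" * 32, mac, nonce)))
    nonce = issue_challenge(mac)
    print("device key:", keyed_allows(mac, device_response(INVENTORY[mac.lower()], mac, nonce)))
```

The MAC-only check accepts a client that merely presents the right address, while the keyed check rejects it unless the response was computed with the device's own secret over a fresh nonce.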

Sangoma’s IP phones are the most tightly integrated IP phones for FreePBX and PBXact. They come with over a dozen applications (coined ‘PhoneApps’) that empower the end user with advanced feature control. They allow the user to completely control features directly from the LCD display and programmable button, such as Call forwarding, 5-way conferencing, hot-desking, Presence, Time Conditions and more. For full details on PhoneApps including demo videos visit: https://www.sangoma.com/products/phoneapps/

Since the s-Series phones are designed specifically for FreePBX and PBXact, there is 100% compatibility with the phone system, not to mention the added value of the enhanced features they provide. IT and business managers can efficiently manage users’ phones, everything from pushing new firmware to re-configuring individual programmable buttons, centrally from the phone system and without ever needing to reboot the phones.

When deciding to purchase IP phones for your business, it is important to consider the right balance of end user features as well as those for the administrators of the phone system.
For more information on Sangoma s-Series IP phones for FreePBX and PBXact visit: https://www.sangoma.com/products/phones/