Nowadays the Private Security Industry in South Africa is thriving. Homeowners and Businesses alike are signing up for sophisticated systems to protect their assets. Most people are taking a layered approach to their security, such as electric fences, CCTV solutions and armed response. Similarly to the Security Industry, the deployment of VoIP solutions has also greatly increased. Unfortunately, some of the key factors that make VoIP so attractive have also become it’s Achilles heel. VoIP allows for flexibility and accessibility and as such can expose it to misuse by criminal elements. It is for this reason that it has become increasingly important to consider VoIP security to prevent financial losses.
Imagine you are at a restaurant; a stranger walks up to your table, grabs your mobile phone and starts making calls all over the world. After a few minutes, they put your phone back down on the table and walk away. Not only has a complete stranger depleted your airtime; you’ll also have to pay for the calls that they have made. This scenario might seem exaggerated as it’s highly unlikely anyone would just sit back and let this happen. However, in reality with VoIP and other related Internet-based services, it’s a common occurrence. As much as we are security conscious in other aspects of our lives, VoIP and network security it’s often overlooked. The consequence of this oversight could have serious financial implications.
A Layered approach to VoIP Security is Essential
Just like you treat your home or business’s physical security VoIP security needs a layered approach. Here are a few suggestions we would recommend implementing to assist in mitigating against a VoIP security breach:
- Securing your network and restrict access to the LAN (network) from the internet. This involves strict Firewall rules which will deny unauthorised traffic from entering your network. Furthermore, ensure that the destination NAT (dstnat) is very strict. Also, ensure that common ports are not used if you have remote access to your VoIP devices.
- Services such as API, FTP, ssh, telnet, HTTP and winbox should be customised not to be accessible via their traditional ports. If not in use disable them. In addition, it’s advisable not to use traditional ports like 80, 22, 23 and so forth. These ports are easily identifiable and have well-known usernames and passwords.
- We would strongly advise that you read the following forums if you run MikroTik within your network: Forum 1, Forum 2 and Forum 3. Most importantly, ensure that you are running the latest MikroTik firmware, older versions have a number of vulnerabilities.
- Disable SIP ALG on your router or modem. This setting not only affects SIP signalling which can cause issues such as one-way voice. It also makes a VoIP device easily identifiable from the internet. If a VoIP device responds to a port scan it makes it easier to identify on the internet. This is how perpetrators can identify the type of device on-site and how easy they can compromise it.
Ensure that your PBX is secure if you don’t have a Switch Telecom Hosted Switchboard
- First and foremost, change all default login passwords on your PBX and handsets. If your network is being breached, a customised login password will prevent or delay access to the PBX
- Customise the inbuilt Firewall of your PBX if possible.
- Make sure that you are aware of any vulnerabilities your onsite PBX might have. As an example: https://wiki.freepbx.org/display/FOP/2019-11-20+Remote+Admin+Authentication+Bypass.
- If you do not need remote extensions, ensure that the PBX does not allow remote extension registration. It is also possible to grant certain network access to the PBX to prevent unauthorised access from unwanted networks.
- Customise outbound rules. If your PBX allows for it then implement pin dialling.
- If possible disable IP Calling on your handsets. This will prevent the phone from responding to port scans which will ensure that the devices are not accessible on the internet.
- And lastly, change the Local SIP Port to any random port. Changing the local SIP port from the traditional 5060-5063 ports makes the phone inaccessible to port scans.
Your VoIP Provider should offer innovative security measures to help protect against Security Breaches
A specialist VoIP provider will set up credit limits on client accounts. They should also properly maintain security patches. Most importantly, the VoIP provider should speedily identify and combat any untoward activity. Switch Telecom has developed and implemented an Auto-Provisioning system for phone setup. Apart from saving time and minimising onsite support, the system secures phones through the implementation of various security settings. The auto-provisioning system is able to provision most Yealink and Grandstream phone models.
Further to Auto-Provisioning, Switch Telecom offers various other innovative ways to ensure the security of your VoIP Solution. Call barring options, IP access control lists, custom outbound rules (only on the Switch Telecom Hosted Switchboard), tight credit management, authorised account contacts are just some of the ways we layer the security of our solutions.
VoIP Security is a Team Effort
Even though Switch Telecom continues to make advances in ensuring VoIP security on all its solutions, a layered approach is essential. And it’s for this reason that all stakeholders should ensure the security of their devices and networks in order to safeguard against security breaches.
Our team of experts are always on hand to assist with advice when it comes to your VoIP security. Feel free to Contact us to discuss.