Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security Strategies for UC


Published on

Why is security important in the SMB (small and medium-sized business) space? In the days of legacy phone systems, voice
information was transmitted over the dedicated PSTN (Public Switched Telephone Network). In many ways
the PSTN is the largest, most robust communications infrastructure on the planet and it is still in use today. With the advent of VoIP (Voice over IP), telecommunications is moving away from this legacy platform onto the Internet. The SMB business phone system, rather than being separate equipment, is now another network device able to interoperate with many new and emerging technologies.

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

Security Strategies for UC

  1. 1. Security StrategiesforUC
  2. 2. Security Strategies for UCIntroduction 3A History Lesson in Telephony Security 5Common Threats Against UC Systems 8UC Security Basics 12UC Security: What You Need to Know 18
  3. 3. In the days of legacy phone systems, voiceinformation was transmitted over the dedicated PSTN(Public Switched Telephone Network). In many waysthe PSTN is the largest, most robust communicationsinfrastructure on the planet and it is still in use today. Withthe advent of VoIP (Voice over IP), telecommunications ismoving away from this legacy platform onto the Internet.The SMB business phone system, rather than beingseparate equipment, is now another network device able tointeroperate with many new and emerging technologies.Why is securityimportant in the SMB(small and medium-sizedbusiness) space?Security StrategiesforUC
  4. 4. Security StrategiesforUnderstanding Why UC Systems are VulnerableA UC business phone system combines voice, video, chat,email and presence together into one unified messaging system.As the technology has become more complex, and moreaccessible from the public Internet, the security threat hasincreased. In many ways it is easier than ever to attack businesscommunications. Companies must be diligent to protect theircommunications as they are vital to business operations.
  5. 5. A History Lesson in Telephony SecuritySecurity has long been a problem for telecommunications networks.Even in the legacy days of the PSTN, threats existed. Attackers who wereable to compromise phone systems were known as “phreaks.” Not allphone phreakers were malicious. Many simply sought to study thetechnology. A few were able to manipulate the system for financial gain.Early telephone networks used in-band frequencies to transmit calllevel signaling. For example, AT&T used a single 2600hz tone onthe line to signal that the line was ready to dial long distance calls.A famous phone phreaker, John Draper, discovered that the toywhistle found in a Cap’n Crunch®cereal box could beused to emit a 2600hz tone. By blowing the whistle intothe phone, he was able to make free long distance calls.Why is UC Security Important?
  6. 6. This vulnerability helped usher in greater use of DTMF(Dual Tone Multi-Frequency) signaling. By using two tones insteadof one, the call control signaling was more difficult to reproduce,but not for long. Phreaks soon built devices called the “Blue Box.”This device was able to produce DTMF tones necessary to gaincontrol over the telecommunications system. Steve Wozniak, wholater went on to help found Apple Inc., is known for being aphreaker using blue boxes.A History Lesson in Telephony Security
  7. 7. To avoid this vulnerability, the telecom networkmoved to out-of-band signaling; however, DTMFstill exists today. The tones you hear when you pressthe keys on a touch tone phone are DTMF tones.Many mobile and VoIP phones still use these tonessimply because they are familiar to us, even thoughthey are not needed for signaling.The historical lesson to learn is that technologymust evolve to stay ahead of those who seek toexploit it. Although historical phreaks like JohnDraper and Steve Wozniak are a type of folk hero,modern attackers can do real damage to your systemand cost your business large amounts of money. Astechnologies evolve, so do the malicious attackers.It is imperative to stay up-to-date on informationsecurity in order to protect your business’ assets.A History Lesson in Telephony Security
  8. 8. Toll FraudToll Fraud is a common attack against business phonesystems. In this type of attack the malicious agentattempts to gain access to your long-distance,toll-bearing trunks. If they are able to make callsusing your long-distance account then they can getfree calls and you end up paying long distance feesto your upstream provider. This can be especiallydamaging if international calls are made. Companieswith VoIP systems that are compromised by toll fraudare often left liable for tens of thousands, or evenhundreds of thousands of dollars in long distance fees.There are many threats that can affect a businessphone system. Four of the most popular are: Toll Fraud,Denial of Service, Man in the Middle, and Social Engineering.Knowing what kind of damage can be done serves toillustrate the importance of securing your phone system.Common threats against UC systems
  9. 9. Denial of ServiceA “DoS” or Denial of Service attack isone in which an attacker compromisesyour system in such a way as to make itinaccessible to your users. DoS attackscan be targeted at specific services, suchas stopping the ability to dial out trunks,or access to remote UC features, or in aworst case scenario, can bring down theentire system so that even interoffice callscannot be made. When your system isunavailable to users due to a DoS attackyou will see this cost in terms of lost timeand productivity. Not to mention the lossof reputation in the eyes of your customerswho are unable to communicate with you.Common threats
  10. 10. Man in the MiddleA Man in the Middle attack occurs whenan attacker is able to intercept yourtraffic and then passes it along. You maynot know that a Man in the Middle attackis occurring because your services appearto be working like normal. However, if anattacker is able to intercept authenticationcredentials they could use this informationto perform a DoS or Toll Fraud attack.Additionally, the attacker could gainaccess to private or privileged information.Common threats
  11. 11. Common threatsSocial EngineeringThe easiest way to exploit a technologyis to attack humans instead of attackingthe technology. Modern, sophisticatedattackers will often try to gain access toyour system via social engineering ratherthan technical exploits. An example wouldbe a malicious attacker calling one of yourusers pretending to be your IT department.They might ask the user for their passwordin order to fix an imaginary problem. Theunsuspecting user offers their authenticationcredentials freely. The attacker nowhas access to your system.
  12. 12. UC Security BasicsIt’s important to understand some common terminologyyou’ll hear referenced when talking security. For example,the acronym CIA (Confidentiality, Integrity and Availability)is used to describe the desirable attributes of an effectiveinformation security implementation. As you read the rest ofthe terms and their descriptions below, think about howeach of these concepts apply to your business.
  13. 13. UC Security BasicsConfidentialityUser data should be confidential.The only people who should be able toaccess your confidential information arethose for whom it is intended. In the caseof business Unified Communications (UC)systems the data could be voice trafficor chat messages. Confidentiality isimportant both to protect trade secretsand personal privacy. In the same wayyou might close your office door in orderto have a confidential conversation, youwould likewise expect that a phone callbetween two parties would be similarlyprivate. You would not want an uninvitedthird party to be able to eavesdropon the conversation.
  14. 14. IntegrityThe integrity of information refers to thequality being unchanged. If you receive anemail from a colleague, you should havea reasonable expectation that the text youare reading is the actual message theysent. A malicious attacker interceptingyour message and modifying it couldcause havoc.
  15. 15. AvailabilityHaving a secure network withconfidentiality and integrity is of littlevalue if your services are unavailable toyour users. A DoS (Denial of Service)attack is one in which an attacker preventsaccess. For example, imagine an attackerwho gains physical access to your servercloset and disconnects the power to yourUC server. The disruption to your phoneservice would impact your ability toprovide customer service.
  16. 16. AvailabilityAvailability is also important to keep inmind when selecting security equipment.There is a such thing as “too much security.”For example, imagine you wanted to securethe hard disk of your PC. You could removethe disk, encase it in cement and bury it inthe ground. The data on the disk would behighly confidential—no unauthorized personwould be able to get to it. It would havehigh integrity, and be nearly impossiblefor an attacker to modify the data on thedisk. However, it would also be completelyunavailable and as such this security tacticis a futile one. It may seems obviousthat “cement” is a poor choice forsecuring UC equipment, however often thesame type of over-handed security policesare put in place, making the data so “secure”no one can get to it, even your users.
  17. 17. Mitigation vs EliminationA truly secure network is one that is notonly protected from attack but is alsoaccessible when it needs to be. In thisspirit, the goal of information securityshould be mitigation not elimination. To“mitigate” a threat means “to lessen ormake smaller.” It’s never possible tocompletely eliminate all threats againstyour UC system. If an attacker isdetermined enough they will find a wayto break in to your system, however mostattackers are not determined. In generalVoIP security threats most commonlyarise from attackers looking for an easy,unsecured target. By implementing abaseline of security best practices youmake your system unattractive to potentialattackers looking for an easy target.
  18. 18. UC Security: What You Need to KnowIn particular, securing VoIP networks is not thesame as securing data networks. Most datatraffic is transported over TCP and as such, securitybuilt-in to networking devices such as routers andfirewalls are built around TCP data-centric transport.VoIP is UDP-based and time sensitive. Dropping afew packets while downloading a website is for themost part benign—the packets can simply beretransmitted. Voice and video streams are morefragile. Dropping too many UDP packets in a voicestream can cause call quality issues. As such,securing your unified communications requires abalanced approach. You must mitigate threatswhile also maintaining quality of service.Likewise, managing security for an SMB offersunique challenges when compared to the larger,enterprise space. While large businesses can oftendedicate substantial resources toward securing theircommunications, those in the SMB space needsecurity solutions that are both effective and simple.This actually works in favor of the SMBs sincesecurity and simplicity can work together. Forexample, installing an expensive and complexsolution to secure you network can work againstyou. Improperly configured equipment can affectyour call quality and potentially stop your VoIPequipment from functioning properly. Remember,accessibility is key to a secure network.Unified communications presents unique security challenges because it bringstogether disparate technologies. Using VoIP, video, chat and presence together hasproven to provide productivity gains for businesses, but also presents security risks.
  19. 19. 1. Deploy a Properly Configured Firewall2. Enable a VPN for Remote Users3. Use Strong Passwords4. Update Regularly5. Turn Off Unused Services6. Monitor Your Call Logs7. Use built-in UC security tools7 Tips for Effective UC SecurityDespite being in aniche field, securingunified communicationsas an SMB followsmany of the samesecurity best practicesthat are effective in theenterprise for a varietyof technologies.The following bestpractices can helpkeep communicationsflowing.
  20. 20. Due to the variety of firewall modelsand topologies available, givingspecific advice is difficult. So, hereare some practical tips for almost anyconfiguration. For starters, it’s alwaysadvisable to keep high importance onsecurity. This means being technicallyfamiliar with your equipment and it’sconfiguration. It is a responsibility youshould take with the utmost seriousness.When shopping for firewalls favor thosethat offer simple configuration andare designed for the SMB.1Deploy a Properly Configured Firewall
  21. 21. A good general rule of thumb is to blockall unknown traffic into your network andthen only allow traffic from trusted sources.This strategy doesn’t usually work well foryour web server, but your UC server shouldabsolutely be sequestered behind yourfirewall. In most cases, you should onlyallow Internet traffic from your ITSP(Internet Telephony Service Providor) orVoIP provider. This is the company thatsupplies you SIP truck or hosted VoIPservices. Allow access only on the portsnecessary and only to the IP or block ofIPs that your provider uses.1Deploy a Properly Configured Firewall
  22. 22. Some complex firewalls tout features suchas SIP ALG (Application Level Gateway).Although SIP ALG is advertised as asecurity feature for VoIP, it tends to notwork as advertised. Instead, ALGs have atendency to mangle SIP packets or modifyheaders in a way that breaks functionality.A general best practice is to do extensiveinteroperability testing prior to deploymentor simply disable SIP ALG in your firewalland/or router.1Deploy a Properly Configured Firewall
  23. 23. Surprisingly enough, many small, andeven medium-sized businesses do notdeploy a firewall. Or, they deploy a firewall,but open ports to all networks to allowremote users. This is almost the same ashaving no firewall at all. Although some UCservers, like Switchvox have built-in attackmitigation mechanisms, these should not besolely relied upon. Your firewall is designedto sort traffic, your UC server is not. Usingeach device for its intended purpose willkeep your network the most secure. In theSMB, managing remote users is betterdone through a VPN.1Deploy a Properly Configured Firewall
  24. 24. VPN stands for Virtualized Private Network. Many SMBnetworking devices, such as routers and firewalls, comewith built-in VPN capability. Quality VPN devices are nowavailable at affordable prices. For your remote users, andwhile connecting remote SMB offices, the simplest optionis to deploy a VPN device at both ends. The connecteddevices form an encrypted “tunnel” over the public Internet.This “virtual” network keeps all of your traffic safe.VPNs have many benefits:1. In addition to VoIP, the remote user can access other local network resources such as network shares and intranet web applications.2. The traffic is encrypted to maintain privacy3. NAT issues are eliminated or diminished4. Also, there are only a few ports to open in thefirewall to allow the VPN traffic. They can beopened to all networks because the VPN requiresauthentication before establishing a connection.2Enable a VPN for remote users
  25. 25. GH289401 78OLN23 NE577 UND5543L12 B16D5833XR KRNHI6 AXE29421 I!IL69960 3DF3DX345JJ COLUMB#4 28DYTN88 7EW2014 BEB0288YTK5431 CLEMS88 HGH289401 78O577 UND5543L5833XR KRNHI421 I!IL6996X345JJ COLUMYTN88 7EW20188YTK5431 CLVNN 7W4355*9Another area of concern is user passwords.If your UC solution requires user login, then you will want toensure that you require strong passwords for your users.Switchvox, Digium’s UC solution, mitigates both of these threatsby default: strong, unique SIP passwords are automaticallygenerated and used for Digium phones attached to Switchvox.Using strong (system) passwords is anextremely effective, yet often over lookedsecurity measure. Strong passwordsshould be used for every instance requiredin your UC solution. Business VoIP phonesshould especially be protected by uniquestrong SIP passwords. Re-used or weakpasswords make it extremely easy for anattacker to get access to SIP credentials.Once authenticated with a SIP account,attackers can make high fee toll calls asthough they were using that phone.3Use Strong Passwords
  26. 26. A standard security best practice thatis almost universal to all technologiesis to keep software up to date. As wellas obtaining bug fixes, keeping yoursoftware updated helps improve security.As potential exploits are found, securitypatches are then released as softwareupdates. The most recent version istypically the most secure.Whenever you update your UC server youwill want to follow the best practices forupdating. Be aware of what has changedand how the update could impact yoursystem; backing up the system first, andperforming the update during a scheduledmaintenance window also helps to ensureyour users will have access to your systemwhen they need it.4Update Regularly
  27. 27. Another standard hardening practiceis to turn off any unused services.A good rule of thumb is that if you aren’tusing a feature you want to shut it down.This lessens the potential attack surface.For example, if you are using voice, videoand email communications but aren’tusing chat, then it is best to turn off thechat functionally in the UC server. Notonly does this improve security, but thiswill also improve performance as you willhave less protocol traffic on the networkand your server will be less taxedbecause it is doing less work.5Turn Off Unused Services
  28. 28. Often attacks go unnoticed until a greatamount of damage is done. Regularlyreviewing system logs could allow you todetect an attack early. Running regularreports on toll calls can help create abaseline for normal activity. You’ll then beable to notice excessive activity.Sometimes you may be able to enlistthe help of your upstream provider.They may be able to notify you after apredetermined limit on toll-based callsis exceeded. Unfortunately, manyproviders do not offer such features.Instead it is your responsibility to monitoryour logs and ensure that long distancecalls are intended.6Monitor Your Call Logs
  29. 29. The best way to secure your UCdevices is to use dedicated securityequipment, like VPNs and firewallrouters. However, taking advantage ofbuilt-in security tools can add an extralevel of protection. Digium Switchvox,for example, comes with security toolssuch as Access Control Rules, AutomaticIP blocking and managed tech supportaccess. The blocked IPs tool will blockIP addresses that fail multiple registrationattempts. In theory, a properly configuredfirewall should prevent SIP scannersfrom being able to reach your UC server,however this additional level of securityadds peace of mind and works as afunctional back-up to round outyour security suite.7Use built-in UCsecurity tools
  30. 30. Security is your responsibility.Not all security advice is applicable in all situations.Discern for yourself whether the information offeredin this eBook is appropriate for your scenario andmake the judgment that is best for you.Has this eBook been helpful for you?Share your security concerns andquestions with us on Twitter @DigiumFor more information on Unified Communicationssolutions, visit
  31. 31. Digium®. We’re changing the way businesses communicate.Want more informationon Switchvox?Take a virtual tour ofthis powerful UnifiedCommunications us—we’re here to help.Talk with a Switchvox specialist:1 877 344 48611 256 428 6271sales@digium.comFounded in 1999, Digium is the creatorand primary developer of Asterisk, theindustry’s first open source telephonyplatform. More than one million customersin 125 countries have deployed Asterisk-based systems. Digium is committed toending the days of expensive, proprietarytelecom. The Switchvox family of UnifiedCommunications solutions is built onAsterisk and is designed to provideenterprise class features at affordableprices for small and medium businesses.The award-winning line of Switchvox IPPBX phone systems provides more thana phone system—it delivers a UnifiedCommunications platform that integratesmultiple features that increase productivityand lower monthly communication costs.It’s the affordable solution with a provenreturn on investment for businesseswith 10 to 400 users.Learn more at©2013 Digium, Inc. All rights reserved. Digium, Asterisk and Switchvox are trademarks of Digium, Inc.All other trademarks are property of their respective owners.