6 Steps to SIP trunking security
How securing your network secures your phone lines.
There are stories that SIP has set
off a cyber crime wave of corporate
espionage and telephone fraud.
They say SIP opens up network
vulnerabilities, and that SIP trunking
lets anyone listen in on calls.
It’s not true.
The truth about SIP security.
SIP trunking is growing in popularity faster than any other toll phone service. Experts project
SIP trunking will be the sole PSTN connection in 42% of businesses by 2016*. Beyond cutting
costs and adding features, decision makers are sold on SIP trunking’s ability to centralize PSTN
access, failover instantly, and provision channels as needed to deal with spikes in call volume. They
are comfortable implementing SIP because they know it doesn’t add vulnerabilities or put their
organization at risk for fraud.
Security is only as good as the weakest link. In most cases, when it comes to information security,
organizational networks are the weakest link. SIP trunking security is not only a question of securing
SIP connections. To keep SIP credentials, and all sensitive information, out of the hands of fraudsters,
the entire network must be secured.
*http://www.nojitter.com/post/240162594/sip-trunking-research-shows-rapid-growth-through-201
SIP trunking only transmits
information you want to
transmit.
SIP trunking is not an open
door cut into firewalls, it’s a
controlled 2-way gateway
to the PSTN.
SIP trunking doesn’t make
it easier to eavesdrop on
call audio.
The myths about
SIP trunking can
be misleading.
Developments in business communications technology have created new usage patterns that
require anywhere, anytime access to internal networks. Cloud-based SaaS, BYOD, and a remote
and mobile workforce are all placing greater demands on network availability while poking holes
in network security.
Insecure internal and cloud-based networks are the access point fraudsters use to seize control
of communications accounts and sensitive corporate data. These six steps will reinforce
network fortifications, and save accounting departments from using up the bonus budget to
cover fraud liability.
Securing IP communications
starts with network security.
1. Update all software
In addition to feature enhancements, software updates
are released to patch security vulnerabilities. On a daily
basis, people all over the world are working to find
weaknesses in network-based software. When they find
it, word spreads fast, and a targeted cyber crime wave
ensues. Reputable software companies employ people
to find vulnerabilities first, so they can update their
product to keep customers safe.
It is important to update CRM, UC, PBX, or any other
software that runs on or accesses organizational networks.
The latest version will be the most secure from
attacks. This applies to firmware too. So make
sure router firmware is up-to-date.
2. Create complex passwords
Local network and voice device security is critical
when blocking intruders from tapping your calls.
Technology exists that can crack a 15-character
password in a matter of minutes. It requires far more
computing power than is realistically in the hands of
attackers, but as Moore’s Law states, computers grow
more powerful every day. As processors become
more powerful, exhaustive brute-force attacks against
high-level encryption will become more feasible.
An immediate threat is the ability to find dictionary
words and common passwords that open account
access. It is all too easy to build a crawler that will
automatically attempt standard and default passwords
(like 1234, etc.) in every password field it finds, until it
gets one right.
Create policies that require complex passwords
on all accounts, including desk phones and
voicemail accounts, and require that passwords
are changed regularly.
3. IP authentication
Authenticating account access based on IP address
is an excellent way to deflect unwanted intruders.
Lock down access by assigning a static IP address to
each user, or user group, and establish a strict whitelist
of approved addresses allowed network entry.
Alternatively (if mobile users need to log in from a
dynamic IP address), build a blacklist of IP addresses
known to exhibit threatening behavior (or see step 4).
Lists can be found online, and/or third-party or
custom-built tools can be employed to monitor log files and
automatically block IP addresses that have failed a
preset number of password attempts.
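
The log-monitoring approach from step 3, as an added example that is not part of the original paper or any Flowroute code: it scans registration-failure lines, skips whitelisted networks, and returns the source addresses that exceed a failure threshold inside a time window. The Asterisk-style log format, the function name `ips_to_block`, the thresholds and the documentation-range IP addresses are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, modelled on Asterisk-style registration-failure
# notices. Adjust FAILED_RE to the format your PBX actually writes.
SAMPLE_LOG = """\
[2015-03-02 10:00:01] NOTICE[2101] chan_sip.c: Registration from '<sip:100@pbx.example.com>' failed for '203.0.113.7:5060' - Wrong password
[2015-03-02 10:00:05] NOTICE[2101] chan_sip.c: Registration from '<sip:200@pbx.example.com>' failed for '192.0.2.10:5060' - Wrong password
[2015-03-02 10:00:09] NOTICE[2101] chan_sip.c: Registration from '<sip:300@pbx.example.com>' failed for '198.51.100.20:5060' - Wrong password
[2015-03-02 10:00:15] NOTICE[2101] chan_sip.c: Registration from '<sip:101@pbx.example.com>' failed for '203.0.113.7:5060' - Wrong password
[2015-03-02 10:00:20] NOTICE[2101] chan_sip.c: Registration from '<sip:200@pbx.example.com>' failed for '192.0.2.10:5060' - Wrong password
[2015-03-02 10:00:31] NOTICE[2101] chan_sip.c: Registration from '<sip:200@pbx.example.com>' failed for '192.0.2.10:5060' - Wrong password
[2015-03-02 10:00:40] NOTICE[2101] chan_sip.c: Registration from '<sip:102@pbx.example.com>' failed for '203.0.113.7:5060' - No matching peer found
[2015-03-02 10:00:41] VERBOSE[2101] chan_sip.c: Registered SIP '100' at 192.0.2.10:5060
[2015-03-02 10:10:09] NOTICE[2101] chan_sip.c: Registration from '<sip:300@pbx.example.com>' failed for '198.51.100.20:5060' - Wrong password
[2015-03-02 10:20:09] NOTICE[2101] chan_sip.c: Registration from '<sip:300@pbx.example.com>' failed for '198.51.100.20:5060' - Wrong password
"""

FAILED_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE.*Registration from .* failed for "
    r"'(?P<ip>[0-9.]+):\d+' - "
)

def ips_to_block(log_text, allowlist, max_failures=3, window=timedelta(minutes=5)):
    """Return IPs with >= max_failures failed registrations inside `window`."""
    trusted = [ipaddress.ip_network(net) for net in allowlist]
    recent = defaultdict(deque)   # source IP -> timestamps still inside the window
    blocked = set()
    for line in log_text.splitlines():   # assumes chronological order
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if any(ip in net for net in trusted):
            continue              # never auto-block a whitelisted network
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # drop failures that aged out of the window
        if len(hits) >= max_failures:
            blocked.add(str(ip))
    return sorted(blocked)
```

The returned addresses would feed whatever firewall or PBX deny list is in use; checking the whitelist first keeps a misconfigured trusted trunk from being locked out automatically.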
4. Only permit trusted SIP providers
A PBX is a potential entry point for security threats
that needs to be locked down. Set firewalls to only
permit trusted SIP connections by adding them
to an IP whitelist so that intruders will be unable to
connect to unauthorized accounts.
5. Understand your signaling and media
Research providers and how they handle call
transmission, and decide which criteria are most
important for you. If you want end-to-end encryption,
SIPS plus SRTP is the most secure, especially when
the call won’t touch the PSTN.
It’s good practice to secure the transmission path as
much as you can when sending calls over the (always
unencrypted) PSTN. By using a provider that sends
signaling and media to the PSTN in two streams of
disassociated information when making outbound
calls, voice data can be obscured from identification.
That way, if criminals intercept signaling at the provider
level, all they’ll have is numbers and IDs, not the audio.
6. Establish secure connections
Business networks are being accessed from more
and more locations as employees, and their work
habits, become increasingly mobile. For fixed remote
extensions such as home and satellite offices, you
can gain control over the connection by setting
up Virtual Private Networks rather than broadcasting
connection credentials over the public Internet.
If a dedicated connection is infeasible, use a
non-standard SIP port (i.e. not 5060 or 5061)
to disguise the transmission and access point.
When employees access your organization’s internal
network from less established locations such as
a public Wi-Fi connection (e.g., in a coffee shop),
anyone watching the network can see and capture
credentials sent via clear text. Because employees
on the move demand nimble connections, establish
secure connection protocols like SSL for all access
to any point in your network from anywhere.
The average cost of a toll fraud attack on a VoIP phone system in 2014 is roughly $36,000*.
More often than not, the horror stories told about VoIP vulnerabilities stem from improperly
secured networks. There are so many pros that it’s hard to find an argument against
connecting telecommunications through a strong SIP provider. Securing your network
against intruders secures every component of your network, including Internet phone lines.
For more information on telephone security and other industry insights and updates,
subscribe at blog.flowroute.com.
SIP trunking is as safe as you make it.
*http://it.toolbox.com/blogs/voip-news/voip-security-what-could-possibly-go-wrong-61802
As the world’s first pure SIP carrier,
Flowroute delivers advanced SIP trunking
that answers the needs of communications
developers, SaaS service providers, and
high-tech enterprises. Flowroute’s unique
technology and network services provide
communications experts unparalleled
performance, transparency and control of
the voice communications that power their
businesses.
For more information about why we’re
the experts’ SIP trunking choice:
www.flowroute.com
blog.flowroute.com
1-855-FLOW-ROUTE (356-9768)
hello@flowroute.com
© Copyright 2015 Flowroute Inc. All rights reserved. FLOWROUTE and the swirl design logo are trademarks of Flowroute Inc.