Busting myths about SIP trunking security

Posted on April 27, 2016 by Andrea Mocherman

Session initiation protocol (SIP) trunking has a bad reputation. But as with other emerging technologies, people who don’t quite understand how it works tend to perpetuate fear rather than learn how it can be a vital communications backbone for any business. There are stories of SIP being at the center of tremendously damaging cases of telephone fraud, and some have claimed SIP opens up network vulnerabilities and lets anyone listen in on calls. I’d like to dispel many of these common myths, discuss security best practices and examine how SIP trunking is a powerful tool that can streamline internal and external communications across multiple departments.

Truth be told, SIP trunking is a trusted technology that is growing in popularity faster than any other phone service – IHS Infonetics reports that the SIP trunking services market is expected to top $8 billion by 2018. In a recent survey, the analyst firm noted 62% of enterprises are expected to use SIP by 2017 for a portion of their voice connectivity requirements. There is an irrefutable macro movement to SIP trunking, but is it opening up businesses to significant risk?

SIP trunking provides connections from telephony applications and infrastructure to the public switched telephone network (PSTN) to enable communication services such as making and receiving calls, sending and receiving text messages and recording emergency information. Contrary to what you may have read, SIP trunking only provides for transmission of information you want to send and receive, and is, therefore, not a vulnerability to network security; it’s a controlled two-way gateway to the PSTN. If you have weak network security, it does increase your risk for toll fraud loss, but in this case toll fraud is likely the least of your worries. Good network security is protection against all unauthorized access to your networks and resources, including access to your PBX.

As any IT expert will tell you, security is only as good as its weakest link, and SIP trunking is as safe as you make it. More often than not the horror stories told about voice-over-Internet Protocol and SIP vulnerabilities stem from improperly secured networks – not a result of SIP trunking-related issues. SIP trunking security is more than a question of securing SIP connections – to keep SIP credentials and all other sensitive information out of the hands of fraudsters, the entire network must be secured, including Internet phone lines.

Below are some best practices businesses should follow to ensure that their networks – and by extension their IP communications – are secure:

1. Ensure software and firmware are up to date
Hackers and fraudsters work tirelessly to find weaknesses in network-based software, and when a weak point is discovered, word spreads quickly and criminals spring into action. In addition to offering feature enhancements, software updates ensure that security vulnerabilities are patched. It’s critical to be vigilant in updating customer retention management, unified communications, PBX and any other software that runs on or accesses organizational networks – this also applies to firmware, so make sure router and PBX firmware is current. Failure to maintain current software and firmware versions is the single biggest contributor to toll fraud.

2. Create and require complex passwords
A handful of alphanumeric characters is all that stands between your data and a long line of cyber criminals anxious to infiltrate your systems, disrupt your business and steal your organization’s phone credentials.

As processors become more powerful, exhaustive brute-force attacks against high-level encryption become more feasible. The most immediate threat comes from crawlers, which can automatically attempt standard and default passwords in every password field they find until one works, often in a matter of minutes.

Create policies that require complex passwords on all accounts – including desk phones and voicemail accounts – and require that passwords are changed regularly.

3. Authenticate account access based on IP addresses
After securing your IP network sufficiently, you can thwart unwanted intruders by restricting access to telephony resources to internal IP addresses. Doing that will allow only the people within your network to utilize your calling and messaging resources. If that isn’t possible because of mobile users logging in from a dynamic IP address, create and maintain a blacklist of IP addresses identified as potential threats. Third-party or custom tools also can monitor log files and automatically block IP addresses that have failed a pre-set number of password attempts.
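
The log-monitoring approach mentioned above, sketched as an added example (not code from the original article): it counts failed SIP registrations per source IP in a sliding time window and returns the addresses that reach the threshold. The log format is modelled on Asterisk chan_sip and the sample lines are constructed; `ips_to_block`, `NEVER_BLOCK` and the default threshold and window are hypothetical names and values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines; the format is modelled on Asterisk chan_sip (assumption).
SAMPLE_LOG = """\
[2016-04-27 10:00:01] NOTICE[2101] chan_sip.c: Registration from '"101" <sip:101@pbx.example.com>' failed for '203.0.113.50:5060' - Wrong password
[2016-04-27 10:00:04] NOTICE[2101] chan_sip.c: Registration from '"102" <sip:102@pbx.example.com>' failed for '203.0.113.50:5060' - Wrong password
[2016-04-27 10:00:05] NOTICE[2101] chan_sip.c: Registration from '"201" <sip:201@pbx.example.com>' failed for '198.51.100.7:5060' - Wrong password
[2016-04-27 10:00:09] NOTICE[2101] chan_sip.c: Registration from '"admin" <sip:admin@pbx.example.com>' failed for '203.0.113.50:5060' - No matching peer found
[2016-04-27 10:00:30] NOTICE[2101] chan_sip.c: Registration from '"105" <sip:105@pbx.example.com>' failed for '10.0.0.23:5060' - Wrong password
[2016-04-27 10:00:33] NOTICE[2101] chan_sip.c: Registration from '"105" <sip:105@pbx.example.com>' failed for '10.0.0.23:5060' - Wrong password
[2016-04-27 10:00:36] NOTICE[2101] chan_sip.c: Registration from '"105" <sip:105@pbx.example.com>' failed for '10.0.0.23:5060' - Wrong password
[2016-04-27 10:10:05] NOTICE[2101] chan_sip.c: Registration from '"201" <sip:201@pbx.example.com>' failed for '198.51.100.7:5060' - Wrong password
[2016-04-27 10:20:05] NOTICE[2101] chan_sip.c: Registration from '"201" <sip:201@pbx.example.com>' failed for '198.51.100.7:5060' - Wrong password
[2016-04-27 10:20:09] VERBOSE[2101] chan_sip.c: Registered SIP '105' at 10.0.0.23:5060
"""

FAIL_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
                     r"'.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - ")
# Hypothetical policy: never auto-block the office LAN, so a mistyped desk-phone
# password cannot lock out internal users.
NEVER_BLOCK = (ip_network("10.0.0.0/8"),)

def ips_to_block(lines, max_failures=3, window=timedelta(minutes=5), never_block=NEVER_BLOCK):
    """Return IPs with max_failures failed registrations inside a sliding window."""
    recent = defaultdict(deque)          # ip -> failure timestamps still in the window
    blocked = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue                     # not a failed-registration line
        try:
            ip = ip_address(m["ip"])
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue                     # malformed address or timestamp
        if any(ip in net for net in never_block):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop failures that aged out of the window
            q.popleft()
        if len(q) >= max_failures and str(ip) not in blocked:
            blocked.append(str(ip))
    return blocked
```

With the defaults, only 203.0.113.50 is returned for the sample: 198.51.100.7 fails three times but ten minutes apart, and 10.0.0.23 is exempt. The returned list is what a deployment would feed into its firewall deny list.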

4. Only permit trusted SIP providers
Your PBX is a potential entry point for security threats and it needs to be locked down. Firewalls should be set to only permit trusted SIP connections by adding them to an IP whitelist so intruders are unable to connect to unauthorized accounts.

5. Understand your signaling and media
A solid best practice is to secure the transmission path as much as possible when sending calls over the – always unencrypted – PSTN. By using a provider that sends signaling and media to the PSTN in two streams of disassociated information when making outbound calls, voice data can be obscured from identification. That way, if criminals intercept signaling at the provider level, all they’ll have is numbers and IDs, not the audio.

Research providers and how they handle call transmission and decide which criteria are most important for your organization. If you want end-to-end encryption, SIP plus SRTP is the most secure, especially when the call won’t touch the PSTN.

6. Establish secure connections
The adoption of cloud, “bring-your-own-device” and remote/mobile working is placing greater demands on network availability – which also means greater potential risks to network security. Because employees on the move demand nimble connections, establish secure connection protocols like Secure Sockets Layer (SSL) for all access to any point in your network from anywhere.

For fixed remote extensions such as home and satellite offices, you can gain control over the connection by setting up virtual private networks rather than broadcasting connection credentials over the public Internet. If a dedicated connection is infeasible, use a nonstandard SIP port (i.e. not 5060 or 5061) to disguise the transmission and access point.

With these practices in place, you can feel secure that your organization can realize the benefits of SIP without worrying about the security of your business.