6 Best practices to ensure SIP trunk security

Posted on September 23, 2020

SIP trunking is a trusted technology that is growing in popularity among enterprises and channel partners. According to a new global survey of 40,000 IT managers by Eastern Management Group (EMG), SIP traffic is projected to grow 25 percent by 2024.

Despite its widespread adoption and favorable projections, some are still skeptical about the security of SIP trunking.

Those who have integrated this technology know SIP trunking is secure and only transmits the information desired to send and receive. Therefore, SIP is not considered a vulnerability to network security. However, the process of integrating SIP trunking into established organizational procedures can create network vulnerabilities if not done properly.

There are a number of steps businesses can take to further ensure their telecom resources are safe from cyberattacks. Below are six security best practices businesses and service providers can follow to ensure their networks are secure:

1. Manage and maintain software and firmware updates

Hackers and fraudsters will work tirelessly to find weaknesses in cloud-based software. When a weak point in the network is discovered, word spreads quickly. Consistent and timely software and firmware updates ensure that security vulnerabilities are patched as soon as they are recognized by the SIP trunking provider. For this reason, it is critical to be vigilant in updating customer retention management, unified communications, PBX and any other software that runs on or accesses organizational networks. Failure to maintain current software and firmware versions is the single biggest contributor to toll fraud.

2. Require complex passwords

A handful of alphanumeric characters is all that stands between the security of your data and a long line of hackers anxious to infiltrate your systems. As processors become more powerful, exhaustive brute-force attacks against high-level encryption are also more feasible. One of the most immediate security threats comes from crawlers, which use automated programs to attempt standard and default passwords in every password field until it gets it right, which often happens in a matter of seconds.

To avoid a breach, create policies that require complex passwords on all accounts – including desk phones and voicemail profiles. It is also wise to change passwords regularly. As any IT expert will tell you, security is only as good as its weakest link. More often than not the horror stories told about VoIP and SIP vulnerabilities stem from improperly secured networks – not as a result of SIP trunking-related issues.

3. Authenticate account access based on IP addresses

After sufficiently securing your IP network, unwanted intruders can be restricted by limiting the IP addresses authorized to access telephony resources. This will allow only the people within your network to utilize your calling and messaging resources. If restricting access by IP address is not possible due to remote users logging in from dynamic IP addresses, create and maintain a blacklist of IP addresses identified as potential threats. Third-party or custom tools also can monitor log files and automatically block IP addresses that have failed a pre-set number of password attempts.

4. Only permit trusted SIP providers

Your PBX is a potential entry point for security threats, and it needs to be locked down. Firewalls should be set to only permit trusted SIP connections by adding them to an IP whitelist. This will ensure unauthorized intruders are unable to connect to sensitive accounts.

5. Understand your signaling and media

Use a provider that sends signaling and media to the PSTN in two streams of disassociated information. Since the PSTN cannot be encrypted, this adds additional security to outbound calls and voice data by obscuring the content from identification. If hackers intercept signaling at the provider level, they will only have numbers and IDs, not the audio.

It is important to research SIP trunking providers and understand how they handle call transmission. There are various methods of call transmission and some may be a better fit depending on your organization’s needs. For example, if you need end-to-end encryption, SIP plus SRTP (or Secure Real-Time Transport Protocol) is the most secure, especially to ensure the call will not touch the PSTN.

6. Establish secure connections

Rapid cloud adoption and “bring-your-own-device” policies are placing greater demands on network availability. Unfortunately, this complexity in network availability also means greater potential risks on network security. To secure the nimble connections of employees on the move, establish secure connection protocols like secure socket layers for access to your network from anywhere.

For fixed remote extensions such as home and satellite offices, you can gain control over the connection by setting up virtual private networks rather than broadcasting connection credentials over the public internet. If a dedicated connection is not feasible, use a nonstandard SIP port (i.e. not 5060 or 5061) to disguise the transmission and access point.

SIP trunking security is more than a question of securing SIP connections. To keep SIP credentials and all other sensitive information out of the hands of fraudsters, the entire network must be secured. Good network security is protection against all unauthorized access to your networks and resources, including access to your PBX. With these practices in place, you can feel confident that your organization can realize the benefits of SIP without worrying about the security of your business.