Here’s what we all know: The attack path to target systems begins with breaching the network perimeter. But what if this is successful 93% of the time? According to a 2022 study of financial organizations, fuel and energy organizations, government bodies, industrial businesses, IT companies, and other sectors, “in 93% of cases, an external attacker can breach an organization’s network perimeter and gain access to local network resources”.
This finding should be worrying for VoIP security for two reasons:
- The same study found that it takes two days to penetrate a company’s internal network
- 50% of VoIP perimeter devices, Session Border Controllers (SBCs), are unsecured, as per the State of SBC Security study conducted by a collaboration security company, Assertion Inc.
It’s never been clearer: VoIP perimeters need cybersecurity attention and investment. And that’s what makes perimeter security a primary focus of the NSA’s first-ever UC-VoIP cybersecurity guidelines. Read on to understand the approach the guidelines take toward VoIP perimeter security and what they look like in action.
The role of SBCs in VoIP perimeter security
As organizations adopt advanced communications platforms to enable global business operations and remote work, they are steadily adopting SBCs to regulate all forms of real-time communications, including VoIP, video, and collaboration sessions.
Session border controllers are essential and enforce call signaling protocol standards for traffic entering and exiting the local UC/VVoIP network. By enforcing call signaling protocol standards, a layer of protection is provided to the servers residing on the internal network that process UC/VVoIP communication packets.
In addition, SBCs support secure connectivity from local UC/VVoIP servers to remote service providers and other external UC/VVoIP systems. – NSA VVoIP guidelines, 2021
SBCs are critical to VoIP security for three reasons:
- Being located at the perimeter, they can track calls entering and exiting the network. Monitoring and analyzing logs and call records plays a key role in identifying threats and attacks.
- More importantly, they understand and inspect SIP traffic at a level that traditional network firewalls do not.
- When properly configured, utilized, and secured, SBCs are powerful devices to detect, block, and prevent attacks and intrusions on VVoIP systems, thereby securing the data processed via the VVoIP network.
The NSA VVoIP guidelines on using SBCs for perimeter security
Here’s how the key security recommendations of data-voice separation, access control, encryption, and secure management from the NSA guidelines apply to SBC security.
1. Network separation: Place SBCs in a dedicated demilitarized zone (DMZ) – to ensure separation between logical external gateways and internal capabilities.
Additionally, it’s recommended that you place an SBC in a DMZ – even if you use it only for SIP trunking and connect it only to your carrier.
2. Access control: SBCs that accept registrations from remote users face the same threats as any internet-exposed device. Attackers attempt to register with VoIP systems as legitimate users by trying various combinations of user names and passwords. Control access to your SBCs, for example by tightening URI and User-Agent filters so that requests from unauthorized endpoints are blocked.
3. Cloud posture: Establish secure connections to the cloud by implementing trusted paths and channels that support encryption and two-way authentication such as IPsec, TLS, DTLS, HTTPS, and SSH. Access control mechanisms should be employed to restrict access to the systems hosted in the cloud.
Additionally, dynamically adjust the SBC’s configuration in line with the OEM security guidelines, industry best practices, and the traffic passing through it.
4. Logging and monitoring: Routinely review SBC logs to detect and trace any potential compromise.
Monitor every call that enters or exits the VoIP system via the SBC and block those to or from locations and countries with high incident rates of fraud. However, this isn’t always feasible, especially for organizations with global workforces and customers. Real-time reputation-based filtering is a far more effective solution, but monitoring and analyzing millions of logs and calls is no easy feat. That’s why the guidelines also recommend using fraud detection solutions that audit call data records (CDRs) and can detect fraud in near real-time.
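The access-control and log-review recommendations above can be combined into one check over SBC registration logs. The sketch below is an added example, not taken from the NSA guidelines or from any vendor's product. The log layout, the User-Agent names, and the threshold are assumptions made for illustration, and the sample records are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: "time source method user status user-agent" (hypothetical layout).
SAMPLE_LOG = '''\
2024-05-01T10:00:00Z 203.0.113.10 REGISTER 2001 401 "AcmePhone/2.1"
2024-05-01T10:00:01Z 203.0.113.10 REGISTER 2001 200 "AcmePhone/2.1"
2024-05-01T10:00:05Z 198.51.100.7 REGISTER 1001 401 "AcmePhone/2.1"
2024-05-01T10:00:05Z 198.51.100.7 REGISTER 1002 401 "AcmePhone/2.1"
2024-05-01T10:00:06Z 198.51.100.7 REGISTER 1003 401 "AcmePhone/2.1"
2024-05-01T10:00:06Z 198.51.100.7 REGISTER 1004 403 "AcmePhone/2.1"
2024-05-01T10:01:00Z 192.0.2.55 REGISTER 3001 401 "UnknownClient/0.9"
2024-05-01T10:01:01Z 192.0.2.55 REGISTER 3001 200 "UnknownClient/0.9"
'''
ALLOWED_AGENTS = ("AcmePhone/",)  # hypothetical User-Agent prefixes approved for remote users
LINE_RE = re.compile(r'^(\S+) (\S+) REGISTER (\S+) (\d{3}) "([^"]*)"$')

def review_registrations(log_text, allowed_agents=ALLOWED_AGENTS, max_failed_users=3):
    """Return {source_ip: [reasons]} for sources that warrant a closer look."""
    rejected = defaultdict(set)    # source -> users that drew a 401/403
    registered = defaultdict(set)  # source -> users that reached 200 OK
    odd_agents = defaultdict(set)  # source -> User-Agents outside the allowlist
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a REGISTER record in the assumed layout
        _ts, src, user, status, agent = m.groups()
        if status in ("401", "403"):
            rejected[src].add(user)
        elif status == "200":
            registered[src].add(user)
        if not agent.startswith(tuple(allowed_agents)):
            odd_agents[src].add(agent)
    findings = {}
    for src in sorted(set(rejected) | set(odd_agents)):
        reasons = []
        # A 401 challenge followed by 200 is normal digest authentication, so only
        # users that were rejected and never registered count as failures.
        never_ok = rejected[src] - registered[src]
        if len(never_ok) >= max_failed_users:
            reasons.append(f"credential guessing: {len(never_ok)} users never authenticated")
        if odd_agents[src]:
            reasons.append("unlisted User-Agent: " + ", ".join(sorted(odd_agents[src])))
        if reasons:
            findings[src] = reasons
    return findings

if __name__ == "__main__":
    for src, reasons in review_registrations(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

The source that authenticates normally (challenge, then 200 OK) is not reported, which keeps routine digest authentication from drowning out the sources that cycle through user names.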
VoIP security is complex, considering the rise in telecom fraud and the rapidly evolving nature of threats. The NSA’s guidelines provide a solid foundation of principles for comprehensive security, but ultimately it comes down to how comprehensively and consistently you implement them. It’s important to remember that investing in perimeter security is a small price to pay to keep threats and attackers where they belong – outside your organization.