By 2025, cybercrime will make more money than the global illegal drug trade. And given how the VoIP market is slated to grow (a 15% CAGR), it’s easy to see why it’s going to be a hotbed of cybercrime activity. This explains why premier security agencies like the NSA are focused on making VVoIP security a priority.
The NSA’s VVoIP security guidelines are a must-know for the modern cybersecurity professional. Through this educational mini-series, we aim to decode them so you have an informed understanding of what they say and how they apply to your VoIP systems.
Last week, we spoke about the four major areas the guidelines focused on. Today, we go deeper, to get to the 5 core principles that lie at the center of these guidelines.
The 5 core principles of the NSA VVoIP security guidelines
A quick recap: The four areas the NSA guidelines focus on:
- Enterprise session controllers
However, if you looked closely at all the risk mitigation approaches that the guidelines recommend, they boil down to five fundamental principles. Here’s what they are:
1. Network separation
Keep your voice/video and data networks separate:
- A key idea is separating UC/VVoIP systems and data systems. Virtual local area networks (VLANs) allow multiple networks to use the same physical layers (e.g., switches, routers) but remain logically separated.
- Use VLANs to separate voice and video traffic from data traffic. Ensure that voice admin logins are accessible only through a VLAN.
- Place network devices such as PCs, file servers, and email servers that don’t specifically support VVoIP on a separate VLAN. Place VVoIP servers in a different VLAN depending on the VVoIP protocol they implement.
- Use separate DMZs (demilitarized zones) for voice and data.
2. Access limitation
Make it as hard as possible for outsiders to access your VoIP systems:
- Dividing the network into multiple VLANs is useless if the traffic to them is not restricted.
- Tighten the session manager to allow logins only from authorized User Agents (on endpoints). Use access control lists and routing rules to limit access to devices across VLANs.
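The first two principles can be checked together by auditing an exported rule set for permits that cross VLAN boundaries. The following is an added example, not part of the NSA guidelines or any vendor's tooling; the VLAN names, subnets, management VLAN, port 443 admin interface and ACL tuple format are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed VLAN plan (assumption): names and subnets are illustrative only.
VLANS = {
    "voice": ipaddress.ip_network("10.10.0.0/24"),
    "video": ipaddress.ip_network("10.20.0.0/24"),
    "data": ipaddress.ip_network("10.30.0.0/24"),
    "mgmt": ipaddress.ip_network("10.99.0.0/28"),
}

# Assumed policy: allowed cross-VLAN flows as (src VLAN, dst VLAN, dst port).
ALLOWED = {("mgmt", "voice", 443), ("mgmt", "video", 443)}

# Constructed ACL export: (action, source CIDR, destination CIDR, port or None = any).
ACL = [
    ("permit", "10.99.0.0/28", "10.10.0.0/24", 443),  # admin UI from mgmt
    ("permit", "10.30.0.0/24", "10.10.0.0/24", 443),  # data PCs reach voice admin
    ("permit", "0.0.0.0/0", "10.20.0.0/24", None),    # anything reaches video
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

def vlans_in(cidr):
    """Names of the VLANs whose subnet overlaps the given CIDR."""
    net = ipaddress.ip_network(cidr)
    return [name for name, subnet in VLANS.items() if net.overlaps(subnet)]

def has_default_deny(acl):
    """True when the last rule denies everything not matched earlier."""
    return bool(acl) and acl[-1] == ("deny", "0.0.0.0/0", "0.0.0.0/0", None)

def audit(acl):
    """Return (rule index, src VLAN, dst VLAN, scope) for each permit that
    lets traffic cross VLANs outside ALLOWED. Rule order is ignored, so a
    permit shadowed by an earlier deny is still reported (conservative)."""
    findings = []
    for idx, (action, src, dst, port) in enumerate(acl):
        if action != "permit":
            continue
        for s in vlans_in(src):
            for d in vlans_in(dst):
                if s != d and (port is None or (s, d, port) not in ALLOWED):
                    scope = "any port" if port is None else f"port {port}"
                    findings.append((idx, s, d, scope))
    return findings

if __name__ == "__main__":
    print("default deny present:", has_default_deny(ACL))
    for finding in audit(ACL):
        print("rule %d lets %s reach %s on %s" % finding)
```

The audit only looks at flows between the listed VLANs; sources outside every VLAN (for example, the internet side of a DMZ) need a separate zone entry to be reported.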
3. VoIP perimeter security
Deploy and monitor Session Border Controllers (SBC) effectively. Session Border Controllers are critical for ensuring that traffic entering and exiting the UC/VVoIP network conforms to call signaling protocol standards.
Deploy an SBC to monitor UC/VVoIP traffic at the perimeter and between service provider networks. Place an SBC in a DMZ even if it is connected only to the carrier. Use threat detection solutions to audit call data records (CDRs). Even better, continuously monitor the traffic going through your SBC and review and modify its configuration accordingly.
4. Encryption and authentication
Have systems in place to detect spoofing, impersonation, and eavesdropping attacks. Encrypt and authenticate all signaling and media traffic to prevent eavesdropping and impersonation, and use multi-factor authentication for access to UC/VVoIP servers.
While this is an important step, encryption and authentication are not always enough to detect complex attacks. Monitor calls to and from your VoIP network via the SBC to detect and analyze abnormal or suspicious patterns.
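Auditing CDRs and watching for abnormal call patterns, as principles 3 and 4 recommend, can start with a couple of simple rules run over an SBC's call records. The following is an added example, not code from the guidelines or from any product; the CSV column layout, phone numbers, thresholds, home prefix and off-hours range are constructed assumptions.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CDR sample; column layout and site-local timestamps are assumptions.
CDR_CSV = """start,caller,callee,duration_s
2024-03-04T02:10:05,+14155550101,+442079460001,612
2024-03-04T02:14:40,+14155550101,+442079460002,598
2024-03-04T09:00:01,+14155550123,+14155550199,4
2024-03-04T09:00:09,+14155550123,+14155550199,3
2024-03-04T09:00:17,+14155550123,+14155550199,5
2024-03-04T09:00:25,+14155550123,+14155550199,2
2024-03-04T09:00:33,+14155550123,+14155550199,4
2024-03-04T10:30:00,+14155550150,+14155550160,240
2024-03-04T14:05:00,+14155550150,+442079460003,300
"""

BURST_CALLS, BURST_WINDOW = 5, timedelta(seconds=60)  # assumed thresholds
HOME_PREFIX, OFF_HOURS = "+1", range(0, 6)  # assumed: 00:00-05:59 local

def load(text):
    """Parse CDR rows and return them sorted by start time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["start"] = datetime.fromisoformat(r["start"])
    return sorted(rows, key=lambda r: r["start"])

def bursts(rows):
    """Callers with BURST_CALLS or more calls inside any BURST_WINDOW."""
    by_caller = defaultdict(list)
    for r in rows:
        by_caller[r["caller"]].append(r["start"])
    flagged = set()
    for caller, times in by_caller.items():
        lo = 0  # left edge of the sliding window
        for hi, t in enumerate(times):
            while t - times[lo] > BURST_WINDOW:
                lo += 1
            if hi - lo + 1 >= BURST_CALLS:
                flagged.add(caller)
    return flagged

def off_hours_international(rows):
    """(caller, callee) pairs dialled outside HOME_PREFIX during OFF_HOURS."""
    return [(r["caller"], r["callee"]) for r in rows
            if r["start"].hour in OFF_HOURS and not r["callee"].startswith(HOME_PREFIX)]

if __name__ == "__main__":
    rows = load(CDR_CSV)
    print(bursts(rows), off_hours_international(rows))
```

Fixed thresholds like these only catch the obvious cases; the values should be derived from a baseline of your own traffic and reviewed as that traffic changes.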
5. Vulnerability patching and physical protection
Keep systems up-to-date and hard to reach:
- Keep systems up to date via timely patching.
- Verify and harden the security of devices before you add them to the network. For physical protection of critical network components, use electronic means (identification cards, biometrics, etc.) to control physical access to secure areas with VVoIP infrastructure.
- Maintain backups of software configurations and installations to ensure uptime and availability.
Change, Choice, and Principles
There are three constants in life: change, choice, and principles - Stephen Covey
It’s quite the same for cybersecurity.
- The threat landscape is constantly changing
- There are choices to make at every stage.
Solid foundational principles make navigating both easier — and that’s just what the NSA guidelines help you with. We hope you find this distillation of VoIP security principles useful and helpful.
Next week, we’ll talk about perimeter security and how managing the security of your VoIP perimeter is a truly pro-‘active’ approach to security.