Industry View
Industry View | VoIP Security
Bob Bradley of Sonus Networks provides practical tips for mitigating VoIP security risks
Limited encryption. In a VoIP system, standard calls are open text, so it is easier for a nefarious individual to intercept call setup and content information and obtain the significant details of a given conversation. It is important that organizations mitigate this risk with strong encryption, especially for certain phone lines over which confidential information will be exchanged, for example, between the CEO and the CFO.
Best Practices for Securing VoIP Networks
Here are some of the most commonly asked questions about designing a security plan for VoIP networks.
Where to begin?
Most organizations have developed security best practices and policies, but these policies are often not extended to cover protection of the IP network. Because there are specific issues that must be addressed to ensure VoIP is adequately protected, enterprises must also conduct a risk audit that will provide them with the information needed to secure the VoIP network.
Today, there is excellent guidance readily available to CSOs and CISOs from standards bodies (ANSI, 3GPP, ETSI, ISO), industry consortia (VoIP Security Alliance) and government agencies (NIST) on how to define and augment existing security practices to support VoIP and other session-style traffic (IM, video) in the enterprise. In many cases, the proposed best practices may already be in place, and additional investments may be as simple as extending the existing corporate security policy. Another possibility is an infrastructure change based on a VoIP-aware vulnerability assessment of all core network elements, includingswitches, routers and firewalls. Once a policy is created or updated and associated risks are identified, there are multiple paths for information security managers to take to meet their goals.
What are the options?
As in the pure data-only world, VoIP security can be achieved either through internal sources or via managed outsourcing. Carriers are beginning to offer to both enterprise-level customers and small or medium-size businesses the option of outsourcing the provisioning, deployment and ongoing monitoring of VoIP equipment on their behalf. VoIP elements such as Class 5 feature servers, registrars, IP PBXs and the network border switches (or firewalls) can be managed either at the customer premise or as a hosted service, with these elements residing in the carrier's administrative domain. Often this boils down to a matter of scope, cost and resource constraints on the end user's side.
For those businesses that plan to manage security internally, they can extend their existing infrastructure while maintaining a layered, defense-in-depth approach. The first component deployed is often a secure IP-edge element, such as a network border switch. The network border switch represents the evolution of legacy session border controller (SBC) appliances by their integration of security, call control, media support, scalability and performance.
$firstKeyword
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
