The Dos and Don'ts of Securing Your VoIP Communications
With workplaces moving to a much more distributed model due to the pandemic, voice over IP communications need to be better secured. We discuss how to secure VoIP system with an expert from RingCentral.
Rob Marvin
By Rob Marvin
Voice-over-IP (VoIP) is one of the most cost-effective network solutions a small business can purchase, but you can quickly take a bite out of those savings if you don't enter into it with your eyes open. Understanding all the aspects of voice as they pertain to running on a data network is key to successfully deploying this technology. One of the most important aspects of VoIP, yet one that's very often given short shrift in deployment projects and planning sessions, is security.
That can be an exceptionally bad mistake these days for several reasons. First, many businesses are moving to a much more distributed networking model due to the pandemic. Users are working from home and for many companies that move may become permanent. That means your clean and consolidated office network is now connected to a potential rat's nest of home networks with unknown routers running unknown (and often default) settings, as well as connecting to a hodgepodge of personal, unmanaged devices. That can affect not only VoIP performance (meaning the clarity of a conversation), but also security across both password protection and traffic integrity.
This leads into the other problem with a distributed VoIP architecture. Most VoIP providers these days have some form of unified communications as a service (UCaaS) software client, or softphone. This isn't just a phone that runs on your PC or mobile device, though that's the most popular usage at many companies. For many providers, like RingCentral's Glip, these tools combine phone capabilities with text-based chat, shared meetings, video conferencing, scheduling, as well as file sharing and data transfer features among others. Managing security for such powerful apps is critical.
Voice-over-IP (VoIP) is one of the most cost-effective network solutions a small business can purchase, but you can quickly take a bite out of those savings if you don't enter into it with your eyes open. Understanding all the aspects of voice as they pertain to running on a data network is key to successfully deploying this technology. One of the most important aspects of VoIP, yet one that's very often given short shrift in deployment projects and planning sessions, is security.
That can be an exceptionally bad mistake these days for several reasons. First, many businesses are moving to a much more distributed networking model due to the pandemic. Users are working from home and for many companies that move may become permanent. That means your clean and consolidated office network is now connected to a potential rat's nest of home networks with unknown routers running unknown (and often default) settings, as well as connecting to a hodgepodge of personal, unmanaged devices. That can affect not only VoIP performance (meaning the clarity of a conversation), but also security across both password protection and traffic integrity.
This leads into the other problem with a distributed VoIP architecture. Most VoIP providers these days have some form of unified communications as a service (UCaaS) software client, or softphone. This isn't just a phone that runs on your PC or mobile device, though that's the most popular usage at many companies. For many providers, like RingCentral's Glip, these tools combine phone capabilities with text-based chat, shared meetings, video conferencing, scheduling, as well as file sharing and data transfer features among others. Managing security for such powerful apps is critical.
Whether it's ensuring secure user authentication and network configuration or enabling end-to-end encryption in all VoIP communication and data storage, organizations need to be diligent in both overseeing IT management and working closely with their business VoIP provider to ensure that security requirements are being met and enforced.
Michael Machado, Chief Security Officer (CSO) at RingCentral, oversees security for all of RingCentral's cloud and VoIP services. Machado has spent the past 18 years in IT and cloud security, first as a security architect and operations manager at WebEx , and then at Cisco after the company acquired the video conferencing service.
Security considerations in your company's VoIP communications start in the research and buying stage before you even select a VoIP provider, and persist through implementation and management. Machado walked through the entire process from a security perspective, stopping to explain plenty of do's and don'ts for businesses of all sizes along the way.
Selecting Your VoIP Provider
DON'T: Neglect the Shared Security Model
Whether you're a small business or a large enterprise, the first thing you need to understand—independent even of VoIP and Unified Communications-as-a-Service (UCaaS)—is that all cloud services in general need to have a shared security model. Machado said that, as the customer, your business always shares some responsibility in the secure implementation of all the cloud services you're adopting.
"It's key for customers to understand, especially when a company is smaller and has fewer resources," said Machado. "People think VoIP is a mechanical device connected to a copper line. It's not. A VoIP phone, whether it's a physical handset, a computer with software running or it, a mobile app, or a softphone application, it's not the same thing as a mechanical phone plugged into the PSTN [public switch telephone network]. It's not like a regular phone—you're going to have some responsibility for making sure the security has a closed loop between the customer and vendor."
DO: Vendor Due Diligence
Once you understand that shared responsibility and want to adopt a cloud VoIP service, it makes sense to do your due diligence when selecting your vendor. Depending on your size and the expertise you have on staff, Machado explained how enterprises and small to midsize businesses (SMBs) can go about this in different ways.
"If you're a large company that can afford to spend the time on due diligence, you can come up with a list of questions to ask every vendor, review their audit report, and have a few meetings to discuss security," said Machado. "If you're a small business, you might not have the expertise to analyze a [Service Organization Control] SOC 2 audit report or the time to invest in a heavy lift discussion.
"Instead, you can look at things like Gartner's Magic Quadrant report, and look to see if they have a SOC 1 or SOC 2 report available, even if you don't have the time or expertise to read through and understand it," Machado explained. "The audit report is a good indication of companies making a strong investment in security versus companies that are not. You can also look for a SOC 3 report in addition to SOC 2. It's a lightweight, certification-like version of the same standards. These are the things you can look for as a small business to start moving in the right direction on security."
DO: Negotiate Security Terms in Your Contract
Now you're at the point where you've selected a VoIP vendor and you're considering the possibility of making a buying decision. Machado recommended that, whenever possible, businesses should try to get explicit security agreements and terms in writing when negotiating a contract with a cloud vendor.
"Small company, big company, it doesn't matter. The smaller the company, the less power you'll have to negotiate those specific terms but it's a 'don't ask, don't get' scenario," said Machado. "See what you can get in your vendor agreements with regards to security obligations from the vendor."
Implementing VoIP Security
DO: Use Encrypted VoIP Services
When it comes to deployment, Machado said there's no excuse for a modern VoIP service to not offer end-to-end encryption. Machado recommended that organizations look for services that support Transport Layer Security (TLS) or Secure Real-Time Transport Protocol (SRTP) encryption, and that do it, ideally, without upselling for core security measures.
"Don't always go for the cheapest service; it can be worthwhile to pay a premium for a more secure VoIP. Even better is when you don't have to pay a premium for security in your cloud services," said Machado. "As a customer, you should just be able to enable encrypted VoIP and off you go. It's also important that the provider is using not just encrypted signaling, but also encrypting media at rest. People want their conversations to be private, not traversing the internet with plain text voice. Make sure your vendor will support that level of encryption and that it's not going to cost you more."
DON'T: Mix Your LANs
On the network side of your deployment, most organizations have a mix of handsets and cloud-based interfaces. Many employees may just be using a VoIP mobile app or softphone, but there will often be a mix of desk phones and conference phones connected to the VoIP network as well. Machado said it's crucial not to mix form factors and connected devices within the same network design.
"You want to set up a separate voice LAN. You don't want your hard-voice phones co-mingling on the same network with your workstations and printers. That's not good network design," said Machado. "If you go that route, there are problematic security implications down the line. There's no reason for your workspaces to be talking to one another. My laptop doesn't need to talk to yours; it's not the same as a server farm with applications talking to databases."
Instead, Machado recommends…
DO: Set Up Private VLANs
A private VLAN (virtual LAN), as Machado explained, lets IT managers better control their networks because it effectively segments a specific kind of traffic (in this case VoIP) onto its own network. While there are other ways to keep your VoIP traffic protected with regards to congestion from other app traffic running over your network (we're talking about Quality of Service (QoS) here), separating VoIP traffic is the goal and nothing keeps traffic separate like putting it on its own network. The private VLAN acts as a single access and uplink point to connect the device to a router, server, or network.
"From an endpoint security architecture perspective, private VLANs are a good network design because they give you the ability to turn on this feature on the switch that says 'this workstation can't talk to the other workstation.' If you have your VoIP phones or voice-enabled devices on the same network as everything else, that doesn't work," said Machado. "It's important to set up your dedicated voice LAN as part of a more privileged security design."
DON'T: Leave Your VoIP Outside the Firewall
Your VoIP phone is a computing device plugged into Ethernet or your Wi-Fi network. As a connected endpoint, Machado said it's important for customers to remember that, just like any other computing device, it also needs to be behind the corporate firewall.
"The VoIP phone has a user interface [UI] for users to log in and for admins to do system administration on the phone. Not every VoIP phone has firmware to protect against brute-force attacks," said Machado. "Your email account will lock after a few attempts, but not every VoIP phone works the same way. If you don't put a firewall in front of it, it's like opening that web application to anyone on the internet who wants to script a brute force attack and log in."
For companies faced with deploying such devices in workers' homes, this process is necessarily more complicated. First, consider mandating a softphone instead of going to the trouble of shipping out a slew of handsets. With a cheap pair of headphones equipped with microphones, softphones are every bit as effective and easy to use as a regular phone. They're also on a PC or mobile device that's probably connected wirelessly to the home network, which means it'll automatically be behind the home router's firewall.
However, IT should make it a point to ensure that every home wireless router not only implements a firewall, but does so in a VoIP friendly way. That means some testing for IT staffers across different router devices, but once that's done they should be able to help home users implement the proper settings fairly quickly over the phone.
VoIP Service Management
DO: Change Your Default Passwords
Regardless of the manufacturer from which you receive your VoIP handsets, the devices will ship with default credentials like any other piece of hardware that comes with a web UI. To avoid the kind of simple vulnerabilities that led to the Mirai botnet DDoS attack, Machado said the easiest thing to do is simply to change those defaults.
"Customers need to take proactive steps to secure their phones," said Machado. "Change the default passwords immediately or, if your vendor manages the phone endpoints for you, make sure they're changing those default passwords on your behalf."
DO: Keep Track of Your Usage
Whether it's a cloud phone system, on-premises voice system, or a private branch exchange (PBX), Machado said that all VoIP services have an attack surface and eventually may get hacked. When that happens, he said one of the most typical attacks is an account takeover (ATO), also known as telecom fraud or traffic pumping. This means that, when a VoIP system is hacked, the attacker tries to place calls that cost that owner money. The best defense is to keep track of your usage.
"Say you're a threat actor. You've got access to voice services and you're trying to make calls out. If your organization is watching its usage, you'll be able to spot if there's an unusually high bill or see something like a user on the phone for 45 minutes with a location that no employees have any reason to call. It's all about paying attention," said Machado.
"If you're 'cloud-ifying' this (meaning, not using a traditional PBX or on-premises-only VoIP), then have a conversation with your service provider asking what you're doing to protect me," he added. "Are there knobs and dials I can turn on and off with regards to service? Are you doing back-end fraud monitoring or user behavior analytics looking for anomalous usage on my behalf? These are important questions to ask."
DON'T: Have Over-Broad Security Permissions
On the subject of usage, one way to cap potential ATO damage is to turn off permissions and features you know your business doesn't need, just in case. Machado gave international calling as an example.
"If your business doesn't need to call all parts of the world, then don't turn on calling to all parts of the world," he said. "If you only do business in the US, Canada, and Mexico, do you want every other country available for calling or does it just make sense to shut it off in the case of ATO? Don't leave any over-broad permissions for your users for any technology service, and anything that's not necessary for your business use qualifies as over-broad."
DON'T: Forget About Patching
Patching and keeping current with updates is critical with any kind of software. Whether you're using a softphone, VoIP mobile app, or any kind of hardware with firmware updates, Machado said this one's a no-brainer.
"Are you managing your own VoIP phones? If the vendor releases firmware, test and deploy it quickly—these often deal with patches of all types. Sometimes, security patches come from a vendor managing the phone on your behalf so, in that case, be sure to ask who controls patching and what the cycle is," said Machado.
Patching is also critical for the slew of home routers to which your network will likely be connecting in a distributed deployment. The best-case scenario is to control the brand and model of these routers so IT can automate the patching process and verify that each device is in compliance. If that can't happen, however, the next step is constant user communication and scheduled phone help to aid home users in updating their routers themselves.
DO: Enable Strong Authentication
Strong two-factor authentication and investing in heavier identity management is another smart security practice. Beyond just VoIP, Machado said authentication is always an important factor to have in place.
"Always turn on strong authentication. That's not any different if you're logging into your cloud PBX or your email or your CRM. Look for those features and use them," said Machado. "We're not just talking about phones on your desk; we're talking about web applications and all the different parts of the service. Understand how the pieces come together and secure each piece in turn."
