VOIP Security

VOIP Security - Secure SIP



 

Would you be concerned if corporate sensitive data was leaked from voice data hacking? 


Do not make the assumption that your telephone, PBX, SIP, RTP, VoIP network providers cover security. 


> Protection for phone hacking

> VoIP calls and voicemail messages are data, susceptible to data network attacks.

> Secure VOIP for small, medium & enterprise




A bit about VOIP

Organisations implement VOIP because it presents significant cost savings versus PSTN services.

Whether you use a hosted IP phone service or an on-site VoIP system, protecting the voice network is much like protecting the data network. The security policies and compliance requirements still apply.

When most people hear the term VoIP, they imagine a hosted VoIP solution where the vendor hosts and operates the PBX functionality that manages call handling, voicemail and other applications. The customer’s IP-enabled phones connect to the Internet and ultimately to the vendor’s servers and software. This, however, is just one type of VoIP deployment.

SIP trunking delivers telephone services and unified communications to customers with SIP-enabled PBX and unified communications solutions. In this case, call management, voicemail, auto attendants and other services are provided by the PBX. The SIP trunks provide the connection between the PBX and the public telephone network, replacing the need for legacy telephone lines. This gives businesses the ability to select the IP-PBX hardware and software that works best for them, while freeing them from the expense and inflexibility of traditional phone lines and carrier relationships.

There really is no such thing as SIP vs. VoIP. SIP is an industry standard method of achieving VoIP. Businesses looking to improve their communications and reduce cost by moving to VoIP should carefully consider each of the ways it can be deployed, including SIP trunking, and select the one that provides the greatest benefit for them.




The Challenge
 

VOIP Hacking

This is the practice of gaining access and control over computer telephony systems (IP-PBX).

There are tools specifically designed to attack IP-PBX systems.


What kind of problems can VOIP hacking present an organisation?


  • Toll Fraud: once a hacker has access, the common scenario is that the system is then programmed to dial premium-rate phone numbers over the SIP channels and rack up many thousands of pounds' worth of phone calls.
  • Denial of Service Attack: sending many thousands of calls in a short period of time in an attempt to crash or exploit a bug in software or place the network under a heavy load.
  • Voicemail Hacks and Eavesdropping (turning phones in conference rooms into fully equipped bugging devices)



A strong motivation for VOIP hacking
The motivation is that it is very easy to extract cardholder data from VoIP calls if you have access to the data stream. Wireshark, a free and extremely powerful tool and the favourite of anyone who works with networks, provides the ability to easily capture network data and to extract voice calls from that data. With VoIP calls, DTMF signals are normally encoded out of band using RFC 2833 data (to avoid issues caused by the compression of audio), and Wireshark will pick these up, as shown in the picture below:



It is also very easy to create a recording of the call from Wireshark as shown in this example screen grab:
 

PCI DSS Compliance


Part of PCI DSS Requirement 4:  Call centers will need to ensure that transmission of cardholder data across public networks is encrypted.
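A defender's check for the exposure described above, added here as an example and not taken from the original page: it reads the SDP body of a SIP offer or answer and flags audio streams that negotiate RFC 2833 telephone-events over plain RTP rather than SRTP. The function names and the SDP samples are constructed for illustration.

```python
# Added example (not from the original page): flag SDP audio streams that would
# carry RFC 2833 DTMF over unencrypted RTP. SDP samples below are constructed.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def keying_of(attr):
    """Map an SDP attribute to the SRTP keying method it signals, if any."""
    if attr.startswith("crypto:"):
        return "SDES"
    if attr.startswith("fingerprint:"):
        return "DTLS-SRTP"
    return None

def audit_sdp(sdp):
    """Return one finding per active audio m= section of an SDP body."""
    findings, current, session_keying, in_media = [], None, None, False
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            in_media, current = True, None
            fields = line[2:].split()
            port = int(fields[1].split("/")[0]) if len(fields) >= 3 else 0
            if port != 0 and fields[0] == "audio":      # port 0 = stream declined
                current = {"port": port, "profile": fields[2].upper(),
                           "dtmf_events": False, "keying": session_keying}
                findings.append(current)
        elif line.startswith("a="):
            attr = line[2:]
            if not in_media:                            # session-level attribute
                session_keying = keying_of(attr) or session_keying
            elif current is not None:
                current["keying"] = keying_of(attr) or current["keying"]
                if attr.lower().startswith("rtpmap:") and "telephone-event/" in attr.lower():
                    current["dtmf_events"] = True
    for f in findings:
        f["encrypted"] = f["profile"] in SECURE_PROFILES and f["keying"] is not None
        f["dtmf_exposed"] = f["dtmf_events"] and not f["encrypted"]
    return findings

# Constructed samples, trimmed to the lines the audit reads.
CLEAR_OFFER = """v=0
m=audio 40000 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
"""
SRTP_OFFER = """v=0
m=audio 40002 RTP/SAVP 0 101
a=rtpmap:101 telephone-event/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY
"""
for name, body in (("clear", CLEAR_OFFER), ("srtp", SRTP_OFFER)):
    print(name, audit_sdp(body))
```

SDES keys in `a=crypto` lines are only confidential when the SIP signalling itself runs over TLS, so a clean result here should be paired with a check that signalling is encrypted.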


Security from pure breed products or telephony products?

The market is very fragmented, with plenty of partial remedies but no single encompassing solution:


  • Telephony Gateway doing something about Security
  • Telephony PBX with some Security feature
  • Security Gateway doing something about Telephony


Considerations 
Does your PBX provider offer any end-to-end encryption of your VOIP traffic?




Solution Features & Benefits

 


> Protect client, employee, case and corporate sensitive IP (Intellectual Property) data

> PCI compliance for credit card info over VOIP

> Prevent DDoS and Toll Fraud.

> VoIP Security

> Solve traditional NAT issues

> Seamlessly integrates mobile workers and teleworkers with the main office

> Multi-branch VoIP networking cost-effectively connects multiple locations, around the corner or around the world

> Integrated QoS (Quality of Service)

> Compliance:
ISO27001 and compliant with Payment Card Industry Data Security Standard (PCI DSS) - accept secure card payments over the phone from clients.


> Encryption:
VOIP / SIP traffic encryption


> IPS protection:
Identifying packets with protocol anomalies


> Call Inspection: 

Caller and recipient addresses are where they claim to be

Caller and recipient are allowed to make and receive VoIP calls



> Audit & Reporting:

Generate detailed logs with packet captures on VoIP security events








Contact us today to discuss your requirements in more detail.



P: +44(0)7714 209927

S: +44(0)1273 329753

info@securenetconsulting.co.uk