Unified communications (UC) presents unique security challenges because it brings together disparate technologies. A UC business phone system combines VoIP, video, chat, email and presence together into one unified messaging system. As the technology has become more complex and more accessible from the public Internet, the security threat has increased. In many ways it is easier than ever to attack business communications. Companies must be diligent to protect their communications as they are vital to business operations.
While large businesses can often dedicate substantial resources toward securing their communications, those in the SMB space need security solutions that are both effective and simple to manage. Despite being in a niche field, securing UC as an SMB follows many of the same security best practices that are effective in the enterprise for a variety of technologies. In this slideshow, Digium shares seven best practices that can help SMBs keep communications flowing.
Due to the variety of firewall models and topologies available, giving specific advice is difficult. Here are some practical tips for almost any configuration. For starters, it’s always advisable to place high importance on security. This means being technically familiar with the equipment and its configuration. It is a responsibility that should be taken with the utmost seriousness. When shopping for firewalls, favor those that offer simple configuration and are designed for the SMB.
A good general rule of thumb is to block all unknown traffic into the network and only allow traffic from trusted sources. This strategy doesn’t usually work well for a Web server, but a UC server should absolutely be sequestered behind a firewall. Surprisingly enough, many SMBs do not deploy a firewall. Or they deploy a firewall but open ports to all networks to allow remote users. This is almost the same as having no firewall at all. Although some UC servers have built-in attack mitigation mechanisms, these should not be solely relied upon. A firewall is designed to sort traffic; a UC server is not. Using each device for its intended purpose will keep the network the most secure. With SMBs, managing remote users is better done through a virtual private network (VPN).
Many SMB networking devices, such as routers and firewalls, come with built-in VPN capability. Quality VPN devices are now available at affordable prices. For remote users, and while connecting remote SMB offices, the simplest option is to deploy a VPN device at both ends. The connected devices form an encrypted “tunnel” over the public Internet. This “virtual” network keeps all traffic safe.
VPNs have many benefits: In addition to VoIP, the remote user can access other local network resources such as network shares and intranet Web applications; the traffic is encrypted to maintain privacy; network address translation (NAT) issues are eliminated or diminished; and ports can be opened to all networks because the VPN requires authentication before establishing a connection.
Using strong (system) passwords is an effective, yet often overlooked security measure. Strong passwords should be used for every password required in a UC solution. Business VoIP phones should especially be protected by unique strong Session Initiation Protocol (SIP) passwords. Keep in mind that re-used passwords or weak passwords make it extremely easy for an attacker to get access to SIP credentials. Once authenticated with a SIP account, an attacker can make calls as though they were using that phone – including toll calls that could result in very high fees. Another area of concern is user passwords. If a UC solution requires a user login, then SMBs will want to ensure that they require strong passwords for their users.
A standard security best practice that is almost universal to all technologies is to keep software up to date. As well as obtaining bug fixes, keeping software updated helps improve security. As potential exploits are found, security patches are then released as software updates. The most recent version is typically the most secure.
Whenever a UC server is updated, it is important to follow the best practices for updating. Be aware of what has changed and how the update could impact the system; backing up the system first and performing the update during a scheduled maintenance window also help to ensure users will have access to the system when they need it.
Another standard hardening practice is to turn off any unused services. If a feature is not being used, it should be shut down to lessen the potential attack surface. For example, if voice, video and email communications are being used, but not chat, then it is best to turn off the chat functionality in the UC server. Not only does this improve security, but it will also improve performance, as there will be less protocol traffic on the network and the server will be less taxed because it is doing less work.
Often, attacks go unnoticed until a great amount of damage is done. By regularly reviewing system logs, damage can be mitigated by catching the attack and taking action early. In particular, running regular call log reports on toll calls made by the system can help create a baseline for normal activity. SMBs will then be able to notice when activity exceeds this baseline, signaling that the system has been compromised. SMBs can investigate further by looking at the call logs.
Sometimes SMBs may be able to enlist the help of their upstream provider to notify them after a predetermined limit on toll-based calls is exceeded. Unfortunately, many providers do not offer such features. Instead, it is the responsibility of the SMB to monitor logs and ensure that they are only sending the long distance calls that are intended.
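One way to turn a toll-call report into the baseline check described above, as an added example that is not Digium's code. The CSV column layout, the phone numbers and the threshold parameters (`history`, `sigmas`, `floor`) are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from statistics import mean, pstdev

# Constructed call records with made-up numbers. The column layout is an
# assumption: map it to whatever call log report your UC server exports.
SAMPLE_CDR = """date,extension,destination,seconds,toll
2024-03-04,101,+12565550100,1200,yes
2024-03-04,102,103,300,no
2024-03-05,101,+12565550100,1500,yes
2024-03-06,103,+12565550111,900,yes
2024-03-07,101,+12565550100,1320,yes
2024-03-08,102,+12565550123,1080,yes
2024-03-11,101,+12565550100,1260,yes
2024-03-12,104,+12565550150,21600,yes
2024-03-12,104,+12565550151,18000,yes
"""

def toll_minutes(cdr_text):
    """Return toll minutes per day and per (day, extension)."""
    per_day, per_ext = defaultdict(float), defaultdict(float)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if row["toll"].strip().lower() != "yes":
            continue  # internal and non-toll calls do not count toward the baseline
        minutes = int(row["seconds"]) / 60
        per_day[row["date"]] += minutes
        per_ext[(row["date"], row["extension"])] += minutes
    return dict(per_day), dict(per_ext)

def find_spikes(per_day, history=5, sigmas=3.0, floor=10.0):
    """Flag days above mean + max(sigmas * stdev, floor) of the last `history` normal days."""
    normal, alerts = [], []
    for day in sorted(per_day):
        window = normal[-history:]
        if len(window) == history:
            threshold = mean(window) + max(sigmas * pstdev(window), floor)
            if per_day[day] > threshold:
                alerts.append((day, per_day[day], round(threshold, 1)))
                continue  # keep the spike out of the baseline
        normal.append(per_day[day])
    return alerts

def top_extensions(per_ext, day):
    """Extensions ranked by toll minutes on `day`: where to start in the call logs."""
    rows = [(ext, mins) for (d, ext), mins in per_ext.items() if d == day]
    return sorted(rows, key=lambda r: r[1], reverse=True)
```

On the constructed data, `find_spikes` flags only 2024-03-12, and `top_extensions` points at extension 104 as the account to investigate first.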
The best way to secure UC devices is to use dedicated security equipment, like VPNs and firewall routers. However, taking advantage of built-in security tools can add an extra level of protection. The blocked IPs tool will block IP addresses that fail multiple registration attempts. In theory, a properly configured firewall should prevent SIP scanners from being able to reach a UC server; however, this additional level of security adds peace of mind and works as a functional backup to round out a security suite.
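The logic behind a block-on-failed-registration rule, sketched as an added example; it is not the blocked IPs tool's implementation. The log format, the threshold of three failures in ten minutes and the trusted `10.0.0.0/8` range are assumptions, and the addresses come from documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed log lines; the format is an assumption, not any product's real log.
SAMPLE_LOG = """\
2024-03-12 02:14:01 REGISTER failed ext=100 src=203.0.113.45
2024-03-12 02:14:02 REGISTER failed ext=101 src=203.0.113.45
2024-03-12 02:14:03 REGISTER failed ext=102 src=203.0.113.45
2024-03-12 02:14:04 REGISTER failed ext=103 src=203.0.113.45
2024-03-12 08:30:10 REGISTER failed ext=210 src=198.51.100.7
2024-03-12 08:30:40 REGISTER ok ext=210 src=198.51.100.7
2024-03-12 09:00:00 REGISTER failed ext=215 src=10.0.0.23
2024-03-12 09:00:30 REGISTER failed ext=215 src=10.0.0.23
2024-03-12 09:01:00 REGISTER failed ext=215 src=10.0.0.23
"""
LINE = re.compile(r"^(\S+ \S+) REGISTER (failed|ok) ext=(\d+) src=(\S+)$")

def evaluate(log_text, max_failures=3, window=timedelta(minutes=10),
             trusted=("10.0.0.0/8",)):
    """Return (blocked, review): sources to block and trusted sources to inspect."""
    trusted_nets = [ip_network(n) for n in trusted]
    recent = defaultdict(deque)  # src -> (timestamp, extension) of recent failures
    blocked, review = {}, {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(2) != "failed":
            continue  # successes are ignored; they never reset a failure count
        src = m.group(4)
        if src in blocked or src in review:
            continue  # already decided for this source
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        q = recent[src]
        q.append((ts, m.group(3)))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            hit = {"at": str(ts), "extensions": sorted({e for _, e in q})}
            is_trusted = any(ip_address(src) in n for n in trusted_nets)
            # A trusted LAN source is more likely a misconfigured phone than
            # a scanner, so it is reported for review instead of blocked.
            (review if is_trusted else blocked)[src] = hit
    return blocked, review
```

A source that fails against several different extensions in seconds, like 203.0.113.45 in the sample, is the scanner pattern; repeated failures on one extension from the LAN usually mean a phone holding a stale password.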