Securing a customer’s IP phone network protects both the reputation and financial state of their business.
Phone fraud is a big business. A single breach of an IP phone network can cost your customers thousands of pounds in the span of a few hours. The fraud is executed by hackers who breach weak or non-existent security on an IP phone network. The hacker then uses a corporate PBX to place multiple toll calls. As these calls are placed from a corporate PBX, the provider charges the business that owns the PBX for the calls that were made. In almost all cases, the business is legally obliged to pay for those calls. The problem of phone fraud is no longer something that businesses can afford to ignore.
Practice makes perfect
The first big step towards securing your customers’ IP phone networks is starting to treat your SIP network traffic the same as you would any other network service. Every business has best practices and policies that govern general network access, email, web surfing and mobile devices. Make sure your customers have the same in place for their SIP services.
Before businesses moved from analogue phones to IP phone networks, chances are that employees could not access anything relating to their phones from the corporate computer network. Why should they be able to access the phone network now simply because its underlying protocol has changed? The best possible configuration is to have physically separate phone and data networks. If this isn’t realistic, VLANs can separate traffic. No data should be able to traverse between the two networks without passing through a network security device.
Standard network firewalls are no longer adequate to handle the security of voice traffic. At the very least, network security devices should be SIP-aware. Ideally, a Session Border Controller (SBC) should be used to secure and control access to SIP services. In addition to providing security for SIP services, an SBC can also allow for interoperability with other communications services and often improves performance.
The path less travelled
Traffic that doesn’t have to pass across the public internet is better protected than traffic that does. If your SIP trunk provider offers connectivity services in addition to their voice services, it may be possible for SIP traffic to be routed over a private network from the IP phone network all the way to the provider’s SIP servers. This traffic cannot be intercepted or misdirected by someone with malicious intent.
Sharing is caring
Select a provider who cares about SIP trunk security as much as you do. Many providers have services that will limit exposure to fraudulent activities. These services include:
› Geographical limiting, blocking calls to countries that you specify
› Call type limiting, blocking calls to toll or pay-per-use number ranges
› Volume limiting, blocking all calls if a certain threshold of calling minutes is reached in a given timeframe
Selecting a provider who is willing to share the burden of SIP trunk security with you ensures that your clients’ financial exposure is minimal even if a breach does occur.
An ounce of prevention
Ignoring the security of IP phone networks is likely to be a costly mistake. Spending some time now to protect your customers’ voice networks can provide them with better uptime and higher call quality. Most importantly, it will provide you with greater customer satisfaction.