How to use 25 methods to build VoIP network security

Here are 25 ways to protect VoIP:

1. Restrict all VoIP data to be transmitted to only one VLAN

Cisco recommends that you separate VLANs for voice and data, which helps to prioritize voice and data. Dividing VLANs also helps prevent cost fraud, DoS attacks, eavesdropping, and hijacking communications. The division of VLAN makes the user's computer form an effective closed circle. It does not allow any other computer to access its equipment, thus avoiding computer attacks, and the VoIP network is quite safe; even if it is attacked, it will lose drop to lowest.

2. Monitor and track the communication mode of the VoIP network

Monitoring tools and intrusion detection systems can help users identify those attempts to invade a VoIP network. Observing the VoIP logs in detail can help to discover some irregularities, such as inexplicable international calls or international calls that the company or organization basically does not contact, multiple login attempts to crack passwords, and a surge in voice.

3. Protect the VoIP server

Effective measures must be taken to ensure the security of the server to prevent intruders from inside or outside from intercepting data using sniffing technology. Because the VoIP phone has a fixed IP address and MAC address, it is easy for attackers to sneak in accordingly. It is recommended that users restrict IP and MAC addresses, do not allow casual access to the super user interface of the VoIP system, and establish another firewall in front of the SIP gateway, which will limit the intrusion into the network system to a certain extent.

4. Use multiple encryption

It is not enough to encrypt only the data packets sent. All telephone signals must be encrypted. Dialogue encryption will prevent the interceptor's voice from being inserted into the user's conversation. In this regard, the SRTP protocol can encrypt endpoint communication, and TLS can encrypt the entire communication process. Voice transmission encryption should be supported by providing strong protection at the gateway, network, and host levels.

5. Establish a redundant mechanism for VoIP networks

Always be prepared to be attacked by viruses and DoS, which may cause the network system to be paralyzed. Construct a network system capable of setting up multiple nodes, gateways, servers, power supplies, and call routers, and interconnect with more than one supplier. Regularly test each network system to ensure that it is working well. When the main service network is down, the backup facility can quickly take over the work. 6. Put the device behind the firewall

Establish separate firewalls so that communication across VLAN boundaries is limited to available protocols. In case the client is infected, this will prevent viruses and Trojans from spreading to the server. After the establishment of a separate firewall, the maintenance of the system security policy will also become simple. When needed, the firewall must be properly configured to open or close certain ports.

7. Update patches regularly

The security of a VoIP network depends on both the underlying operating system and the application software running on it. It is very important to keep the operating system and VoIP application software patches updated in time to prevent malicious programs or infectious program codes.

8. Separate the internal network from the Internet

It is a good choice to put the telephone management system and the network system outside the direct access to the Internet, and place the voice service and other servers in separate domains and restrict their access.

9. Minimize the use of softphones (softphones)

VoIP soft terminal phones are susceptible to computer hackers, even if it is located behind the company's firewall, because this kind of thing is used with ordinary PC, VoIP software and a pair of headphones. Moreover, the soft terminal phone does not separate voice and data, so it is vulnerable to viruses and worms.

10. Regular safety review

Examining the activities of super users and general users can reveal some problems. Some "phishing" attempts can be blocked, spam can be filtered, and intruders can also be blocked.

11. Assess the actual safety

Make sure that only authenticated devices and users can access those restricted Ethernet ports. Administrators are often spoofed to accept requests from soft terminal phones without permission, because hackers can easily mimic IP addresses and MAC addresses by plugging in RJ44 ports. 12. Businesses using digital security certificates

If the IP phone provider can provide a certificate to authenticate the device, users can basically be confident that their communication is safe and will not broadcast to other devices.

13. Ensure the security of the gateway

The gateway should be configured so that only approved users can make or receive VoIP calls, and list those users who have been authenticated and approved. This can ensure that other people cannot make free calls while busy. Through the combination of SPI firewall, application layer gateway, network address translation tool, SIP support for VoIP soft client, etc., to protect the gateway and the local area network behind it.

14. Manage servers separately

VoIP phone servers are often the targets of attackers because they are the heart of any VoIP network. Some inherent fatal weaknesses of the server include its operating system, services and the application software it supports. To minimize hacker attacks on the server, it is necessary to manage different servers that transmit VoIP signals separately.

15. Sort SIP (Session Initiation Protocol) communication

Thoroughly check the network SIP communication, check those abnormal packets and communication mode, these measures help to cut off those very short false sessions. Abnormal grammar and semantics, irregular events, and out-of-sequence in the SIP signal will indicate that the attack is or will start.

16. Check the call setting request of the application layer

VoIP phones are easy to be hijacked by those who can access the network from outside. The administrator needs to set up a security policy so that the call request can be accepted only if it matches the existing policy.

17. Isolate voice communication

For external communications, it depends on a virtual private network (VPN). Separate voice and data communications to prevent attempts to eavesdrop on user conversations. Relevant Cisco experts recommend that you prevent PC ports from accessing the voice VLAN.

18. Use a proxy server

By using a proxy server to process data entering and leaving the network, the user's network is protected.

19. Only run application software that needs to provide and maintain VoIP services

In fact, VoIP applications that use encrypted data may also incur DoS attacks. Attackers can hide behind encrypted cover to prevent their activities from being monitored. Cisco experts believe that when the signal is transmitted between the user agent and the SIP agent, the integrity of the authentication must be ensured through the integrated SSL channel and SIP agent.