As Unified Communications (UC) and Voice over IP (VoIP) usage increases, we are seeing an increasing number of companies being hacked or defrauded. In some cases the amounts are not large, perhaps £500 to a premium rate number overnight or 8,500 over a few weeks with fraudsters that are careful with the amount they take.
In some cases, this can be much higher with companies reporting as much as $50,000 being stolen. This is usually because customers are not being told, or perhaps not understanding, what they are agreeing to when they connect their VoIP server to their providers network.
One problem is that a SIP Trunk provider (STP) is like an ISP provider: they provide connectivity. STPs usually do not provide security in the same way that ISP providers do not provide security. Even if they do some form of security at their gateway, the question is whether their security posture matches that of their customers. This is unlikely. Which is why STPs should not be relied on for providing their customer’s security.
What most STPs do is provide Session Border Control (SBC). A SBC controls real-time session traffic at the signaling, call-control, and packet layers usually as they leave the STP’s network. In fact, SBCs are critical to the deployment of VoIP networks. They allow the voice and other real-time traffic to work through firewalls that implement network address translation (NAT). However, whilst this can have incidental security advantages, they are not designed to provide security features required by enterprises, such as:
1. Threat Protection
2. Policy Enforcement
3. Access Control
Furthermore, it is common for STPs to connect multiple customers through the same SBC, providing a single point to traverse between customer networks. So in short, one customer could use the SBC to hop on to another customer’s network.
Another issue is that VoIP and email servers obviously attempt to be secure. However, it is very rare that any organisation would leave their mail server open to the internet without a firewall or UTM device to protect it. In fact, even with a firewall in front of an email server, companies will still ensure there is an email proxy on port 25 to protect their mail server. The same has to be true for the VoIP server except there are more ports. For instance, SIP signalling traffic is run over ports 5060 or 5061 (TCP or UDP) whilst data uses RTP and can be configured to run on all ports over 1024 though usually this is limited to a narrower range.
So without defending the VoIP server, you are leaving it open to attack from the Internet. In the same way that if you left a mail server open to the internet you could expect it to be under attack in fairly quick order. So when deploying a VoIP solution, consider what protection it needs just as you would when deploying any other server. Also consider what exposure you want to your STP and to any of their customers they have who might not be as scrupulous as you might hope.