VoIP is the standard for office phone systems today. It offers economy, versatility, and valuable features. It’s the only reasonable choice for a new exchange. When it’s done right, it provides a very secure communication system, much safer than email. Calls within the network, as well as many outside calls, have end-to-end security.
Like any other function on the network, it takes some attention to make sure it really is secure. There are people who try to get into every network, and phone systems are as much of a target as any other point of entry. Nothing can eliminate all risk, but a careful approach to selection, installation, and management keeps it down to a very low level.
Reasons for caring about VoIP security
Any part of a network can be a jumping-off point for attacks on the rest of it. Every device needs to be kept as safe as reasonably possible. VoIP phones, like workstations, smartphones, and servers, need to be part of the network security plan.
If the exchange isn’t well secured, people can get in and use it for free. They increase the costs as well as the load on the network. Unauthorized calls can reduce the quality of service for legitimate ones.
Spies could listen in on calls, gathering business secrets or personal information. Once they’ve collected enough information, they can impersonate key employees and engage in plausible-sounding scams.
A weakly secured system is more vulnerable to a denial-of-service (DoS) attack, making it impossible to place calls. Such an attack, sustained for hours, can seriously disrupt business.
A security plan that takes VoIP into account greatly reduces these risks and ensures reliable phone service. Users can make calls with greater confidence.
Setting up the service
The first steps come with the selection and ordering of the service. The hosting provider needs to handle its own security well. If you set up an on-premises PBX, you take on responsibility for it and need to make sure it’s well managed. Most businesses, especially small to medium-sized ones, find that hosting is the sensible choice.
Make sure the service package you select offers secure protocols. Secure SIP does for voice connections what HTTPS does for Web access. It uses TLS to prevent unauthorized access and ensure that the connecting parties are who they claim to be. Secure RTP, or SRTP, encrypts the content of communications, making it nearly impossible to spy on. As a bonus, it makes DoS attacks more difficult.
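One way to verify that calls actually negotiate the secure protocols described above, as an added example that is not part of the original article: the Python function below inspects a SIP INVITE and reports whether each signaling hop used TLS and whether every media stream in the SDP offers SRTP with key material. The two INVITE messages (abbreviated), the host names and the key placeholder are constructed sample data.

```python
# Added example; both INVITE messages below are constructed sample data.
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
SECURE_INVITE = (
    "INVITE sips:bob@pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/TLS phone1.example.test:5061;branch=z9hG4bKconstructed1\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY\r\n"
)
PLAIN_INVITE = (
    "INVITE sip:bob@pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP phone2.example.test:5060;branch=z9hG4bKconstructed2\r\n"
    "\r\n"
    "v=0\r\nm=audio 49172 RTP/AVP 0\r\n"
)

def audit_sip_message(raw: str) -> dict:
    """Report whether a SIP request was carried over TLS and offers only SRTP media."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    findings, transports, media, session_key = [], [], [], False
    for line in head.split("\n")[1:]:              # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v") and value.split():
            # "SIP/2.0/TLS host:port;branch=..." -> "TLS"
            transports.append(value.split()[0].split("/")[-1].upper())
    for line in body.split("\n"):
        if line.startswith("m=") and len(line[2:].split()) >= 3:
            kind, _port, proto = line[2:].split()[:3]
            media.append({"type": kind, "proto": proto.upper(), "keyed": session_key})
        elif line.startswith(("a=crypto:", "a=fingerprint:")):
            if media:
                media[-1]["keyed"] = True          # SDES key or DTLS fingerprint
            else:
                session_key = True                 # session-level DTLS fingerprint
    if not transports:
        findings.append("no Via header found")
    findings += [f"signaling hop uses {t}, not TLS" for t in transports if t != "TLS"]
    for m in media:
        if m["proto"] not in SRTP_PROFILES:
            findings.append(f"{m['type']} stream offers {m['proto']} (unencrypted RTP)")
        elif not m["keyed"]:
            findings.append(f"{m['type']} stream offers {m['proto']} with no key material")
    return {
        "signaling_tls": bool(transports) and all(t == "TLS" for t in transports),
        "media_srtp": bool(media) and all(
            m["proto"] in SRTP_PROFILES and m["keyed"] for m in media),
        "findings": findings,
    }
```

The Via headers only show the hops recorded in the message, so a clean result here says nothing about legs beyond the point where the message was captured.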
Setting up the network
Adding VoIP to a network requires some configuration changes. This is the time to minimize the vulnerability of voice connections on the network.
The voice network ought to be segregated from the data network. One approach is to have two separate networks, each with its own router and devices. That can require significant rewiring, though. Having voice and data on separate subnets accomplishes almost the same thing and is easier to set up. Either way, the separation improves quality of service as well as security.
Voice and data devices should have separate IP address ranges, so they don’t get mixed up with each other. If a DHCP server assigns the addresses, voice and data should each have their own DHCP allocations.
Many businesses have multiple locations, and employees would like access to the phone exchange from home or in the field. Setting up a virtual private network (VPN) or wide-area network (WAN) keeps all intra-office calls inside the network. Both give an extra layer of safety, encrypting all traffic.
Securing the administrative functions is vital. Keep the number of people who have access small, and use multi-factor authentication. Allowing administrative access only from specified IP addresses further improves safety.
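The separation rules in this section can be checked against an address plan. The following Python audit is an added example, not part of the original article: it flags overlapping voice and data subnets, DHCP pools that stray outside their own subnet, devices addressed in the wrong range, and administrative access from sources that are not on the allowlist. The subnets, device names and addresses are constructed sample data.

```python
import ipaddress

# Constructed sample address plan: one subnet and one DHCP pool per role.
PLAN = {
    "voice": {"subnet": "10.20.0.0/24", "dhcp": ("10.20.0.50", "10.20.0.200")},
    "data":  {"subnet": "10.10.0.0/24", "dhcp": ("10.10.0.50", "10.10.0.250")},
}
# Constructed inventory: (device name, intended role, assigned address).
DEVICES = [
    ("desk-phone-1", "voice", "10.20.0.51"),
    ("desk-phone-2", "voice", "10.10.0.77"),   # a phone that landed on the data side
    ("laptop-7",     "data",  "10.10.0.60"),
]
ADMIN_ALLOW = ["10.10.0.5/32"]                 # addresses allowed to administer the PBX
ADMIN_SOURCES = ["10.10.0.5", "10.10.0.60"]    # sources seen reaching the admin interface

def audit_separation(plan, devices, admin_allow, admin_sources):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    nets = {role: ipaddress.ip_network(cfg["subnet"]) for role, cfg in plan.items()}
    if nets["voice"].overlaps(nets["data"]):
        findings.append("voice and data subnets overlap")
    for role, cfg in plan.items():
        for addr in cfg["dhcp"]:               # first and last address of the pool
            if ipaddress.ip_address(addr) not in nets[role]:
                findings.append(f"{role} DHCP pool address {addr} is outside {nets[role]}")
    for name, role, addr in devices:
        if ipaddress.ip_address(addr) not in nets[role]:
            findings.append(f"{name} ({role}) has address {addr} outside {nets[role]}")
    allowed = [ipaddress.ip_network(n) for n in admin_allow]
    for src in admin_sources:
        if not any(ipaddress.ip_address(src) in n for n in allowed):
            findings.append(f"admin access from {src} is not on the allowlist")
    return findings

if __name__ == "__main__":
    for finding in audit_separation(PLAN, DEVICES, ADMIN_ALLOW, ADMIN_SOURCES):
        print(finding)
```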
Securing the users
The individual devices and user accounts need ongoing attention. When configuring phones and softphone applications, each one needs to have a strong and distinct SIP password.
People like being able to access the voice network from their personal phones. Setting them up with compatible applications and VPN access makes this possible. However, a well-managed BYOD policy is necessary to keep matters under control. If someone installs a softphone app on an infected phone, that could give spies access to the voice network and more. A good policy for user-owned devices sets standards for acceptable device types, and it lets the administrator cut off any misbehaving devices.
When using their personal phones in the office, people will often prefer to go through Wi-Fi rather than the cell network and VPN. Access is more direct and faster. All Wi-Fi access points in the office should already use WPA2 encryption, and voice access is one more reason to make sure they do.
Ongoing maintenance
Security isn’t something administrators can set up and forget about. It requires regular maintenance. Vulnerabilities will turn up from time to time in both phone firmware and voice applications. Where there are known vulnerabilities, attacks soon follow. Keeping the phones and software patched with the latest security releases will keep anyone from exploiting those weaknesses.
Network monitoring and periodic security scans will alert administrators to any problems. The sooner a problem is caught, the less damage it will do. The system should maintain logs of activity to aid in diagnosing any issues. The logs need to be kept safe, since they could provide attackers with clues about weaknesses in the network.
VoIP needs the same attention to security as any other network function. When everything works right, it’s safer than a PSTN connection, since conversations never travel through analog lines. Intra-office calls are secure from end to end, and conversations with other VoIP systems often have the same level of protection. With a reasonable level of care, employees can discuss confidential matters safely.
SystemsNet hosts, maintains, and upgrades your VoIP for you, so you don’t have to worry about configuration errors or security patches. You can use your PBX in confidence. Contact us to learn how to get started.