With workplaces moving to a much more distributed model due to the pandemic, voice over IP communications need to be better secured. We discuss how to secure VoIP systems with an expert from RingCentral.
Voice-over-IP (VoIP) is one of the most cost-effective network solutions a small business can purchase, but you can quickly take a bite out of those savings if you don’t enter into it with your eyes open. Understanding all the aspects of voice as they pertain to running on a data network is key to successfully deploying this technology. One of the most important aspects of VoIP, yet one that’s very often given short shrift in deployment projects and planning sessions, is security.
That can be an exceptionally bad mistake these days for several reasons. First, many businesses are moving to a much more distributed networking model due to the pandemic. Users are working from home and for many companies that move may become permanent. That means your clean and consolidated office network is now connected to a potential rat’s nest of home networks with unknown routers running unknown (and often default) settings, as well as connecting to a hodgepodge of personal, unmanaged devices. That can affect not only VoIP performance (meaning the clarity of a conversation), but also security across both password protection and traffic integrity.
This leads into the other problem with a distributed VoIP architecture. Most VoIP providers these days have some form of unified communications as a service (UCaaS) software client, or softphone. This isn’t just a phone that runs on your PC or mobile device, though that’s the most popular usage at many companies. For many providers (RingCentral’s Glip, for example), these tools combine phone capabilities with text-based chat, shared meetings, video conferencing, scheduling, file sharing and data transfer, among other features. Managing security for such powerful apps is critical.
Whether it’s ensuring secure user authentication and network configuration or enabling end-to-end encryption in all VoIP communication and data storage, organizations need to be diligent in both overseeing IT management and working closely with their business VoIP provider to ensure that security requirements are being met and enforced.
Michael Machado, Chief Security Officer (CSO) at RingCentral, oversees security for all of RingCentral’s cloud and VoIP services. Machado has spent the past 18 years in IT and cloud security, first as a security architect and operations manager at WebEx, and then at Cisco after the company acquired the video conferencing service.
Security considerations in your company’s VoIP communications start in the research and buying stage before you even select a VoIP provider, and persist through implementation and management. Machado walked through the entire process from a security perspective, stopping to explain plenty of do’s and don’ts for businesses of all sizes along the way.
Selecting Your VoIP Provider
DON’T: Neglect the Shared Security Model
Whether you’re a small business or a large enterprise, the first thing you need to understand (independent even of VoIP and Unified Communications-as-a-Service, or UCaaS) is that all cloud services in general need to have a shared security model. Machado said that, as the customer, your business always shares some responsibility in the secure implementation of all the cloud services you’re adopting.
“It’s key for customers to understand, especially when a company is smaller and has fewer resources,” said Machado. “People think VoIP is a mechanical device connected to a copper line. It’s not. A VoIP phone, whether it’s a physical handset, a computer with software running on it, a mobile app, or a softphone application, it’s not the same thing as a mechanical phone plugged into the PSTN [public switched telephone network]. It’s not like a regular phone; you’re going to have some responsibility for making sure the security has a closed loop between the customer and vendor.”
DO: Vendor Due Diligence
Once you understand that shared responsibility and want to adopt a cloud VoIP service, it makes sense to do your due diligence when selecting your vendor. Depending on your size and the expertise you have on staff, Machado explained how enterprises and small to midsize businesses (SMBs) can go about this in different ways.
“If you’re a large company that can afford to spend the time on due diligence, you can come up with a list of questions to ask every vendor, review their audit report, and have a few meetings to discuss security,” said Machado. “If you’re a small business, you might not have the expertise to analyze a [Service Organization Control] SOC 2 audit report or the time to invest in a heavy lift discussion.
“Instead, you can look at things like Gartner’s Magic Quadrant report, and look to see if they have a SOC 1 or SOC 2 report available, even if you don’t have the time or expertise to read through and understand it,” Machado explained. “The audit report is a good indication of companies making a strong investment in security versus companies that are not. You can also look for a SOC 3 report in addition to SOC 2. It’s a lightweight, certification-like version of the same standards. These are the things you can look for as a small business to start moving in the right direction on security.”
DO: Negotiate Security Terms in Your Contract
Now you’re at the point where you’ve selected a VoIP vendor and you’re considering the possibility of making a buying decision. Machado recommended that, whenever possible, businesses should try to get explicit security agreements and terms in writing when negotiating a contract with a cloud vendor.
“Small company, big company, it doesn’t matter. The smaller the company, the less power you’ll have to negotiate those specific terms but it’s a ‘don’t ask, don’t get’ scenario,” said Machado. “See what you can get in your vendor agreements with regards to security obligations from the vendor.”
Implementing VoIP Security
DO: Use Encrypted VoIP Services
When it comes to deployment, Machado said there’s no excuse for a modern VoIP service to not offer end-to-end encryption. Machado recommended that organizations look for services that support Transport Layer Security (TLS) or Secure Real-Time Transport Protocol (SRTP) encryption, and that do it, ideally, without upselling for core security measures.
“Don’t always go for the cheapest service; it can be worthwhile to pay a premium for a more secure VoIP. Even better is when you don’t have to pay a premium for security in your cloud services,” said Machado. “As a customer, you should just be able to enable encrypted VoIP and off you go. It’s also important that the provider is using not just encrypted signaling, but also encrypting media at rest. People want their conversations to be private, not traversing the internet with plain text voice. Make sure your vendor will support that level of encryption and that it’s not going to cost you more.”
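Whether a service actually delivers the encrypted signaling and media described above can be verified on the wire. The following Python is an added example (not code from the article or from RingCentral): it audits a captured SIP INVITE and its SDP body, checking that signaling arrives over TLS and that every media line negotiates SRTP, either RTP/SAVP with an a=crypto key (SDES) or a DTLS-SRTP profile with an a=fingerprint line. Both messages are constructed for the example; the hosts, addresses and the key material are placeholders.

```python
"""Audit a SIP INVITE (with SDP body) for plaintext signaling or media."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample messages, not captured from any real system.
# Host names, IP addresses and the crypto key are placeholders.
SECURE_INVITE = (
    "INVITE sip:2001@voip.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.20.30.40:5061;branch=z9hG4bKabc\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 10.20.30.40\r\n"
    "s=-\r\n"
    "c=IN IP4 10.20.30.40\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYMATERIAL\r\n"
)
PLAINTEXT_INVITE = (
    "INVITE sip:2001@voip.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.20.30.40:5060;branch=z9hG4bKdef\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 10.20.30.40\r\n"
    "s=-\r\n"
    "c=IN IP4 10.20.30.40\r\n"
    "t=0 0\r\n"
    "m=audio 49172 RTP/AVP 0 8\r\n"
)

# Transports that protect SIP signaling, and SDP profiles that mean SRTP.
SECURE_TRANSPORTS = {"TLS", "WSS"}
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


def split_message(raw: str) -> Tuple[List[str], List[str]]:
    """Split a SIP message into header lines and SDP body lines."""
    head, _, body = raw.partition("\r\n\r\n")
    return head.split("\r\n"), (body.split("\r\n") if body else [])


def signaling_transport(header_lines: List[str]) -> Optional[str]:
    """Return the transport named in the topmost Via header (TLS, UDP, ...)."""
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("via", "v"):
            match = re.match(r"\s*SIP/2\.0/(\S+)", value)
            if match:
                return match.group(1).upper()
    return None


def parse_media(sdp_lines: List[str]) -> List[Dict]:
    """Collect each m= section with its profile and whether keying material follows."""
    sections: List[Dict] = []
    for line in sdp_lines:
        if line.startswith("m="):
            kind, port, profile = line[2:].split()[:3]
            sections.append({"kind": kind, "port": int(port), "profile": profile, "keyed": False})
        elif sections and (line.startswith("a=crypto:") or line.startswith("a=fingerprint:")):
            # a=crypto is SDES keying; a=fingerprint anchors a DTLS-SRTP handshake.
            sections[-1]["keyed"] = True
    return sections


def audit_sip_message(raw: str) -> Dict:
    """Return the transport, parsed media sections and a list of plaintext findings."""
    headers, sdp = split_message(raw)
    transport = signaling_transport(headers)
    media = parse_media(sdp)
    findings: List[str] = []
    if transport not in SECURE_TRANSPORTS:
        findings.append(
            f"signaling over {transport or 'unknown'}: SIP headers and dialed numbers are readable on the wire"
        )
    for section in media:
        if section["profile"] not in SRTP_PROFILES:
            findings.append(
                f"{section['kind']} stream on port {section['port']} uses {section['profile']}: media is plaintext RTP"
            )
        elif not section["keyed"]:
            findings.append(
                f"{section['kind']} stream declares {section['profile']} but carries no a=crypto/a=fingerprint line"
            )
    return {"transport": transport, "media": media, "findings": findings}


if __name__ == "__main__":
    for label, msg in (("secure", SECURE_INVITE), ("plaintext", PLAINTEXT_INVITE)):
        print(label, audit_sip_message(msg)["findings"] or "no findings")
```

The audit reads only the offer, so it tells you what the endpoint proposed, not what the far end finally accepted; run it against both the INVITE and the 200 OK of a test call to confirm the negotiated profile.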
DON’T: Mix Your LANs
On the network side of your deployment, most organizations have a mix of handsets and cloud-based interfaces. Many employees may just be using a VoIP mobile app or softphone, but there will often be a mix of desk phones and conference phones connected to the VoIP network as well. Machado said it’s crucial not to mix form factors and connected devices within the same network design.
“You want to set up a separate voice LAN. You don’t want your hard-voice phones co-mingling on the same network with your workstations and printers. That’s not good network design,” said Machado. “If you go that route, there are problematic security implications down the line. There’s no reason for your workspaces to be talking to one another. My laptop doesn’t need to talk to yours; it’s not the same as a server farm with applications talking to databases.”
Instead, Machado recommends…
DO: Set Up Private VLANs
A private VLAN (virtual LAN), as Machado explained, lets IT managers better control their networks because it effectively segments a specific kind of traffic (in this case VoIP) onto its own network. While there are other ways to protect your VoIP traffic from congestion caused by other application traffic on your network (Quality of Service, or QoS, settings), separating VoIP traffic is the goal, and nothing keeps traffic separate like putting it on its own network. The private VLAN acts as a single access and uplink point to connect the device to a router, server, or network.
“From an endpoint security architecture perspective, private VLANs are a good network design because they give you the ability to turn on this feature on the switch that says ‘this workstation can’t talk to the other workstation.’ If you have your VoIP business phone system or voice-enabled devices on the same network as everything else, that doesn’t work,” said Machado. “It’s important to set up your dedicated voice LAN as part of a more privileged security design.”
DON’T: Leave Your VoIP Outside the Firewall
Your VoIP phone is a computing device plugged into Ethernet or your Wi-Fi network. As a connected endpoint, Machado said it’s important for customers to remember that, just like any other computing device, it also needs to be behind the corporate firewall.
“The VoIP phone has a user interface [UI] for users to log in and for admins to do system administration on the phone. Not every VoIP phone has firmware to protect against brute-force attacks,” said Machado. “Your email account will lock after a few attempts, but not every VoIP phone works the same way. If you don’t put a firewall in front of it, it’s like opening that web application to anyone on the internet who wants to script a brute force attack and log in.”
For companies faced with deploying such devices in workers’ homes, this process is necessarily more complicated. First, consider mandating a softphone instead of going to the trouble of shipping out a slew of handsets. With a cheap pair of headphones equipped with microphones, softphones are every bit as effective and easy to use as a regular phone. They’re also on a PC or mobile device that’s probably connected wirelessly to the home network, which means it’ll automatically be behind the home router’s firewall.
However, IT should make it a point to ensure that every home wireless router not only implements a firewall, but does so in a VoIP-friendly way. That means some testing for IT staffers across different router devices, but once that’s done they should be able to help home users implement the proper settings fairly quickly over the phone.
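The lockout that Machado notes many handsets lack can be supplied from the network side: keep the phone behind the firewall and watch its login log for the pattern. The following Python is an added example (not code from the article or from any phone vendor): it runs a sliding-window failed-login counter over phone web-UI log lines, grouped by source address and device, and raises an alert when the threshold is hit. The log format and every line in it are constructed for the example; the timestamps, device names and addresses are placeholders, and a real handset's syslog format will need its own regular expression.

```python
"""Detect password-guessing against a VoIP phone's admin UI from its login log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log lines (placeholder devices and addresses); the format is
# assumed for this example and is not any vendor's real syslog layout.
SAMPLE_LOG = """\
2024-03-04T10:00:01Z phone-2f01 webui: login failed user=admin src=203.0.113.7
2024-03-04T10:00:04Z phone-2f01 webui: login failed user=admin src=203.0.113.7
2024-03-04T10:00:07Z phone-2f01 webui: login failed user=admin src=203.0.113.7
2024-03-04T10:00:09Z phone-2f01 webui: login failed user=admin src=203.0.113.7
2024-03-04T10:00:12Z phone-2f01 webui: login failed user=admin src=203.0.113.7
2024-03-04T10:00:15Z phone-2f01 webui: login failed user=admin src=203.0.113.7
2024-03-04T10:01:30Z phone-2f01 webui: login failed user=admin src=198.51.100.9
2024-03-04T10:05:30Z phone-2f01 webui: login failed user=admin src=198.51.100.9
2024-03-04T10:05:41Z phone-2f01 webui: login ok user=admin src=198.51.100.9
this line is deliberately malformed and must be skipped by the parser
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) webui: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line into a dict, or return None for lines that do not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["ts"] = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return record


def detect_bruteforce(
    lines: List[str], threshold: int = 5, window: timedelta = timedelta(seconds=60)
) -> List[Dict]:
    """Alert on any (source, device) pair with `threshold` or more failures inside `window`."""
    failures: Dict[tuple, List[datetime]] = defaultdict(list)
    for line in lines:
        record = parse_line(line)
        if record and record["result"] == "failed":
            failures[(record["src"], record["device"])].append(record["ts"])

    alerts: List[Dict] = []
    for (src, device), stamps in failures.items():
        stamps.sort()
        start = 0
        peak = 0
        # Two-pointer sliding window: advance `start` until the window fits.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"src": src, "device": device, "failures_in_window": peak})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {alert['src']} -> {alert['device']}: "
              f"{alert['failures_in_window']} failed logins within the window")
```

The two failures from the second address are four minutes apart, so they fall outside the default 60-second window and produce no alert; widen the window or lower the threshold to tune for your environment, and feed the alerts to whatever blocks at the firewall, since the phone itself will keep answering.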
VoIP Service Management
DO: Change Your Default Passwords
Regardless of the manufacturer from which you receive your VoIP handsets, the devices will ship with default credentials like any other piece of hardware that comes with a web UI. To avoid the kind of simple vulnerabilities that led to the Mirai botnet DDoS attack, Machado said the easiest thing to do is simply to change those defaults.