It continues to surprise me when I hear about an enterprise connecting its UC systems directly to a SIP trunking service. Don't these folks know about the myriad ways IP communications can be threatened by hackers and fraudsters? Case in point: A UK-based Internet telephony service recently took a customer to court over £35,000 (nearly $60,000) worth of fraudulent calls. While the customer prevailed in court, the case illustrates the prevalence of nefarious forces that prey on poorly secured IP communications systems.
UC networks are susceptible to a variety of security threats – hackers and fraudsters may try to manipulate real-time communications signaling or media flows, or they may attempt to disrupt network infrastructure to impair operations, eavesdrop on conversations, or commit service theft. Here are six best practices to bolster UC environment security:
1. Define your network "enforcement point." The enforcement point may provide demarcation between zones of varying trust such as the Internet (public) and the internal (private) network or other trust zones such as a guest network, a demilitarized zone (DMZ), or a bring your own device (BYOD) network.
2. Hide your network topology. Hackers can plan attacks by ascertaining information about network equipment (determining equipment types and software versions) or by detecting a company's IP addressing scheme. By hiding your network topology, you remove the protocol fields that may assist in "fingerprinting," thereby significantly improving network security.
3. Encrypt endpoint communications. Businesses should encrypt communications flows when transiting public networks to prevent eavesdropping and impersonation. Encryption should also be considered on private networks to verify identity and prevent eavesdropping on privileged communications.
4. Prevent Denial of Service (DoS) attacks and overload. DoS or distributed DoS (DDoS) attacks as well as non-malicious events – such as registration floods – can impair IP communications infrastructure (border elements, application servers, and endpoints) and disturb critical applications and services. Attackers may try to flood a network from one or more endpoints or send malformed messages (protocol fuzzing) to overwhelm network devices. Network managers can help ensure continued service availability by deploying E-SBCs that help identify DoS and DDoS attacks and help stop and/or prevent them by appropriately throttling or blocking traffic.
5. Ensure high availability. In the event of an equipment failure, physical attack, or persistent DoS/DDoS attack, a strong redundancy strategy can help restore service quickly. Enterprises should also consider rolling out a disaster recovery plan with redundant sites to maintain continuous service availability to subscribers.
6. Enable secure management. Implementing technology to secure IP network borders isn't helpful if it is not possible to update and adjust that technology as needed without compromising the security of the network. Ensure your network security plan includes processes for securely managing the technology by physically separating the interfaces so administrative functions can be performed "out of band" without disrupting other connections.
A SIP trunking service can improve public switched telephone network (PSTN) service reliability, optimize performance and service quality, and reduce operational costs. But with the increase in data breaches and system hacks today, we can't forget about protecting these networks to ensure privacy and service continuity.
Carl Blume is director, enterprise product marketing, Oracle Communications.
