Reviewing Security Concerns of UC solutions

By Dimitri Osler
January 17, 2019

VoIP communications are completely safe if implemented correctly. As with any other technologies, there are best practices which must be followed to achieve the best possible results.

You must address security concerns while developing or selecting your UC solution. While many vendors delegate security to separate entities, such as VPNs, this approach is not necessary nor recommended as a substitution to the security policies.

The system must protect itself from attacks that attempt to guess user and password combinations. This can be achieved by blocking repeated failed attempts. The IP address that is generating the attack must be added to a ban list for an ever-increasing period of time.

It is important to also pay close attention to the devices you are connecting to your system (Protecting Devices Connected to the UC System). They may not all support the required protocols and standards.

As recommended with any device connected to the Internet, the UC system’s software must be constantly updated to address any discovered vulnerabilities.

As indicated in Introducing Unified Communications Security, the solution to security concerns is not to hide your UC platform or impair its features. Instead, you should keep it up-to-date and simplistic.

VPN applications such as IPsec and OpenVPN offer a last resource for secure communications. Encrypting all the traffic generated by a device is a poor solution, as it introduces many problems including network usage overhead (up to double when using compressed codecs such as G.729) along with implementation and deployment problems. Even if a UC platform is only accessible via VPNs or from the local network, potential attackers can still exploit the vulnerabilities of a non-secure platform from inside the network.

Relying on separate platforms (such as firewalls / SBC) for security concerns further complicates deployment and increases the possibility of security holes in each of the installed components. Many of these attacks are executed by gaining access to an intranet using the credentials of a user or a single affected server. From there, the attack can be spread to other components. The golden rule is to independently protect all services, even if they are located inside the LAN. Do not rely on a big wall created to keep the bad people out; this approach is merely a ticking time bomb.

Firewalls and SBC are useful for monitoring ongoing sessions and providing third-party reports on possible security problems. However, they are not a substitute for built-in security for all the components of our Unified Communication system.

In summation, a modern communication server must be maintained just as all other servers (Mail, Web, Directory, Calendar, etc.) in an organization. Activating a support service (where applicable), installing new versions, applying security patches, and following all best practices for its deployment are essential activities.