Earlier we covered the different attacks that can target our VoIP network. Now it is time to see which protection methods we can apply to avoid the degradation of VoIP quality that those attacks can cause.
Separating voice traffic from data traffic with voice VLANs, or protecting voice traffic with VPNs and a firewall, can easily prevent basically all of the most common attacks. One more thing that is important and often ignored is the security of voice endpoints and servers, which can be increased with some simple configuration changes.
Ways to secure the voice network:
- Implementing an auxiliary VLAN (a separate voice VLAN)
  - An auxiliary VLAN sends call traffic in a different VLAN from data traffic. This always improves the quality of call transmission and puts call traffic into a separate network. It helps secure calls from almost all Layer 2 attacks.
- Implementing firewalls
  - A firewall is used to prevent attacker traffic from entering our voice network while dynamically allowing UDP ports to be opened for individual RTP transmissions.
- IPsec-protected VPNs
  - IPsec-protected VPNs are used to secure the flow of voice packets. Those packets can otherwise be sniffed and modified by an attacker.
- Shutting down the web access option
  - Web access to, let’s say, a Cisco IP Phone is a weak point in the default configuration of the device. By shutting down this option we can prevent an attacker’s web browser from opening the phone’s configuration web interface and doing damage there.
- Disabling gratuitous ARP
  - This lets us mitigate a “man in the middle” attack. In this attack the attacker sends ARP replies to the Cisco IP Phone claiming that the MAC address of the phone’s gateway is the MAC address of the attacker’s PC.
- Disabling everything that you don’t use
  - Disabling unneeded features can close some security holes in a system.
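
To illustrate the gateway-impersonating ARP traffic described under “Disabling gratuitous ARP”, here is an added example (not from the original article or from Cisco) of a monitoring check that parses ARP frames and flags any that bind the gateway’s IP address to a MAC address other than the known one. The function names, addresses and sample frames are assumptions constructed for the illustration.

```python
import struct

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip) for Ethernet/IPv4 ARP, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, _mac(frame[22:28]), _ip(frame[28:32]), _ip(frame[38:42])

def find_gateway_spoofing(frames, gateway_ip, gateway_mac):
    """List (index, kind, claimed_mac) for ARP frames that bind the gateway IP
    to a MAC other than the pinned one."""
    alerts = []
    for n, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sender_mac, sender_ip, target_ip = parsed
        if sender_ip != gateway_ip or sender_mac == gateway_mac.lower():
            continue
        # Sender IP == target IP marks a gratuitous ARP (an unrequested announcement).
        kind = "gratuitous" if target_ip == sender_ip else "reply" if op == 2 else "request"
        alerts.append((n, kind, sender_mac))
    return alerts

# Constructed sample frames (documentation-range addresses, not a real capture).
GW, PHONE, OTHER = "00005e005301", "00005e005350", "00005e005366"
GW_IP, PHONE_IP = "c0000201", "c0000232"      # 192.0.2.1, 192.0.2.50
HDR = "0806" "0001" "0800" "06" "04" "0002"   # ARP over Ethernet/IPv4, opcode 2
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    PHONE + GW + HDR + GW + GW_IP + PHONE + PHONE_IP,        # genuine gateway reply
    PHONE + OTHER + HDR + OTHER + GW_IP + PHONE + PHONE_IP,  # gateway IP, wrong MAC
    "ff" * 6 + OTHER + HDR + OTHER + GW_IP + "ff" * 6 + GW_IP,  # gratuitous, wrong MAC
)]

if __name__ == "__main__":
    for alert in find_gateway_spoofing(SAMPLE_FRAMES, "192.0.2.1", "00:00:5e:00:53:01"):
        print(alert)
```
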
This was an intro to attack prevention methods. You can expect the next few articles to explain each of these methods in depth.