
September 29th, 2014 by The Modulis Team

Security Issues to Address When Implementing Open Source Telephony Solutions

Security is a broad topic. Each day brings new technologies to the market and, at the same pace, new threats and cyber attacks that cause frustration and loss for many organizations. A recent vulnerability discovered in an SSL implementation (which became famous as the Heartbleed bug) indicates the need for improved security protocols. We can’t always minimize risks, but we can put our best efforts toward achieving optimum security for better peace of mind:

  • Begin with a proper plan of action (this rule applies universally to just about anything in life)
  • Don’t use simple passwords! Use strong passwords containing numbers, letters, and special characters, and avoid word associations (for example, don’t set the root password on a server to “root”)
  • Apply good firewall rules on your Linux machine (including iptables)
  • Install monitoring software on your server to track incoming and outgoing bandwidth. Apply proper notification rules that trigger an email to the appropriate group if your bandwidth threshold is crossed
  • Check your system logs regularly and enable notification on your server in the case of unwanted access
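As an illustration of the log-checking item above, here is an added example (not code from the original article) that reviews SSH login events and produces alerts suitable for an email notification. It assumes the standard OpenSSH syslog line format; the function name `review_auth_log`, the alert labels, the threshold of 3 and the sample lines are all constructed for this sketch.

```python
import re
from collections import Counter

# Constructed sample lines in the OpenSSH syslog format (not real traffic).
SAMPLE_LOG = """\
Sep 29 02:11:01 pbx sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Sep 29 02:11:03 pbx sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Sep 29 02:11:06 pbx sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 51301 ssh2
Sep 29 02:14:40 pbx sshd[2110]: Failed password for invalid user voip from 198.51.100.9 port 40022 ssh2
Sep 29 08:30:12 pbx sshd[2450]: Accepted password for root from 203.0.113.5 port 51999 ssh2
Sep 29 09:02:45 pbx sshd[2502]: Accepted publickey for ops from 192.0.2.10 port 60111 ssh2
"""

# Matches both failed and successful sshd authentication events.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def review_auth_log(text, max_failures=3):
    """Return alert strings for noisy sources and risky successful logins."""
    failures = Counter()  # failed attempts seen so far, per source address
    alerts = []
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # unrelated syslog line
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            if failures[ip] == max_failures:  # alert once per source
                alerts.append(f"BRUTE_FORCE {ip}: {max_failures} failed logins")
        else:
            # A success right after many failures may be a guessed password.
            if failures[ip] >= max_failures:
                alerts.append(f"LOGIN_AFTER_FAILURES {user} from {ip}")
            if user == "root" and m["method"] == "password":
                alerts.append(f"ROOT_PASSWORD_LOGIN from {ip}")
    return alerts

if __name__ == "__main__":
    for alert in review_auth_log(SAMPLE_LOG):
        print(alert)  # hand these to whatever sends your notification email
```

Run from cron against the server's authentication log, the returned list can be mailed to the appropriate group whenever it is non-empty.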

When it comes to VoIP deployment on open source platforms, security awareness is one of the most important concerns. If servers are not secure, issues arise. Some common threats in a VoIP deployment include:

  • Interception and modification threats
  • Interruption-of-service threats
  • Abuse-of-service threats
  • Social threats

For small organizations, major problems could arise from toll fraud or telephone service abuse, whereas for large governmental organizations the high risks are to information security and the integrity of voice communications. Some common security threats in open source telephony are:

  • Default password exploitation
  • Port mirroring of the switch to which the VoIP server or proxy is connected
  • Attacks on call signaling servers
  • Attacks on media servers
  • DoS and DDoS attacks aimed at service disruption, targeting DNS, presence, redirect and proxy servers
  • An attacker eavesdropping and performing traffic analysis of unprotected signaling and media traffic
  • Masquerading and impersonation attacks
  • Unauthorized access to servers by exploiting weak spots in servers; e.g., poor firewall rules, buffer overflow attacks, poor configurations, etc.

The following helpful illustrations depicting various sensitive areas in a VoIP deployment can be found in an excellent book on VoIP security entitled Securing VoIP Networks, by Peter Thermos and Ari Takanen (founder and CTO of Codenomicon):

Some general security best practices during the implementation of Open Source telephone solutions are:

  • Source address assurance by ingress filtering
  • Audit trail, trapping and logging
  • Trusted time stamping
  • Critical resource allocation
  • System monitoring
  • Ability to apply patches and supplementary code in a timely manner
  • Separate network for management

Some excellent security resources worth reading about Open Source and VoIP security are: