Outbound SIP Trunk Security
When a SIP application is exposed to the public internet, it is highly advisable to consider additional security implementations that will help protect your systems applications against unauthorized access. Malicious third parties are often looking for poorly secured VoIP systems to exploit.
The DIDWW Outbound SIP Trunk service offers 2 layers of authentication for increased security:
Digest authentication method (mandatory) - incoming SIP requests are challenged and must be authenticated with a username and password.
IP based authentication (optional) - traffic will only be allowed when originating from a specified IP address.
Additional protective limitations that may be applied when using DIDWW Outbound SIP Trunks are as follows:
24-hour limit - this limit defines the maximum amount of fund expenditure allowed per trunk, per rolling 24- hour period. Once the set limit is reached, the traffic is blocked until the user manually re-enables the traffic flow. Please note that active calls are not disconnected by DIDWW and may cause your 24h limit to go beyond its set threshold.
Capacity limit – this limit defines the maximum number of simultaneous calls per trunk.
Other precautionary measures that can be administered in your infrastructure:
Perform a regular traffic review for unusual activities.
By regularly checking call reports and comparing call volumes for different date/time periods, significant variations in call activity are easily noticed. This information may provide insight into areas of misuse, and aid in applying traffic security services and parameters.
Disable international calling and enable geo-fencing.
Limiting outbound calling to specific destination countries will prevent malicious parties from benefitting from toll fraud. Geo-fencing may also be used on network firewalls and email servers to prevent connections to countries with a high incidence of fraud.
Update firmware on VoIP phones and avoid connecting devices directly to the internet without using a router or firewall.
Updating the device firmware ensures that the most currently-available security patches are installed, and that any vulnerability gaps are closed before a phone system goes live. Ensure that an IP phone is connected to the Internet using router or a firewall. IP phones are managed through a web interface that can be accessed remotely if directly connected to the Internet. Any default administration passwords should be changed.
Implement firewalls specifically for VoIP systems.
There are numerous firewalls that are available specifically for VoIP systems that will not only protect these systems from malicious parties, but will balance the network traffic load to ensure high quality of service.
Educate users on best practices to enhance cyber security.
Proper user education regarding security credentials and what to expect from normal quality of service on VoIP calls can help keep a communications system secure. Educated end users provide an extra set of eyes that are able to notice abnormal activity, indicating that the system has been compromised