By Christopher Gerg, CISO and VP of Cyber Risk Management, Tetra Defense

The overwhelming popularity of VoIP Private Branch Exchange systems (PBX) in the modern workplace demonstrates that the benefits afforded to businesses over cost reductions, system flexibility, and future growth are real, mainstream, and very popular. Like any network-enabled infrastructure service, a phone system must be secured to best practice standards from security threats and vulnerabilities.

Introduction to Firewalls

The first line of defense for VoIP and Unified Communication systems is a perimeter firewall. It is designed to secure, manage, and monitor ingress and egress network traffic based on a predefined security configuration.

The firewall controls the network packet exchange between the trusted internal network and untrusted external internet. telephone systems often incorporate VoIP firewalls, Session border controllers (SBC), and secured SIP trunking to create an assured telephone ecosystem.

Software versus Hardware Firewalls

Firewalls are available as physical hardware or software appliances that can be deployed into virtual or cloud environments. Deciding which flavor to deploy depends on the use-case scenario. For global organizations with large, multi-site call centers then hardware firewalls might be a more appropriate solution, simply because of the load and bandwidth requirements of many thousands of simultaneous voice operations.

Software firewalls are extremely popular in SMB environments, the firewall is virtualized which offers incredible flexibility for scaling and phone system management. Software firewalls make regular system upgrades significantly more straightforward and enables the capability to easily roll back in the event of errors.

Potential Threats to VoIP and Unified Communications

Information security specialists often group potential threats targeting VoIP and unified communications into three categories: confidentiality, integrity, and availability. This is sometimes referred to as the CIA Triad security model.

Confidentiality specifically relates to retained telephone data such as conversation content, voicemails and call history. Phone conversations can potentially be eavesdropped on if systems are incorrectly configured or inadequately protected. Confidentiality can also be violated unintentionally through human error, carelessness, or inadequate security controls.

The Integrity of telephone systems requires that data remains unaltered at all times and that the data is correct, authentic and reliable. Threats to data integrity can include caller identification spoofing, cases such as the incoming caller ID being deliberately altered to mimic a genuine organization – such as a credit card company. Hackers can potentially use this information to impersonate proxy telephone systems to reroute (hijack) phone calls, often with the intention to defraud.

Availability relates to the uptime of the phone system, the standard threats facing computer infrastructure can cause significant harm to telephone systems. Denial of Service (DoS) attacks can wreak havoc, with hackers flooding the telephone gateway or proxy servers to take down entire call centers and overload all the SIP trunks.

How Firewalls Protect Against Those Threats

Well-architected security firewalls can thwart and repel many of these threats. Implementing technical and procedural best practices can significantly reduce the risk and exposure of your business to outages and downtime.

At a technical level, diligent management of the telephone system must be mandatory, this includes system upgrades, patching, and infrastructure hardening. The firewall adds a secured gateway into the network, but if the rest of the network is running out of date software, then the entire system is at risk.

The firewall rules on the PBX must filter specific source IP address/domain combinations, including blocking out-of-scope open ports, implementing MAC address filtering, and blocking dangerous, suspicious or unauthorized network access.

Rules must be created that block untrusted web access from outside the specified IP address range, and the firewall policy must be configured to drop all the packets and connections sent from unauthorized hosts  (IP blacklisting). Also, separating the voice and data traffic routing over the network will secure the trunks on the PBX.

To protect the confidentiality, integrity, and availability of data there are a number of countermeasures to be implemented. Strong access controls (ACLs), authentication mechanisms (MFA), and encryption of data in the process, transit, and storage are a great start to help protect confidentiality.

To safeguard the integrity, firewalls must incorporate strong authentication mechanisms and access control processes. Being protected by digital certificates and encryption of the network traffic enhances the security of data. Modern firewalls provide additional security features such as an intrusion detection system and enhanced SIEM logging capabilities.

System engineers can protect the availability of VoIP firewalls by creating a redundant and fault-tolerant network architecture. The easiest way to do this is to double down on the firewall investment by having an HA network stack.

Furthermore, many organizations are choosing to add an additional layer of protection by leveraging an external denial of service protection solution, often from third-party managed service providers that repel brute force DDoS attacks.

Best Firewall Software for VoIP and Unified Communications

In our opinion, the best software firewall for VoIP and Unified Communications is the Cisco ASA series adaptive security virtual appliance. It provides firewall functionality, as well as integration with context-specific Cisco security modules and can be scaled for enterprise-level traffic and connections.

Although licensing of Cisco products is quite expensive, the overall product experience and the level of granularity that can be implemented is staggering. Cisco is the global leader in unified communications and is the industry standard for software appliances.

The Cisco ASA series delivers advanced threat protection and integrated security features. It is perfect for network defense, vulnerability protection, and DDoS attacks and is widely used in VoIP solutions.

Best Firewall Hardware for VoIP and Unified Communications

In our opinion, the best hardware firewall for VoIP and Unified Communications is a physical Fortinet Fortivoice phone system firewall. These appliances are robust, secure and can accommodate up to 50,000 phone users.

Fortinet bundle a number of services internally which require no additional licenses including auto-attendants, music on hold, and remote extensions. There are a number of built-in web-based management tools that enable real-time call monitoring, fax services, and call recording.

Firewall Administration and Management

Firewall administration is performed using a central administrative panel that incorporates management tools for the entire phone system suite. This will typically include SLA monitoring, call monitoring, call recording, hunt group configurations, and user privileges.

Additionally, there are a number of integrated security features that streamline the deployment of WAN services. Default features include user management settings, administrative passwords, voicemail password policies, extension filtering, and tools to secure video/call conferencing services.

About the Author

Christopher Gerg is the CISO and Vice President of Cyber Risk Management at Tetra Defense. He’s a technical lead with over 15 years of information security experience, dealing with challenges of information security in cloud-based hosting, DevOps, managed security services, e-commerce, healthcare, financial, and payment card industries. He has worked in mature information security teams and has built information security programs from scratch, leading them into maturity in a wide variety of compliance regimes.