High Security

Due to the open nature of IP networks, the security of voice over IP (e.g. how to prevent DoS attacks, anti-theft hits, anti-eavesdropping, etc.) is a major concern in the development process. This is especially true for government agencies and medium and large enterprises, which have higher requirements for voice over IP security.

So what exactly are the security policies?

The common voice establishment and control signaling for voice over IP communications is the SIP protocol, which is an open protocol system. Any hacker can use these tools to obtain detailed information about the various components of IP voice communications (voice servers, voice gateways, IP phones, etc.): IP addresses, TCP/UDP ports of service applications, etc.

A DoS denial of service attack is a simple but very effective disruptive attack on networks today that will cause a computer or network to fail to provide normal services. A DoS attack on the various components of a voice over IP communications system will cause the operating system resources on these devices to be consumed. Some administrators set up their firewalls with all ports open for simplicity, in case they inadvertently block useful ports that affect VoIP communications. This exposes the entire device to the network and those ports that are not in use are vulnerable to denial of service attacks.

3.Enabling static/dynamic defences

Anti-call theft
In the old days of traditional telephony, there was a need to prevent theft of calls by means of hook-ups. In the age of Voice over IP, although there is no way for IP phones to make calls by hooking up a line, it is possible to gain access to the phone by stealing the user's extension number and password. To avoid IP phone theft calls, you need to protect your account information (like protecting your bank card account). For businesses, it is a good idea to tie the account number to an IP address (or even a MAC address) so that even if the account is stolen, you cannot make calls from elsewhere.

Common ways to prevent phone calls from being stolen include
- Setting up a whitelist for Web/SSH access
- Regularly changing Web login passwords and IP extension passwords, and enabling anti-violence cracking features
- Set up call permissions and rules for managing the length and frequency of long distance calls
- Enabling rights management
- Enable User-Agent header domain protection and SIP address granting

Anti-message eavesdropping
To intercept voice data during call setup or SIP calls, it is necessary to be located where the call is passing through, i.e. at the telephone service vendor or SIP end. As the connection may change the traffic routing, there are only a few implementable points for intercepting SIP calls, i.e. at the SIP client, at the proxy front-end or at the ISP used by both endpoints. This problem can be solved by end-to-end encryption of SIP.

Common ways of preventing information eavesdropping are
- Using TLS/SRTP data encryption
- Use with an enterprise session border controller SBC (the SBC is described as a "voice firewall" and offers a variety of security policies such as black and white lists, static/dynamic defenses, protection against DoS/DDoS/media streaming attacks, TLS/SFTP encryption, etc.)
- VPN network if available (of course, VPN account information must also be protected)

Dedicated staff for regular maintenance
In doing these security defenses, we also recommend that enterprises have dedicated management of their voice over IP equipment so that they can pay regular attention to abnormal information about the equipment, including: hardware failures, changes in the network environment or SIP registration, abnormal logins, SIP attacks, excessive concurrent or long-distance call volumes, operation logs and other information, so that suspicious situations need to be dealt with in a timely manner.