VoIP Security is a Different Animal - ECG

Written by Mark Lindsey | Apr 20, 2009 4:00:00 AM

A lot of network security experts grew up protecting conventional
enterprise applications. Clients are PCs. Servers are web servers, or
run MS Exchange. Maybe they get involved in web proxies. Perhaps they
have to create a special rule for Microsoft SQL Server.

VoIP security is entirely different. The ports, connections, services,
and behavior are completely different from those of conventional PC
services.

Does your security consultant understand SIP or MGCP? (Certain ports
have to be opened to allow access -- but they shouldn't be open to
the whole Internet.)

Do they understand how RTP ports are allocated? (There's no standard
defined set of RTP ports.)

Do they understand how SIP phones acquire their configurations? (Do
this wrong, and you may be exposing all of your customers to fraud and
interception of calls.)

Do they understand how Session Border Controllers work, and what
traffic they should allow through?

Do they understand how SIP authentication works? (Get this wrong, and
you might be giving away free phone service.)