Network Security Configuration

Updated 5 days ago

Introduction

Securing your VoIP network infrastructure is critical for protecting sensitive communications, preventing toll fraud, and ensuring business continuity. This comprehensive guide covers essential security configurations, from basic firewall rules to advanced encryption protocols, helping you build a robust security posture for your enterprise communications.

Security is Not Optional

VoIP systems are prime targets for attackers. A single security breach can result in toll fraud costing thousands of dollars per day, exposed confidential communications, or complete service disruption. Implement these security measures immediately.

Security Fundamentals

VoIP security requires a layered defense approach. Each layer addresses different threat vectors:

Physical Layer

Layer 1
Common Threats:
  • Unauthorized access
  • Device theft
  • Cable tampering
Security Controls:
  • Locked server rooms
  • Surveillance
  • Asset tracking

Network Layer

Layer 2
Common Threats:
  • DDoS attacks
  • Man-in-the-middle
  • Network sniffing
Security Controls:
  • Firewall rules
  • VLANs
  • Intrusion detection

Transport Layer

Layer 3
Common Threats:
  • Packet injection
  • Session hijacking
  • Eavesdropping
Security Controls:
  • TLS encryption
  • SRTP
  • Certificate validation

Application Layer

Layer 4
Common Threats:
  • SIP attacks
  • Toll fraud
  • Account hijacking
Security Controls:
  • Authentication
  • Rate limiting
  • Access policies

Firewall Configuration

Proper firewall configuration is your first line of defense against external attacks. Follow these steps to secure your VoIP infrastructure:

1. Define Required Ports

Open only the necessary ports for VoIP traffic. Minimize attack surface by blocking all other ports.

Service         Protocol   Port(s)       Direction
SIP Signaling   UDP/TCP    5060-5061     Both
SIP TLS         TCP        5061          Both
RTP Media       UDP        10000-20000   Both
STUN            UDP        3478          Outbound

2. Implement IP Whitelisting

Restrict access to known IP addresses or ranges. This prevents unauthorized connection attempts.

# Example firewall rule (iptables)
iptables -A INPUT -p udp --dport 5060 -s 203.0.113.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j DROP

Replace 203.0.113.0/24 with your provider's IP range

3. Enable Stateful Inspection

Use stateful packet inspection to track connection states and prevent spoofing attacks.

  • Track SIP sessions and only allow related RTP traffic
  • Drop packets from unknown connections
  • Monitor connection timeouts and clean up stale entries

4. Disable SIP ALG

SIP Application Layer Gateway often causes more problems than it solves. Disable it on your router/firewall to prevent NAT traversal issues and potential security vulnerabilities.

Rate Limiting

Implement rate limiting to prevent brute force attacks: Limit SIP REGISTER attempts to 5 per minute per IP, and SIP INVITE to 30 per minute. Use fail2ban or similar tools to automatically block abusive IPs.
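
The thresholds above applied to a SIP request log, as an added example that is not part of the original guide: a sliding 60-second window per source IP, the kind of check fail2ban-style tools automate. The log line format, the function names, the sample addresses and the per-IP reading of the INVITE limit are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Thresholds from the text, applied per source IP over a sliding window.
# Applying the INVITE limit per IP is an assumption of this example.
LIMITS = {"REGISTER": 5, "INVITE": 30}
WINDOW = 60  # seconds


def parse_line(line):
    """Parse one constructed log line: '<unix_ts> <src_ip> <METHOD>'."""
    ts, ip, method = line.split()
    return int(ts), ip, method.upper()


def find_abusive_sources(events, limits=LIMITS, window=WINDOW):
    """Return {(ip, method): timestamp of the first request over the limit}."""
    recent = defaultdict(deque)  # (ip, method) -> timestamps inside the window
    violations = {}
    for ts, ip, method in events:  # events must be in chronological order
        limit = limits.get(method)
        if limit is None:
            continue  # BYE, OPTIONS, ... carry no limit in this example
        q = recent[(ip, method)]
        q.append(ts)
        while q[0] <= ts - window:
            q.popleft()  # drop requests that fell out of the window
        if len(q) > limit:
            violations.setdefault((ip, method), ts)
    return violations


def analyze(log_text):
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    return find_abusive_sources(events)


# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = "\n".join(
    # One REGISTER every 5 s: the 6th lands inside a single minute.
    [f"{1000 + 5 * i} 198.51.100.7 REGISTER" for i in range(8)]
    # Re-registration every 20 s: at most 3 per minute.
    + [f"{1000 + 20 * i} 203.0.113.10 REGISTER" for i in range(8)]
    # 10 calls in one minute: below the INVITE limit.
    + [f"{1000 + 6 * i} 203.0.113.10 INVITE" for i in range(10)]
)

if __name__ == "__main__":
    for (ip, method), ts in analyze(SAMPLE_LOG).items():
        print(f"block {ip}: {method} limit exceeded at t={ts}")
```

The returned keys are the source IPs to hand to the blocking mechanism; the timestamp is the request that first exceeded the limit.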

Encryption Setup

Encryption protects your communications from eavesdropping and tampering. Implement both signaling and media encryption:

TLS for Signaling

SIP Security

TLS (Transport Layer Security) encrypts SIP signaling traffic, protecting authentication credentials and call metadata.

Configuration Steps:
  1. Obtain SSL/TLS certificates
  2. Configure SIP server for TLS on port 5061
  3. Enable TLS in client devices
  4. Verify certificate validation

SRTP for Media

Audio/Video Security

SRTP (Secure Real-time Transport Protocol) encrypts the actual voice and video streams, preventing eavesdropping.

Configuration Steps:
  1. Enable SRTP in PBX settings
  2. Configure encryption algorithm (AES-256)
  3. Set key exchange method (SDES/DTLS)
  4. Test encrypted calls

Certificate Management

Best Practices

  • Use certificates from trusted Certificate Authorities (CA)
  • Set up automatic certificate renewal (Let's Encrypt recommended)
  • Monitor certificate expiration dates
  • Maintain certificate revocation lists (CRL)
  • Use 2048-bit or higher RSA keys
  • Implement certificate pinning for critical connections

# Generate self-signed certificate (testing only)
openssl req -x509 -newkey rsa:4096 -nodes \
  -keyout voip-key.pem -out voip-cert.pem -days 365 \
  -subj "/CN=voip.yourdomain.com"

Access Control & Authentication

Implement strong authentication and access control mechanisms to prevent unauthorized use:

Authentication Methods

SIP Digest Authentication

Required

Challenge-response authentication for SIP registration

  • Use strong passwords (16+ characters)
  • Rotate credentials every 90 days
  • Never transmit passwords in plain text
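
How the challenge-response exchange keeps the password off the wire, as an added example that is not part of the original guide: SIP reuses HTTP Digest (RFC 2617), so the client sends a hash bound to the server's nonce and the registrar recomputes it from its stored secret. The realm, nonce, extension, password and helper names below are constructed for illustration.

```python
import hashlib
import hmac


def _md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Compute the digest 'response' value (RFC 2617, MD5 algorithm)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")  # password stays local
    ha2 = _md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")  # form used when no qop is offered


def build_authorization(username, password, method, uri, challenge, cnonce):
    """Client side: answer the challenge without sending the password."""
    fields = {"username": username, "uri": uri, "nc": "00000001",
              "cnonce": cnonce, **challenge}
    fields["response"] = digest_response(
        username, fields["realm"], password, method, uri, fields["nonce"],
        fields["qop"], fields["nc"], cnonce)
    return fields


def verify(authorization, method, stored_password):
    """Server side: recompute the response and compare in constant time."""
    a = authorization
    expected = digest_response(a["username"], a["realm"], stored_password,
                               method, a["uri"], a["nonce"],
                               a.get("qop"), a.get("nc"), a.get("cnonce"))
    return hmac.compare_digest(expected, a["response"])


# Constructed REGISTER exchange; every value below is made up for the example.
CHALLENGE = {"realm": "pbx.example.com", "nonce": "f3a1c09e5b7d4412",
             "qop": "auth"}
PASSWORD = "correct-horse-battery-staple-42"

if __name__ == "__main__":
    auth = build_authorization("1001", PASSWORD, "REGISTER",
                               "sip:pbx.example.com", CHALLENGE, "0a4f113b")
    print("password in header:", PASSWORD in str(auth))
    print("accepted:", verify(auth, "REGISTER", PASSWORD))
    print("wrong password:", verify(auth, "REGISTER", "admin123"))
```

Every header field except the password is visible to anyone who can read the signaling, so the response is only as strong as the password behind it; this is why the guide pairs digest authentication with long passwords and TLS.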

Multi-Factor Authentication

Recommended

Additional verification layer for admin access

  • TOTP-based (Google Authenticator)
  • SMS verification codes
  • Hardware security keys

IP-Based Authentication

Additional

Restrict access by source IP address

  • Whitelist trusted IP ranges
  • Use with password authentication
  • Update list regularly

Certificate-Based Auth

Enterprise

Use client certificates for authentication

  • Highest security level
  • No password required
  • Requires PKI infrastructure

Password Policy Requirements

✓ Strong Password Rules

  • Minimum 16 characters length
  • Mix of uppercase, lowercase, numbers, symbols
  • No dictionary words or common patterns
  • No reuse of last 10 passwords
  • Mandatory change every 90 days

✗ Weak Password Examples

  • admin123 - Too simple
  • Password1! - Common pattern
  • 12345678 - Sequential numbers
  • extension123 - Predictable
  • Welcome2024 - Dictionary word

Network Segmentation (VLAN)

Separate VoIP traffic from data traffic using VLANs to improve security and quality of service:

Recommended Network Architecture

VLAN 10 - Voice Traffic
Priority: High

IP Phones, VoIP endpoints, SIP trunks

VLAN 20 - Data Traffic
Priority: Normal

Computers, printers, general network traffic

VLAN 30 - Management
Priority: Medium

PBX servers, network equipment, admin access

VLAN 40 - Guest Network
Isolated

Guest WiFi, visitor devices (no VoIP access)

VLAN Configuration Benefits

Security Benefits
  • Isolate VoIP from malware-infected devices
  • Prevent eavesdropping from data VLAN
  • Easier to implement access controls
  • Reduced attack surface
Performance Benefits
  • Dedicated bandwidth for voice traffic
  • QoS prioritization easier to implement
  • Reduced broadcast traffic interference
  • Better troubleshooting capabilities

Monitoring & Logging

Continuous monitoring and comprehensive logging are essential for detecting and responding to security incidents:

What to Monitor

Failed Login Attempts

Alert threshold: 5 per hour

  • Track by IP and username
  • Auto-block after 10 attempts
  • Send admin notifications

Unusual Call Patterns

Alert threshold: Anomalies

  • International calls (if rare)
  • High call volume spikes
  • After-hours activity

System Changes

Alert: All changes

  • Configuration modifications
  • User permission changes
  • Firewall rule updates

Essential Log Types

SIP Messages
Retention: 90 days

REGISTER, INVITE, BYE, and other SIP transactions. Helps diagnose authentication and call setup issues.

Call Detail Records (CDR)
Retention: 1 year

Caller, called party, duration, timestamps, billing info. Essential for fraud detection and billing.

Security Events
Retention: 2 years

Failed logins, blocked IPs, firewall denies, encryption failures. Critical for compliance and incident response.

System Performance
Retention: 30 days

CPU, memory, bandwidth, concurrent calls. Helps identify capacity issues and potential DoS attacks.

SIEM Integration

Forward logs to a Security Information and Event Management (SIEM) system for centralized monitoring:

  • Splunk, ELK Stack, or QRadar integration
  • Real-time correlation of security events
  • Automated incident response workflows
  • Compliance reporting and auditing

Common VoIP Security Threats

Understanding common attack vectors helps you prioritize security measures:

Toll Fraud

Attackers gain unauthorized access and make expensive international calls, potentially costing thousands per day.

Prevention Measures:
  • Restrict international calling by default
  • Implement spending limits per extension
  • Monitor for unusual call patterns 24/7
  • Use strong authentication (never default passwords)
  • Disable unused extensions and trunks
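
The call-pattern checks from "Unusual Call Patterns" and the prevention measures above, run over call detail records, as an added example that is not part of the original guide. The CDR field names, business hours, spending cap, home prefix, allow-list and sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Policy values are assumptions for this example; tune them per deployment.
BUSINESS_HOURS = range(8, 18)      # 08:00-17:59 local time
DAILY_LIMIT = 20.00                # spending cap per extension per day
HOME_PREFIX = "+1"                 # anything else counts as international
INTERNATIONAL_ALLOWED = {"101"}    # international calling is off by default


def review_cdrs(cdrs):
    """Return sorted (extension, reason) alerts for a list of CDR dicts."""
    alerts = set()
    spend = defaultdict(float)     # (extension, date) -> cost so far that day
    for r in cdrs:
        start = datetime.fromisoformat(r["start"])
        ext = r["ext"]
        if start.hour not in BUSINESS_HOURS:
            alerts.add((ext, "after-hours call"))
        if (not r["dst"].startswith(HOME_PREFIX)
                and ext not in INTERNATIONAL_ALLOWED):
            alerts.add((ext, "international call from restricted extension"))
        day = (ext, start.date())
        spend[day] += r["cost"]
        if spend[day] > DAILY_LIMIT:
            alerts.add((ext, "daily spending limit exceeded"))
    return sorted(alerts)


# Constructed CDRs using reserved fictional phone numbers.
SAMPLE_CDRS = [
    {"ext": "101", "start": "2024-03-04T10:15:00",
     "dst": "+12025550143", "cost": 0.10},
    {"ext": "101", "start": "2024-03-04T14:00:00",
     "dst": "+442079460123", "cost": 1.50},
    {"ext": "207", "start": "2024-03-05T02:10:00",
     "dst": "+442079460999", "cost": 12.00},
    {"ext": "207", "start": "2024-03-05T02:40:00",
     "dst": "+442079460999", "cost": 11.00},
]

if __name__ == "__main__":
    for ext, reason in review_cdrs(SAMPLE_CDRS):
        print(f"extension {ext}: {reason}")
```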

DDoS Attacks

Distributed Denial of Service floods your VoIP infrastructure, making legitimate calls impossible.

Mitigation Strategies:
  • Use DDoS protection service (Cloudflare, AWS Shield)
  • Implement rate limiting on SIP INVITE/REGISTER
  • Deploy Session Border Controller (SBC)
  • Have redundant infrastructure with failover
  • Monitor traffic patterns for anomalies

Eavesdropping

Intercepting and listening to unencrypted VoIP calls to steal confidential information.

Protection Methods:
  • Enable TLS for SIP signaling (mandatory)
  • Enable SRTP for media streams (mandatory)
  • Use VPN for remote workers
  • Implement network segmentation (VLANs)
  • Regular security audits of network infrastructure

Vishing (Voice Phishing)

Social engineering attacks using caller ID spoofing to impersonate legitimate organizations.

Defense Tactics:
  • Implement STIR/SHAKEN call authentication
  • Train employees to recognize vishing attempts
  • Verify caller identity through secondary channels
  • Block known spam caller IDs
  • Use call screening and authentication prompts

Compliance Requirements

Many industries require specific security standards for VoIP communications:

HIPAA

Healthcare data protection

Critical Priority
  • Encrypt all patient-related communications
  • Maintain audit logs for 6 years
  • Implement access controls and authentication
  • Regular risk assessments required

PCI DSS

Payment card security

High Priority
  • Never transmit card data over VoIP unencrypted
  • Segment payment systems from VoIP network
  • Regular penetration testing
  • Maintain firewall configurations

GDPR

Personal data privacy

High Priority
  • Protect personal data in call recordings
  • Implement data retention policies
  • Allow data deletion upon request
  • Report breaches within 72 hours

SOC 2

Service organization controls

Medium Priority
  • Document security policies and procedures
  • Regular security audits
  • Incident response procedures
  • Vendor management program

ISO 27001

Information security management

High Priority
  • Establish information security management system
  • Risk assessment and treatment
  • Security awareness training
  • Continuous improvement process

Security Configuration Checklist

Use this comprehensive checklist to ensure your VoIP infrastructure is properly secured:

Network Security

Encryption & Authentication

Monitoring & Logging

Operational Security

Critical: Schedule Regular Security Audits

Security is an ongoing process, not a one-time setup. Schedule quarterly security reviews and annual penetration testing.

  • Monthly: Review logs, update firewall rules, check for updates
  • Quarterly: Full security audit, password rotation, policy review
  • Annually: Penetration testing, compliance audit, infrastructure review
