Security of IP telephony
When IP telephony is being implemented, voice quality and phone features are the primary considerations. At times, security and disaster recovery are forgotten entirely or implemented as an afterthought. Because voice communications are sensitive for most businesses, it is imperative to consider security and continuity from the beginning. The following are some of the security considerations that should be addressed as you plan your implementation of IP telephony:
- Data Classification: Consider the data classification of the information that will be contained in voice communications and voicemail. Apply controls appropriate for the classes of data that would be routinely contained in voice communications.
- Network Segmentation: Isolate voice from data on the network by creating separate VLANs for voice circuits. Use access control lists and/or firewall rules to prevent Denial of Service (DoS) attacks against the voice network.
- Server Security: Voice systems should have the same level of security applied to them as other servers and network devices on your network. This includes keeping systems patched, controlling access with strong passwords that are changed periodically, stopping all unnecessary services, and restricting remote access to only those administrators who require it.
- Management Interface: Many systems have a web browser interface for system management. If possible, disable HTTP access to this interface and allow only HTTPS access.
- Phone Configurations: Place passwords on phones to prevent unauthorized access to, or changes to, phone configurations. Also protect the phone configuration server (e.g. TFTP) through secure network placement with access lists and/or firewall controls.
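
The segmentation, management-interface and TFTP items above can be checked against a rule set before it is deployed. The following is an added example, not part of the original checklist: a first-match ACL evaluator run over a constructed rule set. The subnets, the call-server address and the rule tuple format are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: subnets, addresses and rule format are assumptions.
VOICE_VLAN = "10.20.0.0/24"
DATA_VLAN = "10.10.0.0/24"
ADMIN_NET = "10.99.0.0/28"
CALL_SERVER = "10.20.0.10"  # hosts call control, TFTP and the web management UI

# (action, protocol, source network, destination host, destination port)
# First match wins; a port of None matches any port.
ACL = [
    ("permit", "udp", VOICE_VLAN, CALL_SERVER, 69),    # phones fetch configs
    ("permit", "tcp", ADMIN_NET, CALL_SERVER, 443),    # HTTPS management
    ("permit", "tcp", DATA_VLAN, CALL_SERVER, 80),     # weak: HTTP mgmt from data VLAN
    ("deny", "any", "0.0.0.0/0", CALL_SERVER, None),   # everything else to the server
]
HARDENED_ACL = [r for r in ACL if r[4] != 80]          # same rules minus the HTTP permit

def evaluate(acl, proto, src, dst, port):
    """Return the action of the first matching rule, or 'deny' if none match."""
    src_ip = ipaddress.ip_address(src)
    for action, r_proto, r_src, r_dst, r_port in acl:
        if (r_proto in ("any", proto)
                and src_ip in ipaddress.ip_network(r_src)
                and r_dst == dst
                and r_port in (None, port)):
            return action
    return "deny"  # implicit deny

# Policy taken from the checklist: (description, proto, source, port, expected)
CHECKS = [
    ("phone reaches TFTP", "udp", "10.20.0.50", 69, "permit"),
    ("data VLAN blocked from TFTP", "udp", "10.10.0.50", 69, "deny"),
    ("admin reaches HTTPS mgmt", "tcp", "10.99.0.5", 443, "permit"),
    ("admin HTTP mgmt disabled", "tcp", "10.99.0.5", 80, "deny"),
    ("data VLAN blocked from HTTP mgmt", "tcp", "10.10.0.50", 80, "deny"),
    ("data VLAN blocked from HTTPS mgmt", "tcp", "10.10.0.50", 443, "deny"),
]

def audit(acl):
    """Return the descriptions of checks whose ACL result differs from policy."""
    return [desc for desc, proto, src, port, want in CHECKS
            if evaluate(acl, proto, src, CALL_SERVER, port) != want]

if __name__ == "__main__":
    for name, acl in (("original", ACL), ("hardened", HARDENED_ACL)):
        print(name, "->", audit(acl) or "all checks pass")
```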