What are the VoIP security measures?


Cloud telephony, i.e. telephoning via VoIP over a virtual telephone system, is becoming increasingly popular. But many companies are still skeptical and wonder whether cloud telephony can be as reliable as "good old" ISDN. And isn't using the Internet a major security risk? Again and again, weak points in hardware etc. make headlines and unsettle users. We confronted Jan-Peter Koopmann, CTO at the cloud telephony provider Nfon, with the most frequently asked questions about the security of cloud telephony.

Is cloud telephony more secure than ISDN?

Can cloud-based telephony that runs over the Internet be as reliable as classic ISDN?

Koopmann: Cloud telephony can even be more secure if aspects such as a redundant network connection are considered. That was also the case in the days of ISDN, but this was usually only given to large companies - in comparison, it is much easier today to get a redundant network.

In addition, the question is whether the telephone system in the basement is really more secure than the cloud telephony from a provider with redundant offers. There are certainly examples where ISDN has never broken anything in 30 years. On the other hand, it was enough if a car drove into a junction box and nothing worked. From today's perspective, with today's technology, cloud telephony can be classified as more secure.

Where are the weak points in terms of reliability in cloud telephony?

Koopmann: In principle there are three places. On the one hand, this is the provider himself, if he has weak points, then his offer may no longer be available. The second aspect is the transport routes, for example if there is an Internet fault. But what many users tend to forget is the third point: the local, internal network infrastructure. A company can choose the best redundant cloud provider and choose the most expensive, most reliable internet service provider.

However, if the firewall or a gateway fails and a replacement is not available, then cloud telephony will not work for a long time. Although more and more company-critical services are nowadays dependent on functioning networks, too little attention is paid to their own internal infrastructure. The external transport routes can now be secured relatively cheaply via several providers or via LTE / 5G - but what if the supplier cannot supply hardware replacement?

Which of these vulnerabilities should a user pay particular attention to?

Koopmann: A user company should pay attention to its internal infrastructure, because this is where the greatest potential for error lies. At the same time, the user really has this under control himself. A lot can be done wrong here and troubleshooting is tedious. If, on the other hand, there are problems with the transport routes or the cloud telephony provider, then a company can change service provider relatively quickly.

Which cloud VoIP provider is the right one?

The providers promise heaven on earth when it comes to security and reliability, but how can I really check that the offer is not hosted in a backyard garage?

Koopmann: That depends on how much time a user can and wants to invest. First, of course, a user can look on a map in which area the provider is located and draw his conclusions from it. A large company can also request a description of the data center and will often be allowed to visit it in order to be able to convince itself on site. In addition, cloud telephony is also contract data processing, so that the applicable rights and laws apply.

All of this now helps the larger companies, but is of little use to small and medium-sized enterprises - such as tax firms. They can actually only rely on the certificates with which the provider advertises. If these turn out to be fake, it is fraud. And word of this is likely to get around in public very quickly.

Another approach is to check the reputation of the cloud provider on portals or other information offers such as specialist media. Does the envisaged provider attract attention due to lost data or constant failures? In the Internet age, this is very transparent - regardless of whether companies want it or not.

And how do I check that the guaranteed availability / reliability is not a fairy tale?

Koopmann: Here you should ask yourself the counter question: How did you check the availability of your ISDN or DSL connection in the past? Sure, it is technically possible to check the availability of cloud telephony with the help of measuring instruments. However, very few users are prepared to bear the corresponding costs. Ultimately, you are dependent on the transparency of the cloud provider here. What information does it provide besides the promise of 99.x availability?

You should also be puzzled if you never read anything about maintenance windows etc. from your provider. We are talking about technical solutions here and there cannot be one hundred percent availability. On the other hand, there is the perceived availability. Does it really affect your business if the cloud telephony provider regularly has its maintenance window between 3:00 and 3:30 a.m.? On the other hand, attention should be paid to whether malfunctions occur in the course of a working day and how long the provider needs to rectify them, or which troubleshooting periods he guarantees.

Does cloud telephony pose an incalculable risk?

Telephony over the Internet, PBX in the cloud. Am I not taking an incalculable risk into my house?

Koopmann: That is a valid thought, but how secure is a company if it does not take the step into the cloud? Here apples are often compared to pears. Regardless of telephony, this question always arises: How secure is it when a company operates something itself - such as an e-mail server? Ultimately, a company has to ask itself whether it can be operated one hundred percent securely and whether the corresponding security resources are available. Large companies with an appropriate IT department are likely to have a positive answer to this question.

But how many companies are really able to do this, know where the current security holes are, and continuously install the latest security updates? Ultimately, every company - apart from banks, insurance companies, etc. - should ask itself how much time and money it can invest in security. On the other hand, one can assume that the cloud providers, regardless of whether they are telephony or other services, spend significantly more work on security, because their economic existence depends on it.

What are the specific risks (viruses / hackers, man in the middle, manipulated hardware)?

Koopmann: The subject of manipulated hardware currently does not play a role in practice, if you leave the whole secret service area aside, because it is very difficult to assess. On the other hand, users have to struggle with the whole range of classic attacks such as Trojans etc. Often the danger also threatens from within through manipulated e-mails. Once an attacker is online, telephony is also threatened. And that can be expensive. There are a number of examples where a Trojan has searched for an IP phone in the local network. From there, phone numbers in Africa were called diligently. In some cases, the amount of damage was several 10,000 euros.

As a rule, these attacks take place from the user's network. As long as the cloud provider itself takes the appropriate and necessary security measures, attacks from the user's network are the most frequently observed scenarios. And a good cloud provider will take measures to identify security problems with its customers and prevent misuse as early as possible.

What security weaknesses does cloud telephony raise?

However, attacks on cloud telephony have made headlines in the recent past. What were those weak points?

Koopmann: In August last year and January, incidents related to IP telephony hit the headlines. In August, for example, security researchers found that the physical end devices, i.e. the IP desk telephones, have many security gaps in them if you do not use softphones. That was a bit of cross-site scripting, etc., so you could access the phones and trigger attacks without major security barriers. However, this only worked if an attacker could access the phone.

If the phone's web interface was secured, these attacks were not possible. For this reason, users should always leave the phone's password protection activated, because it is a fallacy to assume that the phones are secure if they are installed in their own local network. A telephony provider who cares about security should therefore always deliver their telephones with activated password protection and not only rely on the security mechanisms of their suppliers, but also install additional protective measures.

What can the user do in terms of security?

Koopmann: Small and medium-sized companies should ask the experts here. However, it does not necessarily have to be the manufacturer or service provider; it can also be the IT partner. Many system houses have also specialized in security. If this aspect is left aside, then the user who is inexperienced in security issues actually only has the option of relying on the reputation of the company.

Furthermore, he should then look in the media and other sources of information to find out how important issues such as data protection are to the provider and how transparently he communicates when things don't go as they should. In this context, transparency is an important trust factor that is often underestimated.

When is security the responsibility of the user, and from what point is the provider responsible? Where does the dividing line run?

Koopmann: This is a difficult field in times of cloud applications. There used to be a clear dividing line: Everything that takes place in the user's network - in concrete terms, behind the firewall - is the responsibility of the user. On the whole, that's still true. However, the question arises as to whether a cloud provider should not help users with typical mistakes that they make or can make.

An example would be users who explicitly deactivate the password protection of IP telephones. Should a cloud provider take the position that I do not care because it is the user's responsibility or should he point this out to him or, even better, ensure maximum security on his own initiative? Ultimately, in the cloud age, this is a fluid border and no longer a clear dividing line as it used to be.

Cloud VoIP Security - Softphone or Hardware?

Is there a kind of feature set of security measures in Germany that a cloud PBX provider should offer?

Koopmann: There are things that actually every provider offers. This includes, for example, the provisioning of end devices via encrypted connections. Good and reputable providers will also offer voice encryption. Encryption, redundant operation of the data center, secure provisioning - that should be standard for every provider. But the devil is in the details. How much work does the provider really do? How often does he question his own security strategy? Does he pay attention to possible mistakes made by the user?

Is a softphone or a hardware-based IP phone more secure?

Koopmann: Both types have risks, but the risks are different. So often the expectation of a telephone on the table is that it is a stupid device. In truth, the IP telephones on the table are now small Linux computers with an operating system. The big danger here is that one is often not aware that these devices pose a security problem. The majority of DDoS attacks today no longer come from Windows