The National Security Agency (NSA) has released a new report giving organizations insight into the current best practices around the security of unified communications (UC) and voice and video over IP (VVoIP).
The report, titled Deploying Secure Unified Communications/Voice and Video over IP Systems, also looks at the potential risks to improperly secured UC/VVoIP systems.
Modern communications infrastructure in most organizations is tightly integrated with other IT networks, increasing the attack surface for hackers to gain access. The NSA said that UC/VVoIP devices would pose the same hacking risks to organizations through spyware, viruses, software vulnerabilities, or other malicious means if left inadequately secured.
"Malicious actors could penetrate the IP networks to eavesdrop on conversations, impersonate users, commit toll fraud and perpetrate denial of service attacks," the NSA said in a statement.
"Compromises can lead to high-definition room audio and/or video being covertly collected and delivered to a malicious actor using the IP infrastructure as a transport mechanism."
The report outlined the tips and tricks organizations should undertake to enhance security, such as segmenting voice and video traffic from data traffic and separate IP address ranges to limit access to a common set of devices.
Five lessons learned from the pivot to a distributed workforce
Improve employee experience and support IT teams for a more adaptable distributed workforce
In addition to using VLANs, administrators should also use access control lists and routing rules to limit access to devices across VLANs. According to the NSA, this makes it more difficult for a malicious actor to access open services on phones and servers from outside the VLAN.
Another best practice the NSA outlined is implementing layer 2 protections and address resolution protocol (ARP) and IP spoofing defenses. It also recommended only using switches with these protections.
The NSA also said that PSTN gateways should authenticate all UC/VVoIP connections and not allow calls directly from IP phones without the UC/VVoIP server’s permission.
The agency also urged organizations to use only vendor-signed patches downloaded from trusted sources.
The NSA said taking advantage of a UC/VVoIP system’s benefits, such as cost savings in operations or advanced call processing, comes with potential risk.
"A UC/VVoIP system introduces new potential security vulnerabilities. Understand the types of vulnerabilities and mitigations to better secure your UC/VVoIP deployment,” the agency said.
