Generally the security of these deployments is relatively higher than other VoIP solutions, and can be equivalent to the security offered by PSTN telephony.

Utilise a VLAN

For both inbound and outbound IP connectivity, separating the Voice data from other data (e.g. web surfing, email, file sharing traffic) via a VLAN will allow better bandwidth management, and will generally improve voice quality. Some phones can automatically perform VLAN segmentation.

Separating voice streams and data streams in VLANs

Utilise compatible network firewalls

Firewalls are used to inspect packets and either allow them into your network, or reject them. If your firewall is configured incorrectly, VoIP traffic may not be able to pass into or out of your network, rendering the VoIP system inoperable. Ensure that your corporate firewall can handle the VoIP communication protocols that your VoIP solution is using (for example SIP or H.323, TLS etc.). New generations of network firewalls are often designed with VoIP security in mind and offer many voice security features. Due to the nature of how VoIP connections operate, it may not be possible for regular corporate firewalls to support VoIP connectivity. In such a case, it may be necessary to utilise an Application Layer Gateway (ALG) embedded into the firewall. ALGs are highly specialised and can enable VoIP to function smoothly without losing security assertion.  

Harden underlying systems

Protection of gateways, gateway controllers and transmission lines in between these is essential. The underlying system should be hardened (patched to the most recent release / patch), and turning off any unneeded services. Hardening can be completed with the help of operating system benchmark utilities such as the Center for Internet Security benchmark tools http://www.cisecurity.org/

Conduct a vulnerability assessment

A vulnerability assessment (VA) for VoIP applications, systems and networks can help identify weaknesses in VoIP implementations if the security of the system is critical to the organisation. If such a VA is conducted, it is important to clearly define the scope and intent and allocate sufficient timing and funding to ensure the test is worthwhile.

Utilise an IPS

Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) triggers alarms if suspicious activities or events take place. VoIP specific IDS / IPS are expected to be created in future. An IPS or IDS could potentially introduce network overhead and may deteriorate the VoIP service.

Develop secure network layouts

Network structure planning of VoIP infrastructure can significantly reduce the attack vectors available to malicious users. VoIP servers and infrastructure are best placed in a restricted zone on the network, which have been configured to allow only authorised users in.