APEC TEL WG: VoIP Security

Protecting your Softphone

Softphones require a workstation in order to operate. The core attack vectors on this platform are vulnerabilities in the softphone application, the operating system and the network, together with attacks on your service provider.

Softphone configuration / protocols

Softphones can be tricky to protect, as the user often has little control over how the application is configured. Users should therefore consider carefully which softphone they select, and in particular which protocols the program has enabled. For workstation softphones, it is recommended that the phone utilises the SIP and SRTP protocols (most vendors will state whether their softphone supports these, or can be asked for such information). Both protocols, if well implemented by the vendor, will significantly boost the security of the VoIP service.

Note: Some softphones utilise their own proprietary protocols so the security strength of these programs is not well known.

SRTP is the Secure Real-time Transport Protocol. SRTP provides encryption, message authentication and integrity protection for VoIP calls (and for other communications not relevant to this booklet).
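A vendor's claim that a softphone "supports SRTP" is not the same as the phone actually negotiating it on every call. As an added example that is not part of the APEC booklet, the Python check below inspects a captured SIP/SDP offer and reports, per media stream, whether the transport profile is SRTP and whether a key exchange (SDES `a=crypto` or DTLS-SRTP `a=fingerprint`) is present; the sample offer and the crypto key value are constructed placeholders.

```python
"""Check whether a softphone's SIP/SDP offer really negotiates SRTP, not plain RTP."""
import re
from collections import namedtuple

# Transport profiles on the m= line that denote SRTP-protected media.
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
# Fields: kind (audio/video), profile (from m= line), srtp (profile is SRTP), keying (sdes/dtls/none).
MediaCheck = namedtuple("MediaCheck", "kind profile srtp keying")

def _classify(lines):
    """Classify one media section (its m= line plus the attributes below it)."""
    m = re.match(r"m=(\S+)\s+\d+\s+(\S+)", lines[0])
    kind, profile = m.group(1), m.group(2)
    attrs = [a for a in lines[1:] if a.startswith("a=")]
    if any(a.startswith("a=crypto:") for a in attrs):
        keying = "sdes"   # keys travel in the SDP itself, so the SIP signalling must be over TLS
    elif any(a.startswith("a=fingerprint:") for a in attrs):
        keying = "dtls"   # DTLS-SRTP: keys come from a DTLS handshake on the media path
    else:
        keying = "none"   # an SRTP profile with no key exchange cannot be trusted
    return MediaCheck(kind, profile, profile in SRTP_PROFILES, keying)

def check_sdp(sdp):
    """Split an SDP body into media sections and return one MediaCheck per section."""
    results, section = [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            if section:
                results.append(_classify(section))
            section = [line]
        elif section is not None and line:
            section.append(line)
    if section:
        results.append(_classify(section))
    return results

def all_media_srtp(sdp):
    """True only if every media stream is SRTP with a usable key exchange."""
    checks = check_sdp(sdp)
    return bool(checks) and all(c.srtp and c.keying != "none" for c in checks)

# Constructed sample offer: audio uses SDES-SRTP, but video falls back to plain RTP.
SAMPLE_OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.10
c=IN IP4 192.0.2.10
m=audio 49170 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTEDPLACEHOLDERKEYNOTREAL
m=video 51372 RTP/AVP 96
a=rtpmap:96 H264/90000
"""
```

Run `all_media_srtp()` over SDP bodies captured from a test call (for example from a packet capture of the SIP INVITE) to confirm that no stream silently falls back to unencrypted RTP.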

End-to-end security solutions

A recent development in softphone protection is third-party end-to-end VoIP security solutions. End-to-end solutions offer protected channels during the entire transmission of a connection from the caller to the receiver and vice versa. Installation of these applications is recommended, as they can offer far higher assurances of confidentiality and integrity than softphones without them. End-to-end solutions often require both endpoints to have the security solution installed. This may make such products less practical for businesses with large volumes of outgoing calls which require high security.

Improving Insecure Networks

If you are using your softphone through public insecure networks (e.g. from Internet cafes or open/free wireless networks) there may be additional security issues. Using a VoIP softphone on a workstation which has not been adequately hardened, or which is not owned by the VoIP-enabled SME, could jeopardise the privacy of calls made. If utilising VoIP from a public network, the use of a VPN or other end-to-end VoIP solution is recommended.

If the VoIP solution is going to be used outside of the organisation's network, ensure that the connection from the handset or softphone to the organisation's internal VoIP server is established over a secure and encrypted connection. The use of a well configured VPN is highly recommended to achieve this. It should be noted that a VPN may add extra data overhead to the VoIP connection and could introduce some lag.

If a VPN is utilised alongside QoS options, the QoS flags in the voice stream are hidden inside the encrypted tunnel, so QoS will no longer be in effect along the path: VoIP traffic will not necessarily be given high delivery priority, and calls may become lagged.