APEC TEL WG: VoIP Security

VoIP Security Checklist

| VoIP type / Security type | Security question | Techniques, protocols or example tools to utilise | Check |
|---|---|---|---|
| Softphones | Does the softphone utilise secure protocols? Most softphones do, but to be sure, refer to vendor websites. | SIP / H.323 / proprietary protocol; SRTP | |
| | Do I utilise an end-to-end security solution? | VPN; Zfone; ZRTP with SRTP | |
| VoIP adapters / routers / modems | Does the adapter / router / modem utilise secure protocols? | SIP / H.323 / proprietary protocol; SRTP | |
| VoIP over wireless / mobile VoIP | Can the softphone utilise secure protocols? Is it configured to do so? | SIP / H.323 / proprietary protocol | |
| | Is my wireless connection protected with strong encryption? | WPA; WPA2; VPN | |
| Complete VoIP deployment | Are firewalls VoIP capable? | Update to a VoIP capable firewall; utilise ALGs if required | |
| | Is voice data separated from other network data? | Utilise a VLAN to separate the data | |
| | Are gateways and gateway controllers / call manager servers hardened? | Use of benchmarking tools; disablement of unneeded services | |
| | Has a VoIP vulnerability assessment been conducted? | External VoIP security analysts | |
| | Are intrusion detection systems utilised? | Installation of an IDS at critical nodes of the VoIP system | |
| | Is VoIP access restricted to authorised users only? | Restricted zones are placed in the network | |
| | Do we protect against rogue VoIP phones? | Disable automatic VoIP phone recognition on the VoIP server; specifically list allowed devices on the VoIP server via device certificates or MAC address filtering | |
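The rogue-phone row above combines two controls: disabling automatic phone recognition (auto-provisioning) and keeping an explicit allowlist of devices, identified by a pinned device certificate or, more weakly, by MAC address. The following is an added illustration of how a VoIP server's registration check can apply both controls; it is not code from the APEC document or from any PBX product. The allowlist, the certificate byte strings and the registration events are all constructed sample data, and the function names are hypothetical.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for a DER-encoded device certificate (not a real certificate).
CERT_HANDSET_A = b"constructed-device-certificate-for-handset-A"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a device certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


# Hypothetical allowlist held on the VoIP server: normalised MAC -> assigned extension
# and, optionally, the pinned certificate fingerprint. An entry with no fingerprint
# relies on MAC filtering alone, which a spoofed MAC can defeat; the certificate
# check is the stronger of the two controls the checklist names.
APPROVED_DEVICES: Dict[str, dict] = {
    "00:11:22:33:44:55": {"extension": "2001", "cert_sha256": cert_fingerprint(CERT_HANDSET_A)},
    "66:77:88:99:aa:bb": {"extension": "2002", "cert_sha256": None},
}

# Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff.
MAC_PATTERN = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$|^[0-9a-f]{12}$"
)


def normalise_mac(mac: str) -> Optional[str]:
    """Return the MAC in lower-case colon-separated form, or None if it is malformed."""
    candidate = mac.strip().lower()
    if not MAC_PATTERN.fullmatch(candidate):
        return None
    digits = re.sub(r"[^0-9a-f]", "", candidate)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Registration:
    mac: str
    extension: str
    cert_der: Optional[bytes] = None  # certificate presented during registration, if any


@dataclass
class Decision:
    mac: str
    extension: str
    allowed: bool
    reason: str


def evaluate_registration(reg: Registration, allowlist: Dict[str, dict] = APPROVED_DEVICES,
                          auto_provision: bool = False) -> Decision:
    """Decide whether a registering handset is an approved device."""
    mac = normalise_mac(reg.mac)
    if mac is None:
        return Decision(reg.mac, reg.extension, False, "malformed MAC address")
    entry = allowlist.get(mac)
    if entry is None:
        if auto_provision:
            # This is the behaviour the checklist says to disable: an unknown handset
            # is accepted and provisioned on first contact.
            return Decision(mac, reg.extension, True, "auto-provisioned unknown device")
        return Decision(mac, reg.extension, False, "device not in allowlist")
    pinned = entry["cert_sha256"]
    if pinned is not None:
        if reg.cert_der is None:
            return Decision(mac, reg.extension, False, "device certificate required but not presented")
        # Constant-time comparison of the presented fingerprint with the pinned one.
        if not hmac.compare_digest(cert_fingerprint(reg.cert_der), pinned):
            return Decision(mac, reg.extension, False, "device certificate fingerprint mismatch")
    if reg.extension != entry["extension"]:
        return Decision(mac, reg.extension, False, "extension not assigned to this device")
    return Decision(mac, reg.extension, True, "approved device")


def review_registrations(regs: List[Registration], allowlist: Dict[str, dict] = APPROVED_DEVICES,
                         auto_provision: bool = False) -> List[Decision]:
    return [evaluate_registration(r, allowlist, auto_provision) for r in regs]


# Constructed registration events covering the cases the check must handle.
SAMPLE_REGISTRATIONS = [
    Registration("00-11-22-33-44-55", "2001", CERT_HANDSET_A),          # approved, certificate matches
    Registration("0011.2233.4455", "2001", b"constructed-cert-of-other-device"),  # known MAC, wrong cert
    Registration("66:77:88:99:AA:BB", "2002"),                          # MAC-only entry, approved
    Registration("66:77:88:99:AA:BB", "2009"),                          # known MAC, wrong extension
    Registration("de:ad:be:ef:00:01", "2003"),                          # unknown device
    Registration("not-a-mac", "2004"),                                  # malformed identifier
]

if __name__ == "__main__":
    for d in review_registrations(SAMPLE_REGISTRATIONS):
        print(f"{d.mac:20} ext {d.extension}: {'ALLOW' if d.allowed else 'REJECT'} ({d.reason})")
```

Running the same unknown-device event with `auto_provision=True` shows why the checklist asks for automatic recognition to be turned off: the identical registration that is rejected under the allowlist is accepted and provisioned when auto-provisioning is on.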

| VoIP type / Security type | Security question | Techniques, protocols or example tools to utilise | Check |
|---|---|---|---|
| General VoIP security controls | Is patching applied consistently and in a timely manner for all VoIP related technologies? | Operating system; handsets; softphones; gateways; routers; security applications | |
| | Is the power supply of VoIP technologies protected? | Uninterruptible power supply (UPS); surge protector | |
| | Do we have backup or recovery plans in case of VoIP failure? | PSTN failover; backup Internet links | |
| | Is physical access to VoIP infrastructure protected? | Minimise physical access to the VoIP system / infrastructure | |
| | Is call usage monitored? | Maintain and review audit logs periodically | |
| | Are staff aware of the implications of poor VoIP security? Do they use the technology safely? | Train staff on how to use the VoIP technology safely | |
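The "Is call usage monitored?" row asks for audit logs to be reviewed periodically. As an added example of what such a review can look like in practice (not code or data from the APEC document), the script below reads call detail records in a constructed comma-separated layout and flags two common indicators of misuse: international calls placed outside business hours and extensions that place an unusually high number of international calls. The record format, the business-hours window, the thresholds and the function names are all assumptions made for the illustration; the destinations use the unassigned +999 prefix so that no real number appears.

```python
import csv
from collections import Counter
from datetime import datetime, time
from io import StringIO
from typing import Dict, List, NamedTuple

# Constructed sample CDRs (not from a real PBX), one call per line:
# timestamp,extension,destination,duration_seconds
SAMPLE_CDR = """\
2024-03-12T09:15:02,2001,+99912345678,125
2024-03-12T09:40:11,2002,0412345678,60
2024-03-12T02:03:44,2003,+99912345001,900
2024-03-12T02:10:51,2003,+99912345002,870
2024-03-12T02:21:09,2003,+99912345003,905
2024-03-12T02:35:27,2003,+99912345004,880
2024-03-12T14:20:00,2004,+99912345678,45
"""

# Assumed business-hours window for the site (local time).
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)


class Call(NamedTuple):
    when: datetime
    extension: str
    destination: str
    duration: int


def parse_cdrs(text: str) -> List[Call]:
    """Parse the constructed CDR layout; blank and '#' comment lines are skipped."""
    calls = []
    for row in csv.reader(StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        ts, ext, dest, dur = (field.strip() for field in row)
        calls.append(Call(datetime.fromisoformat(ts), ext, dest, int(dur)))
    return calls


def is_international(destination: str) -> bool:
    """Treat '+' and '00' dial prefixes as international (assumed dial plan)."""
    return destination.startswith("+") or destination.startswith("00")


def outside_business_hours(when: datetime) -> bool:
    return not (BUSINESS_START <= when.time() < BUSINESS_END)


def review_cdrs(text: str, max_international_per_ext: int = 3) -> List[Dict]:
    """Return a list of findings; each finding is a dict with a 'type' key."""
    findings: List[Dict] = []
    international_calls: Counter = Counter()
    for call in parse_cdrs(text):
        if not is_international(call.destination):
            continue
        international_calls[call.extension] += 1
        if outside_business_hours(call.when):
            findings.append({
                "type": "after_hours_international",
                "extension": call.extension,
                "destination": call.destination,
                "when": call.when.isoformat(),
                "duration": call.duration,
            })
    # Volume check across the whole batch, reported once per extension.
    for extension, count in sorted(international_calls.items()):
        if count >= max_international_per_ext:
            findings.append({
                "type": "high_international_volume",
                "extension": extension,
                "count": count,
            })
    return findings


if __name__ == "__main__":
    for finding in review_cdrs(SAMPLE_CDR):
        print(finding)
```

In the constructed sample, extension 2003 places four international calls around 02:00, so each call is reported as after-hours international and the extension is also reported for volume, while the daytime international calls from 2001 and 2004 are counted but not flagged. Thresholds and the business-hours window should be tuned to the site's normal call profile, which is itself something the periodic log review establishes.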