
NSA releases guidance for securing Unified Communications and VVoIP

The US National Security Agency (NSA) released guidance for securing Unified Communications/Voice and Video over IP Systems (VVoIP).

The NSA last week released guidance for securing communication systems, specifically Unified Communications (UC) and Voice and Video over IP (VVoIP).

Unified Communications (UC) and Voice and Video over IP (VVoIP) call-processing systems provide enterprises with communications and collaboration tools that combine voice, video conferencing, and instant messaging in a single workplace. These platforms are widely used in government agencies and by organizations in the supply chain of several government offices; for this reason, the agency wants to support them in securing their infrastructure.

However, these tools enlarge the attack surface of the organizations that use them: threat actors could exploit vulnerabilities and misconfigurations to take over the network of a target infrastructure.

Attackers could target these systems to deliver malware, impersonate users, eavesdrop on conversations, conduct fraud, and more.

“However, the same IP infrastructure that enables UC/VVoIP systems also extends the attack surface into an enterprise’s network, introducing vulnerabilities and the potential for unauthorized access to communications. These vulnerabilities were harder to reach in earlier telephony systems, but now voice services and infrastructure are accessible to malicious actors who penetrate the IP network to eavesdrop on conversations, impersonate users, commit toll fraud, or perpetrate a denial of service effects.” reads the guidance published by the NSA. “Compromises can lead to high-definition room audio and/or video being covertly collected and delivered using the IP infrastructure as a transport mechanism.”

The guide is separated into four parts and provides mitigations and best practices to implement for each of them. The four parts are:

  • Preparing networks
  • Establishing perimeters
  • Using enterprise session controllers (ESCs)
  • Adding UC/VVoIP endpoints for deployment of a UC/VVoIP system

The guide urges a security-by-design approach for these tools, with detailed planning and deployment activities, and recommends continuous testing and maintenance.

The NSA recommends using VLANs to limit lateral movement between UC/VVoIP systems and the data network, and to place access controls on the type of traffic. The agency also recommends implementing layer 2 protections, implementing authentication mechanisms for all UC/VVoIP connections and implementing an effective patch management process.

The guide recommends the adoption of authentication and encryption for signaling and media traffic, the deployment of fraud detection solutions, the enforcement of physical security for the systems composing the platforms, and the use of solutions for detecting and preventing DoS attacks.

The agency also recommends testing the infrastructure every time a new device is added to the operational network.
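
As an added illustration of the recommendation to authenticate and encrypt signaling and media traffic (not code from the NSA guide or from this article), the following Python check inspects a SIP INVITE and its SDP body for cleartext signaling transport and unencrypted RTP media. It assumes SIP/SDP with SRTP as the protocols in use, which the article does not name; the function names and sample messages are constructed for the example.

```python
import re

SECURE_TRANSPORTS = {"TLS", "WSS"}   # Via transports that run over TLS
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", re.I | re.M)

def audit_sip_message(raw):
    """Return findings for one SIP message with an SDP body (empty list = clean)."""
    head, _, body = raw.partition("\r\n\r\n")
    findings = []
    # Signaling: the topmost Via names the transport of the most recent hop only.
    via = VIA_RE.search(head)
    if via is None:
        findings.append("signaling: no Via header")
    elif via.group(1).upper() not in SECURE_TRANSPORTS:
        findings.append("signaling: cleartext transport " + via.group(1).upper())
    # Media: each m= section needs an SRTP profile plus keying material.
    sections, session_keyed = [], False      # sections: [media, profile, keyed]
    for line in body.splitlines():
        if line.startswith("m="):
            parts = line[2:].split()
            if len(parts) >= 3:
                sections.append([parts[0], parts[2].upper(), False])
        elif line.startswith("a=fingerprint:") and not sections:
            session_keyed = True             # session-level DTLS-SRTP fingerprint
        elif line.startswith(("a=crypto:", "a=fingerprint:")) and sections:
            sections[-1][2] = True
    for media, profile, keyed in sections:
        if profile not in SECURE_PROFILES:
            findings.append(f"media: {media} uses unencrypted profile {profile}")
        elif not (keyed or session_keyed):
            findings.append(f"media: {media} offers {profile} without keying material")
    return findings

def sample_invite(transport, profile, extra=()):
    """Build a constructed (not captured) INVITE; addresses are documentation ranges."""
    head = ["INVITE sip:bob@example.com SIP/2.0",
            f"Via: SIP/2.0/{transport} 192.0.2.10;branch=z9hG4bKdemo",
            "Content-Type: application/sdp"]
    sdp = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
           "t=0 0", f"m=audio 49170 {profile} 0", *extra]
    return "\r\n".join(head) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"

if __name__ == "__main__":
    key = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY"
    for msg in (sample_invite("UDP", "RTP/AVP"), sample_invite("TLS", "RTP/SAVP", [key])):
        print(audit_sip_message(msg) or "OK: signaling and media encrypted")
```

A TLS transport in the Via header only describes one hop, so the same check has to be run at each point where signaling is observed.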

“Using the mitigations and best practices explained here, organizations may embrace the benefits of UC/VVoIP while minimizing the risk of disclosing sensitive information or losing service.” concludes the guide.

The NSA has also released an information sheet that summarizes the guide and the recommendations it includes:

  • Segment the network;
  • Implement layer 2 protections;
  • Protect the PSTN and Internet perimeters;
  • Stay up to date with patching;
  • Authenticate and encrypt signaling and media traffic;
  • Prevent fraud;
  • Ensure availability;
  • Manage denial of service attacks;
  • Control physical access;
  • Verify features and configurations in a test bed.


Pierluigi Paganini

(SecurityAffairs – hacking, Unified Communications)
