The NSA shares guidance on protecting voice and video communications

The National Security Agency (NSA) shares mitigations and best practices that system administrators must follow when protecting Unified Communications (UC) and Voice and Video over IP (VVoIP) call processing systems. ..

UC and VVoIP are call processing systems used in enterprise environments for a variety of purposes, from video conferencing to instant messaging to project collaboration.

Because these communication systems are tightly integrated with other IT devices in the enterprise network, they inadvertently target areas of attack by introducing new vulnerabilities and the possibility of secret access to organizational communications. Increase to.

Improperly protected UC / VVoIP devices are exposed to the same security risks and, if not properly protected and configured, threat attackers through spyware, viruses, software vulnerabilities, and other malicious means. Become the target of.

As a U.S. intelligence agency, “a malicious attacker could break into an IP network and eavesdrop on conversations, impersonate a user, commit a charge fraud, or perform a denial of service attack.” Description..

“A breach could covertly collect high-resolution room audio and video and deliver it to a malicious attacker using the IP infrastructure as a transfer mechanism.”

Administrators are advised to take the following important steps to minimize the risk of breaching your organization’s enterprise network by abusing your UC / VVoIP system:

• Use virtual local area networks (VLANs) to segment your enterprise network and separate voice and video traffic from data traffic
• Use access control lists and routing rules to limit access to devices across the VLAN
• Implements Layer 2 Protection and Address Resolution Protocol (ARP) and IP Spoofing Protection
• Protects PSTN gateways and Internet perimeters by authenticating all UC / VVoIP connections
• Keep your software up-to-date to mitigate UC / VVoIP software vulnerabilities
• Authenticates and encrypts signaling and media traffic to prevent spoofing and eavesdropping by malicious attackers
• Deploy a Session Border Controller (SBC) to monitor UC / VVoIP traffic and use a fraud detection solution to audit call data records (CDRs) to prevent fraud.
• Maintain backups of software configurations and installations to ensure availability
• Use rate limiting to manage denial of service attacks and limit the number of incoming calls to prevent overloading your UC / VVoIP server
• Use identification cards, biometrics, or other electronic means to control physical access to networks and secure areas with UC / VVoIP infrastructure
• Check the testbed for new (and potentially rogue) device capabilities and configuration before adding it to the network

“Taking advantage of UC / VVoIP systems, such as operational cost savings and advanced call processing, can pose additional risks,” said the NSA. Conclusion..

“The UC / VVoIP system introduces new potential security vulnerabilities. Understand the types of vulnerabilities and mitigations to make your UC / VVoIP deployment more secure.”

Much broader security best practices and mitigations on how to prepare networks, establish network boundaries, use enterprise session controllers, and add endpoints when deploying UC / VVoIP systems. Cybersecurity Information Sheet Released Today by NSA..

In January, the NSA announced how to detect Replace the old Transport Layer Security (TLS) protocol version Use the latest safe variant.

The agency also warned the company: Use a self-hosted DNS-over-HTTPS (DoH) resolver Block attackers’ DNS traffic eavesdropping and manipulation attempts.