UC and VVoIP systems

NSA Releases Guidance on Modern Call-Processing Cybersecurity

The National Security Agency has issued guidance on securely deploying unified communications and voice and video over internet protocol call-processing systems.

UC and VVoIP systems offer modern communication capabilities by combining voice, video conferencing and instant messaging features commonly used in the workplace.

The NSA said that UC/VVoIP systems are vulnerable to unauthorized access because they rely on open-source and standard protocols.

In its guidance document titled “Deploying Secure Unified Communications/Voice and Video over IP Systems,” the NSA warned that UC/VVoIP systems are more vulnerable than their legacy telephony counterparts, which used dedicated infrastructure and were more isolated from other networks.

In contrast, UC/VVoIP systems are integrated into an enterprise’s existing IP infrastructure, providing numerous avenues for malicious hackers to eavesdrop on conversations, impersonate users or conduct denial-of-service attacks.

UC/VVoIP systems also share the weaknesses of their respective IP systems, which can include vulnerabilities to exploits such as spyware and viruses.

The NSA recommended that UC/VVoIP users set up virtual local area networks to segment voice and video traffic from data traffic.

Users should also create access control lists and routing rules to make it more difficult for malicious hackers to access VLAN devices from the outside.

The NSA also released an abridged version of the UC/VVoIP cybersecurity information sheet.

Other guidelines include adding a second layer of protection, protecting the public switched telephone network gateways and internet perimeters, staying up to date with patches, encrypting signaling and media traffic, maintaining backups of software configurations, managing DOS attacks and controlling physical access.