Bonus article! We have already wrapped up 20 articles, but here’s a bonus – just as good and just as free as the earlier content! 😊
I’ve mentioned multiple times that a lot of the information for these articles comes straight from the NSA document on securing VVOIP systems. In the NSA’s worldview, the fourth plane of security for VVoIP systems is to secure the call processing systems – often called session managers or session controllers.
Session Controllers are software systems – in the data world, they would be called servers – often loaded on dedicated, OEM-approved hardware. Thus, they face all the security challenges relevant to regular software servers (database, file, web, etc.) and those specific to their task – connection, management, control of media, and signaling streams. In this article, we will briefly touch upon the risks to session controllers and the mitigations thereof.
Software and application protection
As with all software servers, session controllers must deal with user management and permissions, configurations, logging, and so on. Here is a brief overview:
User accounts and passwords
Very simply, the more users that have access to the server, the higher the chances of it being compromised. Limit user access, and within that, give each user as few privileges as possible. Remove or disable as many default user accounts as possible. For the rest, change the passwords, making them as complex as possible. If 2FA or MFA is available, enable it.
Server configurations
OEMs usually ship systems with maximum features enabled, but that causes security issues: some features can themselves be the path to a compromise. Make sure that only features that are strictly required are enabled; disable the rest. For the features that remain enabled, ensure that their security impact is studied and controlled.
Audit logs
Audit logs are critical for any system, primarily to understand issues with functionality. But they can also serve a security function.
Enable logging of all accesses to the server, tracking who connected to the server and when and what changes were made. Also, ensure CDRs are enabled – they help identify and track issues like toll fraud.
The challenge with all these logs is the sheer amount of information – looking for patterns in them is like looking for the proverbial needle in the haystack, with the twist that we have never seen what those needles look like. SIEM systems that aggregate all the logs are useful, especially when they have plugins that look for specific patterns in the logs – patterns that indicate issues or malicious actors.
More useful are tools that use domain-specific knowledge and AI to detect patterns – especially if they can combine the log information with traffic patterns to identify malicious activity. Obligatory pitch – Assertion is a leader in this business and if you want to know more, get in touch!
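To make the "patterns in the logs" concrete, here is an added example (not from the article or from any vendor's product) that runs two of the checks a SIEM plugin would apply over constructed session-controller logs: a burst of failed admin logins, and an extension placing many international calls overnight, the classic toll-fraud signature from CDRs. The log format, the domestic dialing prefix and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (illustrative format, not any vendor's real syntax).
ACCESS_LOG = """\
2024-03-01T22:01:05 login user=admin src=10.0.5.20 result=FAIL
2024-03-01T22:01:09 login user=admin src=10.0.5.20 result=FAIL
2024-03-01T22:01:14 login user=admin src=10.0.5.20 result=FAIL
2024-03-01T22:01:20 login user=admin src=10.0.5.20 result=OK
2024-03-02T09:15:00 login user=ops src=10.0.1.7 result=OK
"""
CDR_LOG = """\
2024-03-01T23:10:00 ext=2045 dialed=+2521234567 duration=610
2024-03-01T23:22:10 ext=2045 dialed=+2527654321 duration=590
2024-03-02T01:05:40 ext=2045 dialed=+2529876543 duration=640
2024-03-02T02:30:00 ext=2045 dialed=+2521111111 duration=300
2024-03-02T10:00:00 ext=3010 dialed=+4420123456 duration=120
"""
ACCESS_RE = re.compile(r"(\S+) login user=(\S+) src=(\S+) result=(\S+)")
CDR_RE = re.compile(r"(\S+) ext=(\S+) dialed=(\S+) duration=(\d+)")
HOME_PREFIX = "+1"  # assumption: domestic prefix; anything else is international

def failed_login_bursts(log, threshold=3, window_s=60):
    """Return (user, src) pairs with >= threshold FAILs inside window_s seconds."""
    fails = defaultdict(list)
    for ts, user, src, result in ACCESS_RE.findall(log):
        if result == "FAIL":
            fails[(user, src)].append(datetime.fromisoformat(ts))
    hits = set()
    for key, times in fails.items():
        times.sort()  # sliding window over the sorted failure timestamps
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                hits.add(key)
                break
    return hits

def toll_fraud_suspects(log, max_calls=3, start=20, end=7):
    """Return extensions placing more than max_calls international calls
    in the overnight window from start:00 to end:00."""
    counts = defaultdict(int)
    for ts, ext, dialed, _duration in CDR_RE.findall(log):
        hour = datetime.fromisoformat(ts).hour
        off_hours = hour >= start or hour < end
        if off_hours and not dialed.startswith(HOME_PREFIX):
            counts[ext] += 1
    return {ext for ext, n in counts.items() if n > max_calls}
```

Both functions return the offending identities rather than printing them, so the same logic can feed an alert or a SIEM correlation rule.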
Software vulnerabilities
As with all software, vulnerabilities get discovered in session controllers as well – keep patching regularly to avoid grief from malicious actors exploiting the vulnerabilities. Similarly, make sure that the operating systems, databases, and other supporting software are also kept secure and up to date. In case the session manager uses third-party databases, make sure that connectivity is secure and the database itself is secure and, if possible, encrypted.
Network services
Another rule of thumb of security – enable as few services as possible – the more services present on the session controller server, the greater its attack surface.
Disable FTP, DNS, DHCP, SNMP, and any other service that is not being used on this server.
Cryptographic Key Material
When your session controller provides encrypted communication, it also stores the cryptographic keys needed for authentication and encryption. Secured access to these keys is critical – a malicious actor with access to these keys can undermine the communication system completely, impersonating the server itself and eavesdropping on calls.
Restrict and encrypt access to these keys, back them up on systems that are not connected to the network, and use cryptographic hardware tokens when possible.
Physical Security
All the software security is worthless if bad actors get access to the physical system itself. One simple way for a bad actor to disrupt the system is to shut down the server itself. Ensure strict controls on access to the server, and keep it in a monitored, access-controlled facility.
Service Availability
Five nines availability is critical for voice systems, so make sure that fundamental issues like hardware and power failures do not disrupt service – use RAID storage, high-availability (HA) configurations with redundant power supplies, and UPS systems.
To recover from system failures, ensure backup and recovery systems are in place and test them regularly. Naturally, make sure all backups are securely stored and encrypted.
Management Software
Managing the session controllers usually means accessing them via:
- remote management tools
- web-based interfaces
- proprietary management software
Each of them is potentially an attack surface – if any approach is not being used, disable it. Make sure that all connections from the tools to the server are encrypted. Ensure that the management interfaces accept connections only from specific IP addresses.
Client Registration
Most session controllers are configured to allow automatic registrations by clients – this is convenient for administrators, who would otherwise have to provision each endpoint individually, a tedious effort. But automatic registration also opens the door to malicious actors registering their own endpoints – thereby gaining access to the session controller and other data.
To prevent this, enable mutual authentication – both client and server must authenticate each other for the connection to be successful.
Have more questions? Send me an email at securityeducation@assertion.cloud
About Assertion:
Assertion® is a leading communication security solutions provider that empowers companies to Collaborate Confidently. Our ultimate goal is to secure every conversation through our advanced AI-enabled collaboration security solutions. We also provide holistic infrastructure security for over 38 collaboration products, including full-stack collaboration security solutions for the UC and CC stack.