Securing Session Controllers - The NSA way

Bonus article! We have already wrapped up 20 articles, but here’s a bonus – just as good and just as free as the earlier content! 😊 

I’ve mentioned multiple times that much of the information for these articles comes straight from the NSA document on securing VVoIP systems. In the NSA’s framework, the fourth plane of security for VVoIP systems is securing the call processing systems, often called session managers or session controllers. 

Session controllers are software systems (in the data world they would simply be called servers), usually loaded on dedicated, OEM-approved hardware. They therefore face all the security challenges of ordinary software servers (database, file, web, etc.) plus those specific to their task: setting up, managing and tearing down signaling and media streams. In this article, we will briefly touch upon the risks to session controllers and their mitigations. 

Software and application protection 

As with all software servers, session controllers must deal with user management and permissions, configuration, logging, and so on. Here is a brief overview:  

User accounts and passwords 

Very simply, the more users that have access to the server, the higher the chance of it being compromised. Limit the number of accounts, and give each remaining account as few privileges as its role needs. Remove or disable as many default and vendor accounts as possible; for the ones that must stay, change the passwords to long, unique values. If two-factor or multi-factor authentication is available for administrative access, enable it. 

Server configurations 

OEMs usually ship systems with most features enabled, and every enabled feature is attack surface; some features are direct routes to compromise. Enable only the features that are actually required and disable the rest. For the features that stay enabled, study their security impact and put compensating controls around them. 

Audit logs  

Audit logs are critical for understanding functional issues with a system, but they also serve a security function. 

Enable logging of all access to the server, recording who connected, when, and what changes were made. Also ensure that Call Detail Records (CDRs) are enabled; they help identify and track issues such as toll fraud. 

The challenge with all these logs is the sheer volume of information: looking for patterns in them is like looking for the proverbial needle in the haystack, with the twist that we have never seen what the needles look like. SIEM systems that aggregate the logs are useful, especially when they have plugins that look for specific patterns, patterns that indicate problems or malicious actors. 
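To make the "pattern in the CDRs" idea concrete, here is an added example (not code from the article or from the NSA document) of two simple toll-fraud rules run over a few constructed CDR lines. The CDR format (ISO timestamp, calling extension, dialed E.164 number, duration in seconds), the high-risk destination prefixes, and the business-hours window are all assumptions for illustration; real session controllers emit richer, vendor-specific records, so the parser is the part you would adapt.

```python
"""Toll-fraud pattern detection over Call Detail Records (CDRs).

Added example, not from the original article or the NSA document. The CDR
layout, thresholds and prefix list below are assumptions for illustration.
"""
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed sample CDRs: start time, calling extension, dialed number, seconds.
SAMPLE_CDRS = """\
2024-03-11T09:12:04,1042,+14155550123,184
2024-03-11T09:40:51,1042,+14155550199,62
2024-03-11T10:03:17,1017,+442079460000,300
2024-03-12T02:14:09,1017,+2526115550100,412
2024-03-12T02:19:33,1017,+2526115550101,388
2024-03-12T02:25:50,1017,+2526115550102,395
2024-03-12T02:31:02,1017,+2526115550103,401
2024-03-12T02:37:18,1017,+2526115550104,379
2024-03-12T02:43:41,1017,+2526115550105,390
2024-03-12T11:15:00,1030,+14155550177,45
"""

# Country-code prefixes commonly seen in International Revenue Share Fraud.
# Illustrative only; maintain your own list from carrier/fraud-feed data.
HIGH_RISK_PREFIXES = ("+252", "+232", "+370", "+371", "+882")
HOME_COUNTRY_CODE = "+1"
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 local time
MAX_OFF_HOURS_INTL = 3          # international calls per extension per day

Alert = namedtuple("Alert", "ext day reason calls minutes")


def parse_cdrs(text):
    """Parse the simplified CSV CDR format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, number, secs = line.split(",")
        records.append({"start": datetime.fromisoformat(ts), "ext": ext,
                        "number": number, "seconds": int(secs)})
    return records


def is_international(number):
    return number.startswith("+") and not number.startswith(HOME_COUNTRY_CODE)


def total_minutes(calls):
    return round(sum(c["seconds"] for c in calls) / 60, 1)


def detect_toll_fraud(records):
    """Return alerts aggregated per (extension, day).

    Rule 1: any international call to a high-risk prefix.
    Rule 2: more than MAX_OFF_HOURS_INTL international calls outside
            business hours from one extension in one day.
    """
    high_risk = defaultdict(list)
    off_hours = defaultdict(list)
    for r in records:
        if not is_international(r["number"]):
            continue
        key = (r["ext"], r["start"].date().isoformat())
        if r["number"].startswith(HIGH_RISK_PREFIXES):
            high_risk[key].append(r)
        if r["start"].hour not in BUSINESS_HOURS:
            off_hours[key].append(r)

    alerts = []
    for (ext, day), calls in sorted(high_risk.items()):
        alerts.append(Alert(ext, day, "high_risk_destination",
                            len(calls), total_minutes(calls)))
    for (ext, day), calls in sorted(off_hours.items()):
        if len(calls) > MAX_OFF_HOURS_INTL:
            alerts.append(Alert(ext, day, "off_hours_international_burst",
                                len(calls), total_minutes(calls)))
    return alerts


if __name__ == "__main__":
    for a in detect_toll_fraud(parse_cdrs(SAMPLE_CDRS)):
        print(a)
```

On the sample, extension 1042 and 1030 are quiet, the daytime call to +44 is ordinary, and extension 1017 trips both rules on 2024-03-12: six calls to a high-risk prefix, all between 02:00 and 03:00. The aggregation per extension and day is deliberate; per-call alerts on a compromised extension would flood the SIEM with hundreds of identical events before anyone reads the first one.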


More useful still are tools that apply domain-specific knowledge and AI to detect such patterns, especially when they can correlate log data with traffic patterns to identify malicious activity. Obligatory pitch: Assertion is a leader in this business, and if you want to know more, get in touch!  

Software vulnerabilities 

As with all software, vulnerabilities get discovered in session controllers too; patch regularly so that malicious actors cannot exploit known issues. Likewise, keep the operating system, databases, and other supporting software secure and up to date. If the session controller uses a third-party database, make sure the connection to it is authenticated and encrypted, and that the database itself is hardened and, where possible, encrypted at rest. 

Network services 

Another rule of thumb of security: enable as few services as possible. The more services present on the session controller, the larger its attack surface. 

Disable FTP, DNS, DHCP, SNMP, and any other service that is not being used on this server. If monitoring genuinely requires SNMP, use SNMPv3 with authentication and privacy enabled rather than the community-string versions, and restrict it to the management network.  
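A quick way to check a controller against this rule is to compare what is actually listening with an allowlist of what a SIP session controller needs. The following is an added example (not code from the article or from the NSA document) that parses output in the layout of `ss -tulnp` on Linux; the sample output, the allowlist, and the process name sipd are constructed assumptions for illustration, so adjust the allowlist to the signaling and management ports of your deployment.

```python
"""Audit listening network services on a session controller against an allowlist.

Added example, not from the original article or the NSA document. Parses the
`ss -tulnp` layout (Linux) from a constructed sample; feed it real output with
audit_listeners(open("ss.txt").read()) or similar. The sipd process name and
the allowlist are assumptions for illustration.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "proto port process verdict")

# Constructed sample in `ss -tulnp` layout (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5060        0.0.0.0:*         users:(("sipd",pid=812,fd=14))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=402,fd=7))
udp   UNCONN 0      0      0.0.0.0:67          0.0.0.0:*         users:(("dhcpd",pid=388,fd=9))
udp   UNCONN 0      0      0.0.0.0:53          0.0.0.0:*         users:(("named",pid=420,fd=10))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=301,fd=3))
tcp   LISTEN 0      128    0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=455,fd=4))
tcp   LISTEN 0      128    [::]:5061           [::]:*            users:(("sipd",pid=812,fd=16))
tcp   LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=600,fd=5))
"""

# What a SIP session controller legitimately exposes: SIP over UDP/TCP (5060),
# SIP over TLS (5061) and SSH for administration. Adjust to the deployment.
ALLOWED = {("udp", 5060), ("tcp", 5060), ("tcp", 5061), ("tcp", 22)}
LOOPBACK = {"127.0.0.1", "::1"}

LINE_RE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_ss(text):
    """Yield (proto, bind address, port, process) for each socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header or unparsable line
        proto, local, proc = m.groups()
        addr, port = local.rsplit(":", 1)  # handles [::]:5061 as well
        yield proto, addr.strip("[]"), int(port), proc


def audit_listeners(text, allowed=ALLOWED):
    """Classify every listener as allowed, loopback-only, or to be disabled."""
    findings = []
    for proto, addr, port, proc in parse_ss(text):
        if (proto, port) in allowed:
            verdict = "allowed"
        elif addr in LOOPBACK:
            # Not reachable from the network, but still a local attack surface.
            verdict = "loopback-only; confirm it is needed"
        else:
            verdict = "DISABLE: not required on a session controller"
        findings.append(Finding(proto, port, proc, verdict))
    return findings


def to_disable(text, allowed=ALLOWED):
    """Only the network-exposed services that should be turned off."""
    return [f for f in audit_listeners(text, allowed)
            if f.verdict.startswith("DISABLE")]


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS):
        print(f"{f.proto}/{f.port:<5} {f.process:<9} {f.verdict}")
```

On the sample, the FTP, DNS, DHCP and SNMP daemons are flagged for removal, SIP and SSH pass, and the database bound to 127.0.0.1 is reported separately: a database the controller itself uses should only ever listen on loopback or a dedicated, authenticated interface. Media (RTP) ports are negotiated per call and are not shown by `ss` between calls, so they belong to the firewall policy rather than to this listener audit.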

Cryptographic Key Material 

When your session controller provides encrypted communication, it also stores the cryptographic keys needed for authentication and encryption. Securing access to these keys is critical: a malicious actor who obtains them can undermine the communication system completely, impersonating the server itself and eavesdropping on calls. 


Encrypt the keys at rest and restrict access to them to the service account that needs them, back them up on systems that are not connected to the network, and keep them in cryptographic hardware (HSM or hardware token) whenever possible.  
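The parts of this advice that can be verified on disk are file permissions, ownership and whether the key is stored passphrase-protected. The following is an added example (not code from the article or from the NSA document) of such a check. It assumes a POSIX filesystem and PEM-encoded keys; the two sample key files it creates contain filler text rather than real key material, and the filenames are hypothetical.

```python
"""Hygiene check for private-key files on a session controller.

Added example, not from the original article or the NSA document. It checks
only what can be verified without touching the key material: file mode, owner,
and whether the PEM is stored encrypted (passphrase-protected). Assumes POSIX.
"""
import os
import stat
import tempfile

# Constructed PEM bodies; the base64-looking text is filler, not a real key.
UNENCRYPTED_PEM = (b"-----BEGIN PRIVATE KEY-----\n"
                   b"MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC\n"
                   b"-----END PRIVATE KEY-----\n")
ENCRYPTED_PEM = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                 b"MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI\n"
                 b"-----END ENCRYPTED PRIVATE KEY-----\n")


def check_key_file(path, expected_uid=None):
    """Return a list of findings for one key file (empty when it passes).

    expected_uid: the service account that should own the key; defaults to
    the current effective uid so the example runs stand-alone.
    """
    findings = []
    st = os.stat(path)

    # 1. Mode: nothing for group or other (0600 or stricter).
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {stat.filemode(st.st_mode)} grants group/other "
                        f"access; expected 0600")

    # 2. Owner: only the service account that loads the key.
    uid = os.geteuid() if expected_uid is None else expected_uid
    if st.st_uid != uid:
        findings.append(f"owned by uid {st.st_uid}, expected {uid}")

    # 3. Encrypted at rest: PKCS#8 "ENCRYPTED PRIVATE KEY" or the legacy
    #    "Proc-Type: 4,ENCRYPTED" header both contain the word ENCRYPTED.
    with open(path, "rb") as fh:
        head = fh.read(256)
    if b"PRIVATE KEY" not in head:
        findings.append("does not look like a PEM private key")
    elif b"ENCRYPTED" not in head:
        findings.append("private key is stored unencrypted (no passphrase)")
    return findings


def make_sample_keys():
    """Create a weak and a properly protected sample key file (constructed)."""
    d = tempfile.mkdtemp()
    weak = os.path.join(d, "sip-tls-weak.key")     # hypothetical filename
    good = os.path.join(d, "sip-tls.key")          # hypothetical filename
    with open(weak, "wb") as f:
        f.write(UNENCRYPTED_PEM)
    os.chmod(weak, 0o644)                           # world-readable: wrong
    with open(good, "wb") as f:
        f.write(ENCRYPTED_PEM)
    os.chmod(good, 0o600)                           # owner-only: right
    return weak, good


if __name__ == "__main__":
    for path in make_sample_keys():
        print(path, check_key_file(path) or ["OK"])
```

The check is deliberately shallow: it never loads or parses the key, so it can be run by a low-privilege audit job. The weak sample fails on two counts (mode 0644 and no passphrase protection); the protected sample passes. Note that an encrypted PEM only helps if the passphrase is not sitting next to it in a startup script, which is exactly the situation a hardware token removes.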

Physical Security 

All the software security is worthless if bad actors get access to the physical system itself. The simplest way for a bad actor to disrupt the system is to power the server off or pull its cables; console ports and boot media offer subtler routes. Ensure strict controls on who can reach the hardware, and keep it in a monitored, access-controlled room or cabinet.

Read Ahead at Assertion Blog - Protecting Communication Systems – Securing Session Controllers
