
This section of the ISM provides guidance on video conferencing and Internet Protocol telephony.

Video conferencing and Internet Protocol telephony gateways

Where a video conferencing or IP telephony network is connected to another video conferencing or IP telephony network belonging to a different security domain, the gateways section of the Guidelines for Gateways applies.

Where an analog telephone network, such as the Public Switched Telephone Network (PSTN), is connected to a data network, the gateways section of the Guidelines for Gateways does not apply.

Video conferencing and Internet Protocol telephony infrastructure hardening

Hardening can be applied to video conferencing units, handsets, software and servers in order to reduce their attack surface. For example, by ensuring that a Session Initiation Protocol (SIP) server:

  • has a fully patched operating system
  • has fully patched software
  • runs only required services
  • uses encrypted non-replayable authentication
  • applies network restrictions that only allow secure SIP traffic and secure Real-time Transport Protocol (RTP) traffic from video conferencing units and IP phones on a Virtual Local Area Network (VLAN) to reach the server.

Security Control: 1562; Revision: 0; Updated: Dec-19; Applicability: O, P, S, TS
Video conferencing and IP telephony infrastructure is hardened.

Video and voice-aware firewalls

The use of video and voice-aware firewalls ensures that only video and voice traffic (e.g. signalling and data traffic) is allowed for a given call and that the session state is maintained throughout the transaction.

The requirement to use a video or voice-aware firewall does not necessarily require separate firewalls to be deployed for video conferencing, IP telephony and data traffic. Organisations are encouraged to implement one firewall that is video and data-aware; voice and data-aware; or video, voice and data-aware depending on their needs.

Security Control: 0546; Revision: 6; Updated: Sep-18; Applicability: O, P, S, TS
Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used.

Protecting video conferencing and Internet Protocol telephony traffic

Video conferencing and IP telephony traffic is vulnerable to eavesdropping but can be protected with encryption. When encrypting video conferencing and IP telephony traffic, voice control signalling can be protected using Transport Layer Security and the ‘sips://’ identifier to force the encryption of all legs of the connection. Similar protections are available for RTP and the Real-time Control Protocol.
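The hardening list above (network restrictions that admit only secure SIP and secure RTP from units and phones on the voice VLAN) and the TLS and ‘sips://’ guidance in this section can be expressed as one admission check on each inbound request. The Python below is an added illustration, not ISM text or any vendor's code. The VLAN range 10.20.30.0/24, the addresses and the two SIP messages are constructed, and the check assumes the server knows the source address and transport of each request it receives.

```python
import ipaddress
import re

# Assumptions for this illustration (not ISM values): the voice VLAN range and the
# SIP-over-TLS port (5061 is the RFC 3261 default for TLS transport).
VOICE_VLAN = ipaddress.ip_network("10.20.30.0/24")
SIP_TLS_PORT = 5061
# SDP media profiles that carry SRTP (SDES or DTLS keyed); plain RTP/AVP is rejected.
SECURE_MEDIA_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


def parse_sip(raw):
    """Split a SIP request into its request line, a lower-cased header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_sip_policy(src_ip, dst_port, transport, raw):
    """Return the list of policy violations for one inbound SIP request.

    An empty list means the request passed all four checks: it came from the voice
    VLAN, arrived over TLS on the TLS port, addresses a sips: URI (so every hop is
    forced onto TLS), and offers only secure RTP media profiles in its SDP.
    """
    violations = []
    if ipaddress.ip_address(src_ip) not in VOICE_VLAN:
        violations.append(f"source {src_ip} is outside the voice VLAN {VOICE_VLAN}")
    if transport.upper() != "TLS" or dst_port != SIP_TLS_PORT:
        violations.append(f"signalling arrived over {transport}/{dst_port}, not TLS/{SIP_TLS_PORT}")
    request_line, _headers, body = parse_sip(raw)
    parts = request_line.split(" ")
    uri = parts[1] if len(parts) > 1 else ""
    if not uri.lower().startswith("sips:"):
        violations.append(f"request URI {uri!r} does not use the sips: scheme")
    # Each SDP media line reads "m=<media> <port> <profile> <formats...>".
    for profile in re.findall(r"^m=\S+ \d+ (\S+)", body, re.MULTILINE):
        if profile not in SECURE_MEDIA_PROFILES:
            violations.append(f"media profile {profile} is not SRTP")
    return violations


# Constructed sample INVITE: sips: URIs and an SRTP (RTP/SAVP) audio offer.
SECURE_INVITE = (
    "INVITE sips:bob@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.20.30.15:5061;branch=z9hG4bKconstructed\r\n"
    "From: <sips:alice@example.invalid>;tag=1\r\n"
    "To: <sips:bob@example.invalid>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 10.20.30.15\r\n"
    "s=-\r\n"
    "c=IN IP4 10.20.30.15\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY\r\n"
)
# Same call with plain sip: URIs and unencrypted RTP/AVP media.
INSECURE_INVITE = SECURE_INVITE.replace("sips:", "sip:").replace("RTP/SAVP", "RTP/AVP")

if __name__ == "__main__":
    for label, args in (("secure", ("10.20.30.15", 5061, "TLS", SECURE_INVITE)),
                        ("insecure", ("192.0.2.7", 5060, "UDP", INSECURE_INVITE))):
        print(label, check_sip_policy(*args) or "allowed")
```

The check reports every failed condition rather than stopping at the first, which is what an operator wants when tuning the allow list: a phone on the right VLAN that still offers RTP/AVP shows up as a media problem, not as a network problem.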

Security Control: 0547; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
Video conferencing and IP telephony signalling and data is encrypted.

Establishment of secure signalling and data protocols

Use of secure signalling and data protocols protects against eavesdropping, some types of denial of service, person-in-the-middle attacks and call spoofing attacks.

Security Control: 0548; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
Video conferencing and IP telephony functions are established using secure signalling and data protocols.

Video conferencing unit and Internet Protocol phone authentication

Blocking unauthorised or unauthenticated devices by default will reduce the likelihood of unauthorised access to a video conferencing or IP telephony network.

Security Control: 0554; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation.

Security Control: 0553; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings.

Security Control: 0555; Revision: 3; Updated: Dec-19; Applicability: O, P, S, TS
Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail.

Security Control: 0551; Revision: 7; Updated: Jan-20; Applicability: O, P, S, TS
IP telephony is configured such that:

  • IP phones authenticate themselves to the call controller upon registration
  • auto-registration is disabled and only authorised devices are allowed to access the network
  • unauthorised devices are blocked by default
  • all unused and prohibited functionality is disabled.
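To show what ‘encrypted and non-replayable’ call authentication amounts to when a phone registers with a call controller, the Python below is an added illustration (not ISM text or any vendor's code) of the SIP digest challenge-response exchange from RFC 3261, using the SHA-256 algorithm that RFC 8760 added to it. The server issues a random nonce, accepts it once, and only within a short lifetime, so a captured Authorization header cannot be replayed. The realm, user name and secret are constructed. The exchange meets the ‘encrypted’ part of the control only when it is carried over TLS, which is also what gives the phone assurance of the controller's identity; that transport layer is assumed and not shown here.

```python
import hashlib
import hmac
import os
import time


def _h(data):
    """SHA-256 hex digest, the algorithm RFC 8760 added to SIP digest authentication."""
    return hashlib.sha256(data.encode()).hexdigest()


def ha1_for(username, realm, password):
    """H(username:realm:password); the server stores this value, never the password."""
    return _h(f"{username}:{realm}:{password}")


def digest_response(ha1, nonce, nc, cnonce, method, uri):
    """Digest response for qop=auth: H(HA1:nonce:nc:cnonce:auth:HA2) with HA2 = H(method:uri)."""
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestAuthenticator:
    """Call-controller side of the exchange with single-use, expiring nonces."""

    def __init__(self, realm, ha1_by_user, nonce_ttl=30):
        self.realm = realm
        self.ha1_by_user = ha1_by_user      # {username: HA1}
        self.nonce_ttl = nonce_ttl          # seconds a challenge stays valid
        self._issued = {}                   # nonce -> time issued
        self._consumed = set()              # nonces that already authenticated a request

    def challenge(self, now=None):
        """Build the WWW-Authenticate parameters for a 401 response."""
        now = time.time() if now is None else now
        for stale in [n for n, t in self._issued.items() if now - t > self.nonce_ttl]:
            self._issued.pop(stale)
            self._consumed.discard(stale)
        nonce = os.urandom(16).hex()
        self._issued[nonce] = now
        return {"realm": self.realm, "nonce": nonce, "qop": "auth", "algorithm": "SHA-256"}

    def verify(self, method, uri, username, nonce, nc, cnonce, response, now=None):
        """Return True only for a fresh, unused nonce and a correct response."""
        now = time.time() if now is None else now
        issued = self._issued.get(nonce)
        if issued is None or now - issued > self.nonce_ttl:
            return False                    # unknown or expired nonce
        if nonce in self._consumed:
            return False                    # replay of a captured Authorization header
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None:
            return False                    # unknown device: blocked by default
        expected = digest_response(ha1, nonce, nc, cnonce, method, uri)
        if not hmac.compare_digest(expected, response):
            return False
        self._consumed.add(nonce)
        return True


def client_answer(challenge, username, password, method, uri, cnonce=None):
    """Phone side: the Authorization parameters sent back in the repeated request."""
    cnonce = os.urandom(8).hex() if cnonce is None else cnonce
    ha1 = ha1_for(username, challenge["realm"], password)
    nc = "00000001"
    return {"username": username, "nonce": challenge["nonce"], "nc": nc, "cnonce": cnonce,
            "response": digest_response(ha1, challenge["nonce"], nc, cnonce, method, uri)}


# Constructed values for the demonstration.
REALM = "voice.example.invalid"
USER, PASSWORD = "phone-1042", "constructed-secret"
URI = "sips:voice.example.invalid"


def run_exchange(now=0.0, reply_delay=1.0):
    """REGISTER once, then replay the same Authorization header; returns (first, replay)."""
    auth = DigestAuthenticator(REALM, {USER: ha1_for(USER, REALM, PASSWORD)})
    challenge = auth.challenge(now=now)
    answer = client_answer(challenge, USER, PASSWORD, "REGISTER", URI)
    first = auth.verify("REGISTER", URI, now=now + reply_delay, **answer)
    replay = auth.verify("REGISTER", URI, now=now + reply_delay, **answer)
    return first, replay


if __name__ == "__main__":
    print("first attempt, replay:", run_exchange())          # (True, False)
    print("reply after nonce expiry:", run_exchange(reply_delay=60.0))
```

Two design points matter for the control: the comparison uses hmac.compare_digest so timing does not leak how much of a response was correct, and the server stores HA1 rather than the password, so a compromised call controller database does not directly yield phone credentials.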

Security Control: 1014; Revision: 5; Updated: Sep-18; Applicability: S, TS
Individual logins are used for IP phones.

Traffic separation

Video conferencing and IP telephony networks should be logically or physically separated from other networks to ensure availability and sufficient quality of service.

Security Control: 0549; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS
Video conferencing and IP telephony traffic is separated physically or logically from other data traffic.

Security Control: 0556; Revision: 5; Updated: Oct-19; Applicability: O, P, S, TS
Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic.

Internet Protocol phones in public areas

IP phones in public areas may give an adversary the opportunity to exploit them for social engineering purposes (since the call may appear to be internal) or to access poorly protected voicemail boxes.

Security Control: 1015; Revision: 6; Updated: Dec-19; Applicability: O, P, S, TS
Traditional analog phones are used in public areas.

Security Control: 0558; Revision: 5; Updated: Dec-19; Applicability: O, P, S, TS
If IP phones are used in public areas, their ability to access data networks, voicemail and directory services is prevented.

Microphones and webcams

Microphones (including headsets and Universal Serial Bus [USB] handsets) and webcams can pose a security risk in classified areas. An adversary can email a malicious application, or host one on a compromised website, and use social engineering techniques to convince users to install it on their workstation. Such malicious applications may then activate microphones or webcams that are attached to the workstation to act as remote listening and recording devices.

Security Control: 0559; Revision: 4; Updated: Sep-18; Applicability: O, P, S
Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas.

Security Control: 1450; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas.

Developing a denial of service response plan

Telephony is considered a critical service for any organisation. A denial of service response plan will assist in responding to video conferencing and IP telephony denial of service attacks, including signalling floods, established call teardown and RTP data floods.

Resources and services that can be used to monitor for signs of a denial of service can include:

  • router and switch logging and flow data
  • packet captures
  • proxy and call manager logs and access control lists
  • video and voice-aware firewalls and gateways
  • network redundancy
  • load balancing
  • PSTN failover.
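As an added example of how the proxy and call manager logs listed above can be used to identify signs of a signalling flood (this code is not from the ISM or from any product), the Python below parses a constructed log format, keeps a sliding window of requests per source and method, and flags any pair whose rate exceeds a threshold; a second helper counts authentication failures per source so an operator can tell credential guessing from a misconfigured phone re-registering in a loop. The log line format, host names, addresses and timestamps are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format assumed for this example:
#   "<ISO-8601 UTC> <host> <METHOD> from <src-ip> to <request-uri> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) from (?P<src>\S+) to (?P<uri>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one proxy log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["status"] = int(rec["status"])
    return rec


def detect_floods(lines, window_seconds=10, threshold=30):
    """Flag (source, method) pairs that exceed `threshold` requests in any `window_seconds` span.

    Returns {(src, method): peak_count}. Lines are sorted by timestamp first, then a
    per-pair deque of recent timestamps acts as the sliding window; the peak is the
    largest window size seen while the pair was over the threshold.
    """
    records = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    recent = defaultdict(deque)
    peaks = {}
    for rec in records:
        key = (rec["src"], rec["method"])
        window = recent[key]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold:
            peaks[key] = max(peaks.get(key, 0), len(window))
    return peaks


def failed_auth_by_source(lines):
    """Count 401/403 responses per source address."""
    counts = defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] in (401, 403):
            counts[rec["src"]] += 1
    return dict(counts)


def constructed_log():
    """Five normal registrations from voice-VLAN phones, then 60 REGISTER attempts in 6 s from one outside address."""
    base = datetime(2024, 3, 4, 9, 15, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [
        f"{(base + timedelta(seconds=3 * i)).strftime(fmt)} sip-proxy-1 REGISTER "
        f"from 10.20.30.{10 + i} to sips:voice.example.invalid 200"
        for i in range(5)
    ]
    lines += [
        f"{(base + timedelta(milliseconds=100 * i)).strftime(fmt)} sip-proxy-1 REGISTER "
        f"from 192.0.2.7 to sips:voice.example.invalid 401"
        for i in range(60)
    ]
    return lines


if __name__ == "__main__":
    log = constructed_log()
    for (src, method), peak in detect_floods(log).items():
        print(f"flood: {method} from {src}, peak {peak} requests in 10 s, "
              f"{failed_auth_by_source(log).get(src, 0)} auth failures")
```

The threshold and window are the tuning knobs: set them from the normal per-phone registration interval on the network, and feed the same function the flow data or firewall logs listed above once they are normalised to the same fields.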

Security Control: 1019; Revision: 7; Updated: Sep-18; Applicability: O, P, S, TS
A denial of service response plan is developed and implemented that includes:

  • how to identify signs of a denial of service
  • how to identify the source of a denial of service
  • how capabilities can be maintained during a denial of service
  • what actions can be taken to clear a denial of service.

Further information

Further information on the use of telephones and telephone systems can be found in the telephone systems section of these guidelines.

Further information on the use of mobile devices can be found in the Guidelines for Enterprise Mobility.

Further information on encryption can be found in the Guidelines for Cryptography.

Further information on firewalls and gateways can be found in the Guidelines for Gateways.

Further information on the use of web conferencing solutions can be found in the Australian Cyber Security Centre (ACSC)’s Web Conferencing Security publication at https://www.cyber.gov.au/acsc/view-all-content/publications/web-conferencing-security.