Voice over IP (VoIP) is a technology that provides an advanced and efficient communication solution compared to legacy digital/analog communications. VoIP provides additional functionality and therefore introduces additional attack vectors that must be mitigated to further strengthen an organization’s security posture.

If a VoIP deployment is affected by vulnerabilities, whether publicly known or not, attackers can exploit it. VoIP assessments are not performed with standard web/mobile application test cases, because VoIP signalling uses the SIP protocol rather than the protocols those test cases target. SIP is ASCII-based and very similar to HTTP in its architecture, as it uses a request/response model.

Identify, fix, secure loopholes and defend your VoIP security

Certbar follows three approaches when testing VoIP architectures, corresponding to how they are configured and deployed within organizations: Internal, Managed, and Online SIP Trunking. After determining the scope of work, Certbar performs VoIP network penetration testing to identify vulnerabilities in the VoIP network and prepares a detailed report that includes the vulnerability details along with recommendations.

Internal VoIP Testing:
A Private Branch Exchange (PBX) is connected to the ISP lines or telephony by a SIP Trunk or Primary Rate Interface (PRI). All traffic is pushed through a designated VLAN.

Managed VoIP Services:
No internal PBX is needed, only IP phones, a switch, and a router. Connections are provided through a VPN to the service provider.

Online SIP Trunking Service:
Services such as Skype and Twilio, among others, provide an easy solution for organizations that do not want to implement either of the above solutions. SIP Trunking delivers telephone and unified communications services over an existing IP network. VoIP users can make calls directly to any phone on the Public Switched Telephone Network (PSTN) without telephone lines by connecting to a compatible hosted PBX system through a SIP Trunk.

Certbar's VoIP pentesting methodology is designed to ensure an end-to-end assessment by identifying and assessing the internal and external security risks in your VoIP and PSTN infrastructure.