S 3.56 Administrator training on the use of VoIP
Initiation responsibility: Head of IT, Top Management, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT
Telephony forms the basis for communication in an organisation regardless of which technology the PBX system is based on. That is why it is essential to ensure that the administrators have received adequate training so that they are able to optimally use the functions and security features needed.
The training should provide sufficient knowledge of the procedures, tools, and technologies necessary for the configuration and operation of the VoIP components. This also applies to manufacturer-specific aspects of individual products that are used as VoIP components.
In order to be able to use VoIP efficiently, detailed knowledge of networks is required. This knowledge must also be incorporated into the training programme. VoIP components are often used on standard IT systems running stand-alone operating systems. More information on the composition of the training programme can be found in the respective IT-Grundschutz modules about the operating systems.
In general, the training programme should contain the following subjects at a minimum:
- Basic information on VoIP compression and the transmission of voice messages, including possible side-effects such as jitter, delay, and echo
- Basic information on the protocols used in the application layer (for example RTP, SIP, and H.323)
- Administration
  - security-relevant basic principles and concepts of administration, knowledge of the commands for the configuration, operation, maintenance, and troubleshooting of each VoIP component. A training course should contain a well-balanced combination of theory and practical applications.
  - knowledge of the administration of the IT systems on which the VoIP components are to be operated
  - overview of the relevant legal aspects of using VoIP, such as data protection
  - management of the devices, tools
  - logging
  - securing and administration of configuration data
  - attack scenarios (e.g. denial-of-service attacks, ARP spoofing, IP spoofing, DNS spoofing, viruses, and other malware)
  - basic principles regarding the topic of virtual private networks (VPNs)
  - basic principles of handling encrypted data (encryption using SRTP or IPSec, for example) and possible tools for handling encrypted data
- Network technology
  - basic principles of structuring networks and quality of service
  - basic principles of IP and the protocols based on it (IP addressing, ICMP, TCP, UDP)
  - virtual network segmentation (VLAN)
- Troubleshooting
  - sources of error and their causes
  - measurement and analysis tools, tools for automatically checking the individual components of the security gateway for proper function
  - test strategies for troubleshooting
Even if these tasks are distributed among a group of administrators, it is essential for all administrators to possess general knowledge of these subjects. The individual key aspects can then be expanded and maintained building upon this general knowledge. For many products, the manufacturers or specialised providers offer a wide range of modular and in-depth seminars. The number of qualified training programmes offered by a manufacturer is also a criterion that can be taken into account when deciding which manufacturer's products will be used.
When purchasing IT components, a sufficiently large budget must be planned for the training measures, and a training plan for administrators must be created.
Review questions:
- Do the administrators responsible have sufficient technical knowledge in the field of VoIP?