Security

🔒 Security covers the tools, protocols, and methods that protect your business phone system from attacks, eavesdropping, and fraud. This section contains 14 terms, from encryption standards like TLS and SRTP to common threats like toll fraud and brute force attacks.
On this page: TLS · SRTP · SRTP/SDES · SRTP/DTLS · VoIP Fraud/Toll Fraud · Brute Force Attack · SIP Scanning/Port Scanning · Registration Hijacking · Eavesdropping/Call Interception · DoS/DDoS Attack · Fail2Ban · Digest Authentication · Certificate/TLS Certificate · VPN for VoIP · ACL

TLS (Transport Layer Security)
A cryptographic protocol that encrypts the signalling part of a VoIP call. TLS protects SIP messages (call setup, registration, caller ID) as they travel between your phone and the server. Without TLS, these messages are sent in plain text and can be read by anyone on the network. Most Cloud PBX providers use TLS by default. It is the same technology that secures HTTPS websites.
Related: SRTP · Certificate/TLS Certificate · SIP Protocol
SRTP (Secure Real-Time Transport Protocol)
A protocol that encrypts the audio (voice) part of a VoIP call. While TLS protects signalling, SRTP protects the actual conversation. Without SRTP, someone who intercepts your network traffic could listen to your calls. SRTP adds encryption and message authentication to standard RTP audio streams. It is widely supported by modern SIP phones and Cloud PBX systems.
Related: TLS · RTP · SRTP/SDES
SRTP/SDES (Session Description Protocol Security Descriptions)
A key exchange method for SRTP. With SDES, the encryption keys are included directly inside the SIP signalling messages (the SDP body). This is the simpler and more common approach. However, it means the keys are only as secure as the signalling channel. If TLS is not used, the keys travel in plain text. For this reason, SDES should always be combined with TLS.
Related: SRTP · SRTP/DTLS · TLS
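Added example (not part of the original glossary): a check a defender could run over captured SIP messages to see whether SDES keys crossed the network without TLS. The messages, addresses, and key material are constructed, and the function names are hypothetical.

```python
import base64
import re

# Constructed key material (30 bytes: 16-byte key + 14-byte salt), not a real key.
SAMPLE_KEY = base64.b64encode(b"constructed-sample-key-30bytes").decode()

def make_invite(transport):
    """Build a constructed SIP INVITE whose SDP offers SRTP with an SDES key."""
    sdp = "\r\n".join([
        "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
        "m=audio 49170 RTP/SAVP 0",
        f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY}",
    ]) + "\r\n"
    head = "\r\n".join([
        "INVITE sip:bob@example.com SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10:5061;branch=z9hG4bKexample",
        "Content-Type: application/sdp",
        f"Content-Length: {len(sdp)}",
    ])
    return head + "\r\n\r\n" + sdp

# SDES key line in the SDP body: tag, crypto suite, inline key.
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([^|\s]+)", re.M)
# Transport recorded in each Via header (long or compact form).
VIA_RE = re.compile(r"^(?:Via|v):\s*SIP/2\.0/(\w+)", re.M | re.I)

def audit_sdes(message):
    """Report SDES offers and whether the signalling that carried them was encrypted."""
    headers, _, body = message.partition("\r\n\r\n")
    transports = [t.upper() for t in VIA_RE.findall(headers)]
    offers = CRYPTO_RE.findall(body)
    # The keys are protected only if every hop recorded in Via used TLS.
    encrypted = bool(transports) and all(t in ("TLS", "WSS") for t in transports)
    return {
        "sdes_keys": len(offers),
        "suites": [suite for _, suite, _ in offers],
        "transports": transports,
        "keys_exposed": bool(offers) and not encrypted,
    }

if __name__ == "__main__":
    for transport in ("UDP", "TLS"):
        print(transport, audit_sdes(make_invite(transport)))
```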
SRTP/DTLS (Datagram Transport Layer Security)
An alternative key exchange method for SRTP. Instead of embedding keys in the SIP signalling, DTLS negotiates encryption keys directly between the two endpoints on the media (audio) channel. This means the keys never appear in the signalling messages. DTLS is considered more secure than SDES because the audio encryption does not depend on the signalling being encrypted. It is used in WebRTC.
Related: SRTP · SRTP/SDES · WebRTC
VoIP Fraud / Toll Fraud
Unauthorized use of your phone system to make expensive calls, usually to premium-rate or international numbers. Attackers break into a PBX (often through weak passwords or exposed SIP ports) and route thousands of calls in a short time. The business owner receives a massive phone bill. Toll fraud costs the global telecom industry billions of euros each year. Strong passwords, IP restrictions, and call-spending limits are the main defences.
Related: Brute Force Attack · Registration Hijacking · ITSP
Brute Force Attack
An automated attack that tries thousands of username and password combinations to guess valid SIP credentials. Attackers use software that rapidly sends SIP REGISTER requests with different passwords. If they succeed, they can hijack your account and make calls at your expense. Protection includes strong passwords, Fail2Ban, and limiting login attempts.
Related: Fail2Ban · VoIP Fraud/Toll Fraud · Digest Authentication
SIP Scanning / Port Scanning
The process of systematically probing IP addresses and ports to find active SIP servers or phones. Attackers use automated tools to scan the internet for devices listening on SIP ports (typically 5060 and 5061). Once they find a target, they attempt brute force attacks or exploit known vulnerabilities. Changing the default SIP port and using firewalls can reduce exposure.
Related: Brute Force Attack · ACL · SIP
Registration Hijacking
An attack where someone takes over your SIP registration by sending a new REGISTER message to the server with your credentials. The server updates the contact address to point to the attacker's device. After that, incoming calls meant for you go to the attacker instead. This can be used for eavesdropping or fraud. TLS and strong authentication help prevent it.
Related: TLS · Digest Authentication · REGISTER
Eavesdropping / Call Interception
Secretly listening to VoIP calls by capturing network traffic. If calls are not encrypted (no TLS for signalling, no SRTP for audio), anyone with access to the same network segment can record and replay conversations. This is especially risky on public Wi-Fi or shared networks. Enabling both TLS and SRTP eliminates this threat.
Related: TLS · SRTP · VPN for VoIP
DoS / DDoS Attack
A Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack floods your VoIP server with massive amounts of traffic, making it unable to handle real calls. DDoS attacks come from many sources at once, making them harder to block. The result is dropped calls, poor audio quality, or a complete phone outage. Cloud PBX providers typically have built-in DDoS mitigation.
Related: QoS · ACL
Fail2Ban
An open-source security tool that monitors log files for repeated failed login attempts and automatically blocks the attacker's IP address. In VoIP, Fail2Ban watches SIP registration logs. After a set number of failed attempts (e.g., 5 within 60 seconds), it adds a firewall rule to ban that IP. It is one of the most effective and simple protections against brute force attacks.
Related: Brute Force Attack · ACL
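Added example (not Fail2Ban's own code): the counting logic described above, using Fail2Ban's `maxretry` and `findtime` parameter names with the 5-in-60-seconds threshold from the definition. The log format and the log lines are constructed for illustration and do not match any specific PBX.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified log format: "<date> <time> REGISTER failed user=<ext> src=<ip>"
LINE_RE = re.compile(r"^(\S+ \S+) REGISTER failed user=\S+ src=(\S+)$")

def find_bans(lines, maxretry=5, findtime=60):
    """Return {ip: timestamp of the failure that triggered the ban}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # per-IP timestamps of recent failures
    bans = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # successful registrations and unrelated lines
        stamp, ip = m.group(1), m.group(2)
        if ip in bans:
            continue              # already blocked at the firewall
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = stamp
    return bans

def sample_log():
    """Constructed log: one fast guesser, one user mistyping slowly, one success."""
    lines = [f"2024-05-01 10:00:{s:02d} REGISTER failed user=1001 src=203.0.113.7"
             for s in range(0, 12, 2)]
    lines += [f"2024-05-01 10:{m:02d}:30 REGISTER failed user=1002 src=198.51.100.20"
              for m in range(0, 10, 2)]
    lines.append("2024-05-01 10:00:05 REGISTER ok user=1003 src=192.0.2.44")
    return sorted(lines)          # fixed-width timestamps sort chronologically

if __name__ == "__main__":
    print(find_bans(sample_log()))
```

The slow mistyper also fails five times but never five times inside one 60-second window, so only the rapid source is banned.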
Digest Authentication
The standard SIP method for verifying usernames and passwords. When your phone or PBX sends a SIP request, the server replies with a challenge (a 401 or 407 response). Your device then re-sends the request with a hashed version of the password. The password itself is never sent in plain text over the network. This is more secure than basic authentication, but weaker than TLS-based methods.
Related: Credential Authentication · Brute Force Attack
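Added example (not from the original glossary): the challenge-response exchange above, computed with the MD5 `qop=auth` scheme from RFC 2617 that SIP digest authentication uses. The account, realm, and password are constructed, the function names are hypothetical, and the single-use nonce set is a simplifying assumption about how the server tracks its challenges.

```python
import hashlib
import hmac
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(username, realm, password):
    # The server can store this hash instead of the password itself.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def client_authorization(username, realm, password, method, uri, nonce):
    """Fields the phone sends back after receiving the 401/407 challenge."""
    cnonce, nc = secrets.token_hex(8), "00000001"
    response = digest_response(ha1(username, realm, password),
                               method, uri, nonce, nc, cnonce)
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "response": response}

def server_verify(stored_ha1, issued_nonces, method, auth):
    """Recompute the response from the stored hash and compare in constant time."""
    if auth["nonce"] not in issued_nonces:
        return False                      # unknown or already-used challenge
    issued_nonces.discard(auth["nonce"])  # assumption: each nonce is accepted once
    expected = digest_response(stored_ha1, method, auth["uri"], auth["nonce"],
                               auth["nc"], auth["cnonce"], auth["qop"])
    return hmac.compare_digest(expected, auth["response"])

def demo():
    realm, password = "pbx.example.com", "constructed-password"
    stored = ha1("1001", realm, password)
    nonces = {secrets.token_hex(16)}      # nonce sent in the 401 challenge
    nonce = next(iter(nonces))
    auth = client_authorization("1001", realm, password,
                                "REGISTER", "sip:pbx.example.com", nonce)
    accepted = server_verify(stored, nonces, "REGISTER", auth)
    replayed = server_verify(stored, nonces, "REGISTER", auth)
    password_on_wire = password in " ".join(auth.values())
    return accepted, replayed, password_on_wire

if __name__ == "__main__":
    print(demo())
```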
Certificate / TLS Certificate
A digital file that proves the identity of a server (or sometimes a client). When your phone connects to a Cloud PBX server using TLS, the server presents its certificate. Your phone checks that the certificate was issued by a trusted authority and has not expired. This prevents man-in-the-middle attacks, where an attacker pretends to be the server.
Related: TLS · SIP over TLS
VPN for VoIP
Using a Virtual Private Network to create an encrypted tunnel for all VoIP traffic between your office and the Cloud PBX provider. A VPN protects both signalling and audio even if TLS and SRTP are not configured. It is most useful for remote workers or branch offices connecting over the public internet. The downside is that VPNs can add latency, which may affect call quality.
Related: TLS · SRTP · Eavesdropping/Call Interception
ACL (Access Control List)
A set of firewall rules that define which IP addresses are allowed or denied access to your VoIP system. ACLs are used to restrict SIP and RTP traffic to known, trusted IP addresses (e.g., your office IP, your provider's servers). This prevents unauthorized devices from even reaching your phone system. ACLs are a fundamental layer of VoIP security.
Related: IP Authentication · Fail2Ban · SIP Scanning/Port Scanning

Related Sections

🔗 SIP Protocol — The signalling protocol that powers VoIP calls
📡 SIP Trunking — How your PBX connects to the telephone network
📞 Core Concepts — PSTN, ISDN, DID, and foundational terms
🎵 Audio, Media and Codecs — RTP, codecs, and audio media terms
