Security · August 14, 2025 · 10 min read

SIP Trunk Security Best Practices for Enterprise VoIP

SIP trunks are the gateway between your phone system and the outside world. Securing them properly is critical to preventing toll fraud, eavesdropping, and service disruption.

Why SIP Trunk Security Matters

The Stakes Are High: The Communications Fraud Control Association estimates global telecom fraud losses exceed $38 billion annually. Compromised SIP trunks are one of the most common attack vectors.

SIP trunks carry your organization's voice traffic over the internet. Unlike traditional PSTN lines that required physical access to tap, SIP traffic traverses public IP networks where it can potentially be intercepted, manipulated, or exploited. A single compromised trunk can result in:

  • Toll fraud: Attackers route expensive international calls through your trunk, running up thousands in charges overnight
  • Eavesdropping: Unencrypted voice calls can be captured and reconstructed by anyone on the network path
  • Service disruption: SIP floods and malformed packets can crash your PBX or exhaust trunk capacity
  • Caller ID spoofing: Attackers can impersonate your business for social engineering attacks

1. Encryption: TLS for Signaling, SRTP for Media

Encryption is the foundation of SIP trunk security. There are two layers to encrypt:

TLS (Transport Layer Security)

Encrypts SIP signaling messages, protecting call setup details, authentication credentials, and caller information from interception.

SRTP (Secure Real-time Transport Protocol)

Encrypts the actual voice audio stream, preventing eavesdropping on conversation content.

Asterisk PJSIP - TLS Transport Configuration
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
ca_list_file=/etc/asterisk/keys/ca.crt
; Pin the TLS version explicitly (tlsv1_2 or tlsv1_3) rather than accepting legacy versions
method=tlsv1_2

; Trunk endpoint with full encryption (abbreviated: aors, outbound_auth and context omitted)
[ipcomms-trunk]
type=endpoint
transport=transport-tls
media_encryption=sdes
; Offers SRTP but lets the call proceed as plain RTP if the far end does not negotiate it;
; set this to no once the provider has confirmed SRTP works, so a misconfiguration fails
; loudly instead of silently falling back to unencrypted audio
media_encryption_optimistic=yes

IPComms Supports TLS/SRTP: All IPComms SIP trunks support TLS on port 5061 and SRTP media encryption. Enable it in your PBX configuration for end-to-end encrypted calls.
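The settings above are easy to get subtly wrong (a transport left on UDP, SRTP left optional, a short trunk secret), so the following added example, which is not IPComms or Asterisk code, audits a pjsip.conf fragment for exactly those points. Both sample configurations are constructed; the "weak" one shows the before state and the "hardened" one the corrected settings, including the 16+ character password rule from the checklist further down.

```python
"""Audit a pjsip.conf fragment for the encryption and credential settings this
section describes. Added example (not IPComms or Asterisk code); both sample
configurations below are constructed."""
import configparser
from typing import Dict, List

STRONG_TLS_METHODS = {"tlsv1_2", "tlsv1_3"}
ENCRYPTED_MEDIA = {"sdes", "dtls"}
MIN_PASSWORD_LEN = 16  # checklist: 16+ characters for digest auth

# Constructed "before": plain UDP transport, no SRTP, short trunk password.
WEAK_CONF = """\
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060

[trunk-auth]
type=auth
auth_type=userpass
username=trunkuser
password=secret123

[trunk]
type=endpoint
transport=transport-udp
media_encryption=no
outbound_auth=trunk-auth
"""

# Constructed "after": TLS 1.2 pinned, SRTP mandatory, 24-character secret.
HARDENED_CONF = """\
; hardened trunk configuration (constructed sample)
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
ca_list_file=/etc/asterisk/keys/ca.crt
method=tlsv1_2

[trunk-auth]
type=auth
auth_type=userpass
username=trunkuser
password=Kx9v-Lm2q-Tz7w-Rb4n-Hs8p

[trunk]
type=endpoint
transport=transport-tls
media_encryption=sdes
media_encryption_optimistic=no
outbound_auth=trunk-auth
"""


def parse_pjsip(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-style pjsip.conf into {section: {option: value}}."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",),
        comment_prefixes=(";", "#"), inline_comment_prefixes=(";",))
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def audit(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means the fragment passes."""
    conf = parse_pjsip(text)
    findings: List[str] = []
    tls_transports = set()
    for name, sec in conf.items():
        if sec.get("type") != "transport":
            continue
        if sec.get("protocol") != "tls":
            findings.append(f"{name}: protocol={sec.get('protocol', '<unset>')} sends SIP "
                            "signaling in the clear; use protocol=tls")
            continue
        tls_transports.add(name)
        if sec.get("method") not in STRONG_TLS_METHODS:
            findings.append(f"{name}: method={sec.get('method', '<unset>')}; pin tlsv1_2 or tlsv1_3")
        for key in ("cert_file", "priv_key_file"):
            if key not in sec:
                findings.append(f"{name}: {key} is missing")
    for name, sec in conf.items():
        kind = sec.get("type")
        if kind == "endpoint":
            if sec.get("transport") not in tls_transports:
                findings.append(f"{name}: transport={sec.get('transport', '<unset>')} is not a TLS transport")
            if sec.get("media_encryption", "no") not in ENCRYPTED_MEDIA:
                findings.append(f"{name}: media_encryption={sec.get('media_encryption', 'no')}; "
                                "audio is not SRTP-protected")
            if sec.get("media_encryption_optimistic", "no") == "yes":
                findings.append(f"{name}: media_encryption_optimistic=yes lets calls fall back "
                                "to plain RTP when the far end does not negotiate SRTP")
        elif kind == "auth":
            pw = sec.get("password", "")
            if len(pw) < MIN_PASSWORD_LEN:
                findings.append(f"{name}: password is {len(pw)} characters; use {MIN_PASSWORD_LEN}+")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit(conf))} finding(s)")
        for finding in audit(conf):
            print("  -", finding)
```

Run against the page's own trunk endpoint, the auditor would report only the optimistic-SRTP fallback; that is the one setting worth revisiting once the provider side is known to negotiate SRTP reliably.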

2. Access Control: Restrict Who Can Reach Your Trunk

Limit SIP trunk access to only the IP addresses that need it. This dramatically reduces your attack surface:

iptables - SIP trunk firewall rules
# Rules are evaluated in order and -A appends, so these must come before any
# broad ACCEPT in the INPUT chain; the DROP rules at the end only take effect
# because the provider ACCEPTs precede them.

# Allow SIP signaling from your provider (IPComms)
iptables -A INPUT -s 34.23.59.14 -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -s 34.23.59.14 -p tcp --dport 5061 -j ACCEPT

# Allow RTP media from provider (range must match the one configured in rtp.conf)
iptables -A INPUT -s 34.23.59.14 -p udp --dport 10000:20000 -j ACCEPT

# Allow internal PBX management (your network only)
iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 8088 -j ACCEPT

# Drop everything else on SIP ports
iptables -A INPUT -p udp --dport 5060 -j DROP
iptables -A INPUT -p tcp --dport 5060:5061 -j DROP

Never Expose SIP Globally: Port 5060 is one of the most scanned ports on the internet. Automated SIP scanners will find and probe your system within hours of exposure. Always restrict access to known IPs.

For organizations using cloud-hosted PBX systems, consider placing your SIP infrastructure behind a Session Border Controller (SBC) that acts as a security gateway between your internal network and the SIP trunk provider.

3. Authentication Methods

There are two primary methods for authenticating SIP trunks, each with different security profiles:

IP-Based Authentication

Trust is established based on the source IP address. No credentials are transmitted over the network.

  • + No credentials to steal
  • + No registration overhead
  • - Requires static IP

Digest Authentication

Username and password are used with SIP REGISTER. The password itself is never sent; the client answers the server's challenge with a hash of it. Without TLS, though, that challenge/response exchange travels in the clear and can be captured.

  • + Works with dynamic IPs
  • + Easy to set up
  • - Credentials can be captured without TLS

Best Practice: Use IP authentication when possible. If you must use digest authentication, always enable TLS to protect credentials in transit. IPComms supports both authentication methods.

4. Fraud Prevention Controls

Even with strong authentication, implement layered fraud prevention:

  • Call rate limiting: Set maximum concurrent calls and calls-per-minute thresholds. If your business normally handles 20 concurrent calls, alert at 30 and block at 50.
  • Geographic restrictions: Block international dialing to countries you never call. Most toll fraud targets premium-rate numbers in specific countries.
  • Time-of-day restrictions: If your business operates 8am-6pm, disable outbound international calls outside business hours.
  • Spending caps: Set daily and monthly spending limits with your SIP trunk provider to cap potential fraud losses.
  • Premium number blocking: Block calls to known premium-rate number ranges (e.g., 1-900 in North America).

extensions.conf - Block international calls outside business hours
[outbound-controls]
; Allow domestic (NANP) calls anytime
exten => _1NXXNXXXXXX,1,Dial(PJSIP/${EXTEN}@ipcomms)

; International calls - business hours only (Mon-Fri 08:00-18:00, PBX local time)
exten => _011.,1,GotoIfTime(08:00-18:00,mon-fri,*,*?allowed)
 same => n,Playback(after-hours-international-blocked)
 same => n,Hangup()
 same => n(allowed),Dial(PJSIP/${EXTEN}@ipcomms)

; Block premium rate numbers; Asterisk prefers this pattern over _1NXXNXXXXXX
; for 1-900 numbers because its literal digits make it more specific
exten => _1900NXXXXXX,1,Playback(number-blocked)
 same => n,Hangup()
; Anything matching none of these patterns is rejected, which is the safe default
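The dialplan above encodes three of the controls from the list (premium blocking, time-of-day restriction, domestic allow) while the concurrent-call thresholds live elsewhere in the PBX. The following added example, not IPComms or Asterisk code, expresses the whole policy in one place so it can be evaluated outside the PBX, for instance when reviewing a proposed dialplan change or replaying CDRs. The pattern_to_regex function implements Asterisk's dialplan pattern syntax (X, Z, N, '.', '!', bracketed sets), so the same patterns as the extensions.conf snippet are used directly; the 30/50 alert and block thresholds are the ones given in the list, and the sample numbers are constructed.

```python
"""Outbound-call policy mirroring the fraud controls above. Added example,
not IPComms or Asterisk code; thresholds and business hours come from the
text, sample numbers are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Tuple

ALERT_AT, BLOCK_AT = 30, 50                       # concurrent-call thresholds from the text
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an Asterisk dialplan pattern into an anchored regex."""
    if not pattern.startswith("_"):
        return re.compile(re.escape(pattern) + r"\Z")   # literal extension
    out: List[str] = []
    body = pattern[1:].upper()
    i = 0
    while i < len(body):
        c = body[i]
        if c == "X":
            out.append("[0-9]")
        elif c == "Z":
            out.append("[1-9]")
        elif c == "N":
            out.append("[2-9]")
        elif c == ".":
            out.append(".+")          # one or more of anything
        elif c == "!":
            out.append(".*")          # zero or more of anything
        elif c == "[":
            end = body.index("]", i)  # character set such as [2-9] or [02-9]
            out.append("[" + body[i + 1:end] + "]")
            i = end
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")


# Ordered most specific first, which is also how Asterisk ranks overlapping patterns.
RULES: List[Tuple[str, str]] = [
    ("_1900NXXXXXX", "block"),           # premium-rate (1-900)
    ("_1NXXNXXXXXX", "allow"),           # NANP domestic
    ("_011.", "business-hours"),         # international
]
COMPILED = [(pattern_to_regex(p), p, action) for p, action in RULES]


@dataclass
class Decision:
    allowed: bool
    alert: bool      # True when concurrent calls are at or above ALERT_AT
    reason: str


def in_business_hours(when: datetime) -> bool:
    return when.weekday() < 5 and BUSINESS_START <= when.time() < BUSINESS_END


def decide(number: str, when: datetime, active_calls: int) -> Decision:
    """Apply the concurrent-call cap, then the first matching dialplan rule."""
    if active_calls >= BLOCK_AT:
        return Decision(False, True, f"{active_calls} concurrent calls >= block threshold {BLOCK_AT}")
    alert = active_calls >= ALERT_AT
    for regex, pattern, action in COMPILED:
        if not regex.match(number):
            continue
        if action == "block":
            return Decision(False, alert, f"{number} matches blocked pattern {pattern}")
        if action == "allow":
            return Decision(True, alert, f"domestic call ({pattern})")
        if in_business_hours(when):
            return Decision(True, alert, f"international call during business hours ({pattern})")
        return Decision(False, alert, "international call outside Mon-Fri 08:00-18:00")
    return Decision(False, alert, "no dialplan pattern matched (default deny)")


if __name__ == "__main__":
    late_tuesday = datetime(2025, 8, 12, 22, 0)   # constructed timestamps
    for num, calls in (("12125551234", 5), ("01144207946", 5), ("19005551234", 5), ("12125551234", 35)):
        d = decide(num, late_tuesday, calls)
        print(f"{num:>12} active={calls:<3} allowed={d.allowed!s:<5} alert={d.alert!s:<5} {d.reason}")
```

Keeping the rule table in this form makes it straightforward to diff against what the PBX actually enforces; a mismatch between the two is itself a finding.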

5. Monitoring and Logging

Security without monitoring is incomplete. Implement these monitoring practices:

  • CDR analysis: Review Call Detail Records daily for unusual patterns - calls at odd hours, spikes in international traffic, or calls to unfamiliar destinations
  • Real-time alerts: Configure alerts for concurrent call threshold breaches, failed authentication attempts, and unusual call durations
  • SIP log retention: Keep SIP signaling logs for at least 90 days for forensic analysis
  • Failed registration monitoring: A spike in failed REGISTER attempts indicates a brute-force attack in progress

IPComms Monitoring: IPComms provides real-time call analytics, automatic fraud detection, and configurable spending alerts through the customer portal at portal.ipcomms.net.

6. Network-Level Security

Secure the network infrastructure that carries your SIP traffic:

VLAN Segmentation

Place voice traffic on a dedicated VLAN separate from data traffic. This limits the blast radius of a compromise and enables QoS policies.

Session Border Controller

Deploy an SBC at your network edge to normalize SIP messages, hide internal topology, and provide an additional authentication layer.

VPN for Remote Users

Require remote softphone users to connect via VPN rather than exposing SIP ports to arbitrary internet addresses.

Intrusion Detection

Deploy SIP-aware IDS/IPS systems that can detect scanning, fuzzing, and brute-force attempts targeting your voice infrastructure.

SIP Trunk Security Checklist

Use this checklist to audit your SIP trunk security posture:

  • TLS enabled for SIP signaling (port 5061)
  • SRTP enabled for media encryption
  • Firewall restricts SIP ports to provider IPs only
  • IP authentication used where possible
  • Strong passwords (16+ characters) for digest auth
  • Fail2Ban configured for SIP brute-force protection
  • International call restrictions in place
  • Daily spending caps configured
  • CDR monitoring and anomaly alerts active
  • Voice VLAN segmented from data network
  • Remote users on VPN
  • SIP logs retained for 90+ days

Secure SIP Trunking with IPComms

IPComms provides enterprise-grade SIP trunks with TLS/SRTP encryption, IP authentication, automatic fraud detection, and spending controls built in.
