SHARE



ABOUT THE AUTHOR


Andrew Prokop
Andrew Prokop has been heavily involved in the world of communications since the early 1980s. He holds five United States...
Read Full Bio >>
SHARE



Andrew Prokop | June 09, 2015 |

 
   

Building a Secure SIP Network

Building a Secure SIP Network With the proper configuration, policies, and services, we can assure ourselves that our conversation has been secured.

With the proper configuration, policies, and services, we can assure ourselves that our conversation has been secured.

For the most part, I love my job. I love sifting through Wireshark traces trying to find needles in SIP haystacks. I get excited learning about new IP communications products, and my heart practically skips a beat when I read about another SIP service climbing out of its physical shell and going virtual.

The best part of my job, however, is when I get to walk away from my PC, IP telephones, and LAN analyzers to meet with the users of unified communications technology. It doesn’t matter if it’s a regional user’s group or a series of one-on-one meetings with IT professionals. I love solving problems and helping people understand the technology that is near and dear to my heart.

With that in mind, today I thought I’d delve into one of the session topics I will be speaking on at the upcoming International Avaya User’s Group’s (IAUG) “Converge” conference in Denver, where I hope to help users solve the problem of securing a SIP network.

Building a Secure SIP Network

When you think about security in terms of SIP and VoIP, you need to consider four different areas:

  1. First, you want to protect the SIP signaling.
  2. You need to protect the media stream.
  3. You need to ensure that people are who they say they are.
  4. Lastly, you need to create a secure network edge that prevents the bad guys from sneaking into your business and compromising your VoIP network.
Securing SIP signaling

SIP is comprised of two types of messages. The first is called the SIP Request, or SIP Method. This could be the INVITE that begins a SIP conversation, the BYE that ends one, or the REFER that moves an existing conversation from one party to another. You may be surprised to learn that for all that SIP can do, there are only 13 request types. Clearly, big things come in small packages.

The second message type is the SIP Response. This might be the “180 Ringing” response that’s generated when a telephone begins to ring, or the “200 OK” response that’s sent when that ringing phone is answered. With the exception of the ACK Method, one or more response messages is sent for every request.

To protect SIP signaling you need to encrypt it. This is no different than encrypting Web traffic for online purchases. In the case of Web messages, that’s done with HTTPS, or Secure Hypertext Transfer Protocol. With SIP, it’s called Transport Layer Security, or TLS. TLS encodes SIP Requests and SIP Responses so they cannot be understood by anyone other than the sender and recipient of the messages. While the mechanics of TLS are fairly complicated, encryption is essentially accomplished with public and private certificates. Data encrypted with a public certificate can only be decrypted with its private certificate counterpart.

In the SIP world, media is sent using something called Real-Time Protocol, or RTP, an encapsulation protocol for the data bits that make up the voice conversation. The media might be G.711, G.729, or G.722. It’s RTP’s job to get the data to where it needs to go without any concern as to what that data might be. To protect RTP, you must encrypt it. This is known as Secure Real-Time Protocol, or SRTP. SRTP ensures that if someone captures a LAN or WAN trace of your voice conversation, it cannot be played back. Only the sender and receiver of the RTP stream can decipher and listen to a conversation.

It is important to ensure that SIP messages have not been spoofed. Just because I say that I am Andrew Prokop in a SIP message doesn’t guarantee that I really am Andrew. I need to prove it.

Built into SIP is the ability to challenge messages. A challenge forces the sender to return his or her encrypted credentials. A subscriber database such as Active Directory is then queried to verify the authenticity of those credentials. This prevents a rogue SIP client from pretending to be an authorized user on your network in order to gain access to your communications resources or play havoc with existing calls.

Session Border Controllers

The Session Border Controller (SBC) is the least understood component of SIP Security, but that really shouldn’t be the case. In its most simplistic sense, an SBC is a firewall for SIP. It prevents unauthorized SIP traffic from entering your network. It also performs deep packet inspection of all SIP messages to ensure that they don’t contain anything malicious.

So, why not just run SIP traffic through your data firewall? You could, but you would probably regret that decision. Firewalls are designed to work with larger, more evenly paced packets, while SBCs are designed to deal with the bursty, small-packet nature of VoIP communications. Delay and jitter will destroy a VoIP conversation, and SBCs inspect and relay SIP messages and media at near wire speed. Additionally, firewalls do not contain the specialized hardware that SBCs use for encryption, decryption, and transcoding.

I’ve addressed SBCs a number of times here on No Jitter. For a more detailed explanation of the features an enterprise SBC provides, I recommend that you take a look at The Fine Art of Choosing the Right SBC.

We take for granted the need for firewalls, virus checkers, and secure browsers for our Web activity, and it’s essential that we think along those same lines when it comes to SIP and VoIP communications. Thankfully, with the proper configuration, policies, and services, we can assure ourselves that every time we pick up a SIP telephone, start a video conference, or send an instant message, our identity has been protected and our conversation has been secured.

Coming to Denver?

IAUG’s Converge conferences are one of my favorite places to meet, greet, and speak to unified communications professionals. I have been speaking at IAUG gatherings for many years and look forward to each one like a Minnesotan looks forward to the arrival of summer. Like the glutton for punishment that I am, at this year’s Converge2015, taking place June 14 to 18, I signed up to present seven different breakout sessions. (I know … what was I thinking?)

To learn more about this important topic while seeing me walk and talk in person, I invite you to attend my security presentation at Converge2015 -- Session 406, Monday, June 15 at 1:00. Tell them No Jitter sent you.

Andrew Prokop writes about all things unified communications on his popular blog, SIP Adventures.

Follow Andrew Prokop on Twitter and LinkedIn!
@ajprokop
Andrew Prokop on LinkedIn





COMMENTS



Enterprise Connect Orlando 2018
March 12-15 | Orlando, FL

Connect with the Entire Enterprise Communications & Collaboration Ecosystem


Stay Up-to-Date: Hear industry visionaries in Keynotes and General Sessions delivering the latest insight on UC, mobility, collaboration and cloud

Grow Your Network: Connect with the largest gathering of enterprise IT and business leaders and influencers

Learn From Industry Leaders: Attend a full range of Conference Sessions, Free Programs and Special Events

Evaluate All Your Options: Engage with 190+ of the leading equipment, software and service providers

Have Fun! Mingle with sponsors, exhibitors, attendees, guest speakers and industry players during evening receptions

Register now with code NOJITTEREB to save $200 Off Advance Rates or get a FREE Expo Pass!

September 20, 2017

Customer experience can make or break your business. But how do you achieve outstanding customer service when you're dealing with outdated organizational structure, lagging technology, dated proces

August 16, 2017

Contact centers have long been at the leading edge of innovation in communications technology, given their promise of measurable ROI and the continual need to optimize customer interactions and sta

July 12, 2017

Enterprises have been migrating Unified Communications & Collaboration applications to datacenters - private clouds - for the past few years. With this move comes the opportunity to leverage da

September 8, 2017
Greg Collins, a technology analyst and strategist with Exact Ventures, delivers a status report on 5G implementation plans and tells enterprises why they shouldn't wait to move ahead on potential use ....
August 25, 2017
Find out what business considerations are driving the SIP trunking market today, and learn a bit about how satisfied enterprises are with their providers. We talk with John Malone, president of The Ea....
August 16, 2017
World Vision U.S. is finding lots of goodness in RingCentral's cloud communications service, but as Randy Boyd, infrastructure architect at the global humanitarian nonprofit, tells us, he and his team....
August 11, 2017
Alicia Gee, director of unified communications at Sutter Physician Services, oversees the technical team supporting a 1,000-agent contact center running on Genesys PureConnect. She catches us up on th....
August 4, 2017
Andrew Prokop, communications evangelist with Arrow Systems Integration, has lately been working on integrating enterprise communications into Internet of Things ecosystems. He shares examples and off....
July 27, 2017
Industry watcher Elka Popova, a Frost & Sullivan program director, shares her perspective on this acquisition, discussing Mitel's market positioning, why the move makes sense, and more.
July 14, 2017
Lantre Barr, founder and CEO of Blacc Spot Media, urges any enterprise that's been on the fence about integrating real-time communications into business workflows to jump off and get started. Tune and....
June 28, 2017
Communications expert Tsahi Levent-Levi, author of the popular BlogGeek.me blog, keeps a running tally and comprehensive overview of communications platform-as-a-service offerings in his "Choosing a W....
June 9, 2017
If you think telecom expense management applies to nothing more than business phone lines, think again. Hyoun Park, founder and principal investigator with technology advisory Amalgam Insights, tells ....
June 2, 2017
Enterprises strategizing on mobility today, including for internal collaboration, don't have the luxury of learning as they go. Tony Rizzo, enterprise mobility specialist with Blue Hill Research, expl....
May 24, 2017
Mark Winther, head of IDC's global telecom consulting practice, gives us his take on how CPaaS providers evolve beyond the basic building blocks and address maturing enterprise needs.
May 18, 2017
Diane Myers, senior research director at IHS Markit, walks us through her 2017 UC-as-a-service report... and shares what might be to come in 2018.
April 28, 2017
Change isn't easy, but it is necessary. Tune in for advice and perspective from Zeus Kerravala, co-author of a "Digital Transformation for Dummies" special edition.
April 20, 2017
Robin Gareiss, president of Nemertes Research, shares insight gleaned from the firm's 12th annual UCC Total Cost of Operations study.
March 23, 2017
Tim Banting, of Current Analysis, gives us a peek into what the next three years will bring in advance of his Enterprise Connect session exploring the question: Will there be a new model for enterpris....
March 15, 2017
Andrew Prokop, communications evangelist with Arrow Systems Integration, discusses the evolving role of the all-important session border controller.
March 9, 2017
Organizer Alan Quayle gives us the lowdown on programmable communications and all you need to know about participating in this pre-Enterprise Connect hackathon.
March 3, 2017
From protecting against new vulnerabilities to keeping security assessments up to date, security consultant Mark Collier shares tips on how best to protect your UC systems.
February 24, 2017
UC analyst Blair Pleasant sorts through the myriad cloud architectural models underlying UCaaS and CCaaS offerings, and explains why knowing the differences matter.
February 17, 2017
From the most basics of basics to the hidden gotchas, UC consultant Melissa Swartz helps demystify the complex world of SIP trunking.
February 7, 2017
UC&C consultant Kevin Kieller, a partner at enableUC, shares pointers for making the right architectural choices for your Skype for Business deployment.
February 1, 2017
Elka Popova, a Frost & Sullivan program director, shares a status report on the UCaaS market today and offers her perspective on what large enterprises need before committing to UC in the cloud.
January 26, 2017
Andrew Davis, co-founder of Wainhouse Research and chair of the Video track at Enterprise Connect 2017, sorts through the myriad cloud video service options and shares how to tell if your choice is en....
January 23, 2017
Sheila McGee-Smith, Contact Center/Customer Experience track chair for Enterprise Connect 2017, tells us what we need to know about the role cloud software is playing in contact centers today.