“The good we secure for ourselves is precarious and uncertain until it is secured for all of us and incorporated into our common life.”
— Jane Addams
If you have ever bought a home, you’ve undoubtedly experienced the frustration of closing. In addition to purchasing the house and the land it sits on, you wind up writing checks for all sorts of things (fees for loan origination and filing, title search, settlement, a credit report, loan recording, courier services, a notary, a home inspection, title insurance, etc.). Adding to the frustration is that the fees, and often their names, differ from one title company to the next. It’s difficult to know what you need, what you don’t, why you need it, and what you are getting, making it nearly impossible to shop around for the best value.
I feel the same frustration when it comes to shopping for SIP trunks. Providers package their solutions into unique offerings that rarely tell you exactly what you are getting. For example, I’m working on a project that requires me to know if REFER is supported on the customer’s SIP trunks, and after looking through several carrier-supplied documents and reference guides, I’m still not sure. Since I can’t afford to guess, I have no alternative other than to make countless phone calls, hoping to find someone who can tell me.
This goes well beyond which SIP messages are supported and what behavior anomalies might exist. As SIP becomes more widespread and enterprises place more SIP endpoints outside the bounds of their physical and logical networks (thank you, COVID-19), security concerns become paramount. We may live in uncertain times, but uncertainty has no place in security planning. An enterprise needs to be clear about how they interface with the outside world and how they are mitigating any potential threats from that exposure. There is no place for guesswork or simply trusting that your business partner is taking the necessary steps to protect you from harm.
Did you know that SIP is the world’s most hacked protocol? Anyone who has ever stood up a publicly facing SIP server and monitored the incoming packets can tell you that. Within minutes of going online, a SIP server will see registration attempts come in from across the world. In addition to trying to gain access to your SIP resources, attackers unleash Denial of Service and malformed SIP message attacks to take down SIP servers or render them useless. Enterprises that are not prioritizing SIP security are opening themselves up to toll fraud and downtime.
Of course, securing SIP is not a one-sided affair. The enterprise and the SIP provider share in the responsibility of ensuring that good SIP traffic gets through, and bad traffic is dealt with appropriately. Unfortunately, like those closing documents, it’s hard to know exactly what the carrier is doing to protect you. Everybody claims to be doing everything in their power to secure both ends of the SIP pipe, but it’s very difficult to find documents and/or people to assure the enterprise of that.
The problem is amplified now that so many non-traditional vendors are providing SIP services. There are the old standbys like AT&T and the born-in-the-cloud providers like Twilio and Flowroute, but these days you can even buy trunks from UC vendors such as Avaya and Mitel. Having a larger pool of providers is a good thing, but it makes the decision process that much more complicated.
The SIP Security Challenge
That is why I am calling on enterprises and SIP carriers to come forth with what they need and what they are doing. I would love to create an RFP-like document that lists what is important and who provides it. With this document, buyers can ensure their security needs are being met, and providers can share how they fill in security gaps.
To kick things off, these are the kinds of questions I want answers to:
- What versions of TLS do you support?
- What versions of TLS do you reject?
- How do you handle TLS version mismatches?
- Do you support SIPS (SIP over TLS)?
- Do you support SRTP (Secure Real-time Transport Protocol) and SRTCP (Secure Real-time Transport Control Protocol)?
- Can you detect and remediate registration storms?
- What key exchange mechanisms (DTLS-SRTP, SDES) do you support?
- How quickly can you detect and remediate denial of service (DoS) and distributed denial of service (DDoS) attacks?
- How do you react when encountering a malformed SIP packet or unknown SIP headers?
- What ciphers do you use?
- How do you detect and remediate call spoofing?
- Have you implemented STIR/SHAKEN?
- How do you detect and remediate Spam-over-Internet-Telephony (SPIT)?
- How do you protect the integrity of SIP messages (the message sent is essentially the same as the message received)?
- How extensively do you support proposals such as RFC 3329 (Security Mechanism Agreement for the Session Initiation Protocol)?
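The registration storms mentioned above are the one item on this list an enterprise can check for itself on its own SBC or proxy logs. The following is an added example, not code from the original post or from any carrier: it flags a source that exceeds a threshold of failed REGISTER attempts within a sliding window, while leaving a legitimate phone alone (a normal digest-authenticated registration produces one 401 challenge per cycle, which is why a threshold rather than a single failure is needed). The log format, IP addresses, and sample lines are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example): "timestamp source-ip method response-code".
WINDOW = timedelta(seconds=60)   # sliding window length
THRESHOLD = 20                   # failed REGISTERs per source inside the window

def build_sample_log():
    """Constructed sample log: one legitimate phone and one scanner (not real traffic)."""
    t0 = datetime(2020, 6, 1, 10, 0, 0)
    lines = []
    # Legitimate phone re-registering every 60 s: one 401 challenge, then 200 OK.
    for i in range(10):
        t = t0 + timedelta(seconds=60 * i)
        lines.append(f"{t.isoformat()} 198.51.100.10 REGISTER 401")
        lines.append(f"{(t + timedelta(milliseconds=50)).isoformat()} 198.51.100.10 REGISTER 200")
    # Scanner guessing extensions: 40 rejected REGISTERs in 20 s.
    for i in range(40):
        t = t0 + timedelta(seconds=30, milliseconds=500 * i)
        lines.append(f"{t.isoformat()} 203.0.113.7 REGISTER 403")
    return sorted(lines, key=lambda l: datetime.fromisoformat(l.split()[0]))

def parse_line(line):
    ts, ip, method, code = line.split()
    return datetime.fromisoformat(ts), ip, method, int(code)

def detect_registration_storms(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: time_first_flagged} for sources whose failed REGISTER
    count inside the sliding window reaches the threshold. Lines must be in time order."""
    recent = defaultdict(deque)   # per-source timestamps of recent failures
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, ip, method, code = parse_line(line)
        # Only failed registrations count; 200 OK and non-REGISTER traffic are ignored.
        if method != "REGISTER" or code not in (401, 403, 407):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in detect_registration_storms(build_sample_log()).items():
        print(f"registration storm from {ip} detected at {when.isoformat()}")
```

Feeding the detector real SBC logs only requires replacing build_sample_log() and parse_line() with the format your platform emits; the window and threshold should be tuned to the normal re-registration interval of your endpoints.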
I could go on and on, but you get the point. Security is essential when it comes to building out a SIP network, and questions like “how is it ensured” and “who is ensuring it” should never be left to guesswork. It is my firm belief that if you don’t know how well something has been secured, it’s as good as not being secured at all. An enterprise must be aware of where they are strong and where they are weak. You can be assured that hackers are diligently looking to find those answers, and the consequences of them finding out first can be devastating.
Head-To-Head
As an experiment, I chose TLS and supported ciphers from my list and applied them to three SIP carriers — Twilio, Verizon, and CenturyLink. Although my research was in no way exhaustive, I did spend what I considered to be a reasonable amount of time searching for answers. In the end, I discovered that Twilio was very upfront with their answers, Verizon less precise but good enough, and I’m still searching for an answer from CenturyLink.
I did the same with STIR/SHAKEN and came up with the same results. Twilio and Verizon were out there with their support, and I’m still looking for something from CenturyLink.
This is not to say that CenturyLink is a bad choice for SIP trunks. Perhaps they do everything I want and more. It simply means that it shouldn’t be hard to find answers to what I consider to be essential security questions.
Mischief Managed
I wasn’t kidding when I threw out my SIP challenge. I want businesses to tell me what their security concerns are, and I want providers to respond with how they are being addressed. Like closing costs on a new home, it’s difficult to find the right fit if you aren’t sure what you are buying or why you need to buy it.
“We all do better when we all do better,” according to the late Minnesota Senator Paul Wellstone. Although he was speaking about the common good, it applies just as well to SIP security. Knowing more leads to better decisions, which leads to better results. And isn’t that where we all want to wind up?