Remember the days when denial of service referred to “no shoes, no service,” a virus was a nasty cold, and security meant you locked your doors at night? Sadly, those days are long gone and unless we are prepared to give up Internet technologies and return to the dark days of CompuServe and analog telephones, securing data and protecting privacy will continue to be challenges in our work and personal lives. This is especially true now that our telephone conversations are traveling on the same wires (or, in the case of wireless, radio waves) as our online banking and Internet purchases. The bad guys are out there and you need to take steps to protect yourself from prying eyes and ears.
When you think about security in terms of SIP and VoIP you need to consider four different areas. First, you want to protect the SIP signaling. Second, you need to protect the media stream. Third, you need to ensure that people are who they say they are. Lastly, you need to create a secure network edge that prevents the bad guys from coming into your business and compromising your VoIP network.
Let’s begin with protecting SIP signaling. SIP consists of two types of messages. The first is called the SIP Request or SIP Method. For instance, this could be the INVITE request that begins a SIP conversation, the BYE request that ends it, or the REFER request that moves an existing conversation from one party to another. In all there are 13 SIP requests. The second message type is the SIP Response. This might be the “180 Ringing” response that’s generated when a telephone begins to ring or the “200 OK” response that’s sent when that ringing phone is answered.
To protect SIP signaling you need to encrypt it in the same way that you encrypt your Internet traffic when you purchase something online. In the case of Internet messages that’s done with HTTPS, or Hypertext Transfer Protocol Secure. With SIP it’s called Transport Layer Security, or TLS. TLS encrypts all of your SIP Requests and SIP Responses so they cannot be understood by anyone except the sender and receiver of the messages.
In the SIP world, media is sent using something called the Real-time Transport Protocol, or RTP. RTP is an encapsulation protocol for the data bits that make up the voice conversation. The media might be encoded with G.711, G.729, or G.722. It’s RTP’s job to get the data to where it needs to go without any concern as to what that data might be. As with SIP messages, to protect RTP you encrypt it. This is known as the Secure Real-time Transport Protocol, or SRTP. SRTP ensures that if someone captures a LAN or WAN trace of your voice conversation it cannot be played back. Only the sender and receiver of the RTP stream can decipher and listen to a conversation.
It is important to ensure that SIP messages have not been spoofed. Just because I say that I am Andrew Prokop in a SIP message doesn’t guarantee that I am Andrew until I can prove it. Built into SIP is the ability to challenge messages. A challenge forces the sender to return a digest (hash) of his or her credentials. A subscriber database such as Active Directory is then queried to verify the validity of those credentials. This prevents a rogue SIP client from pretending to be an authorized user on your network in order to gain access to your communications resources.
For a deep dive into SIP challenges, please see my blog, Proving it with SIP Authentication.
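The challenge and response described above, worked through in code as an added example (this is not code from the original post; it follows the digest scheme SIP inherits from RFC 3261 and RFC 2617). The function names, the example.com realm, and the alice credentials are assumptions constructed for the demonstration:

```python
import hashlib
import re
import secrets

def md5hex(s: str) -> str:
    """SIP digest authentication uses MD5 over colon-joined fields."""
    return hashlib.md5(s.encode()).hexdigest()

def make_challenge(realm: str) -> dict:
    """Server side: parameters carried in the WWW-Authenticate header of a 401 Unauthorized."""
    return {"realm": realm, "nonce": secrets.token_hex(16), "qop": "auth", "algorithm": "MD5"}

def client_response(user: str, pwd: str, realm: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client side: the 'response' value. Only digests cross the wire, never the password."""
    ha1 = md5hex(f"{user}:{realm}:{pwd}")   # long-lived secret, bound to user and realm
    ha2 = md5hex(f"{method}:{uri}")         # binds the digest to this request
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_authorization(header: str) -> dict:
    """Split 'Digest k="v", k=v, ...' into a dict (quoted and unquoted values)."""
    body = header[len("Digest "):] if header.startswith("Digest ") else header
    return {k: q or u for k, q, u in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', body)}

def verify_authorization(header: str, method: str, ha1_store: dict, issued_nonces: set) -> bool:
    """Server side check. The subscriber database (assumed here to be a dict keyed by
    (user, realm)) stores HA1, not a cleartext password; the server recomputes the
    expected digest and compares in constant time."""
    a = parse_authorization(header)
    needed = ("username", "realm", "nonce", "uri", "nc", "cnonce", "qop", "response")
    if any(a.get(k) is None for k in needed):
        return False
    if a["nonce"] not in issued_nonces:      # a nonce we never issued: replay or forgery
        return False
    ha1 = ha1_store.get((a["username"], a["realm"]))
    if ha1 is None:                          # unknown subscriber
        return False
    ha2 = md5hex(f"{method}:{a['uri']}")     # the SIP method must match the request line
    expected = md5hex(f"{ha1}:{a['nonce']}:{a['nc']}:{a['cnonce']}:{a['qop']}:{ha2}")
    return secrets.compare_digest(expected, a["response"])
```

A production registrar also tracks the nonce count (nc) per nonce and expires nonces so that a captured Authorization header cannot be replayed later.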
Session Border Controllers
The Session Border Controller (SBC) is the least understood component of SIP security, but that really shouldn’t be the case. In its simplest terms an SBC is a firewall for Voice over IP traffic. It prevents unauthorized SIP traffic from entering your network while doing a deep packet inspection of the SIP messages and media to ensure that they don’t contain anything malicious.
So, why not just run SIP traffic through your data firewall? In theory you could, but you will probably regret that decision. SBCs are designed to deal with the bursty, small-packet nature of VoIP communications. Delay and jitter will destroy a VoIP conversation and SBCs are able to inspect and relay SIP messages and media at near wire speed. The SBC is the first line of defense for secure VoIP.
We take for granted the need for firewalls, virus checkers and secure browsers for our Internet data activity and it’s essential that we think along those same lines when it comes to VoIP communications. Thankfully, with the proper configuration, policies, and services we can assure ourselves that every time we pick up an IP phone, start a video conference, or send an instant message our identity has been protected and our conversation secured.