Comprehensive, End-to-End SIP Security

I was out east last week (I grew up in Arizona and we call everything on the right side of the map “out east”) where I worked with a large university and hospital on their move to SIP. They aren’t starting from scratch and have implemented some SIP, but for the most part they are still predominantly TDM throughout their campuses and medical facilities.  They needed schooling on SIP trunks, users, SBCs…the works.

Security is a concern for every institution, but it’s especially important in research and medical facilities. Preserving the integrity of their communications systems is extremely important, but so is providing access to those who need to use it.  At the same time, keeping out prying, unauthorized eyes is absolutely crucial. So, not only did I meet with the traditional telecom people, but I spoke with the folks whose jobs revolve around keeping everything safe.

A few years ago, I read a research brief from the Aberdeen Group that detailed their work with 299 companies on securing unified communications. I learned a lot from the study, but one thing clearly stood out to me.

The time spent with security solutions on the front-end led to the ability to launch greater functionality with fewer debates, challenges, and workarounds as Unified Communications were launched throughout the enterprise to all employees, including remote employees and brand offices.

In other words, if you build security into your environment from the very start, it becomes easy to roll out new applications. If IT trusts the strength of the platform, they don’t fear every new request for additional functionality.

This means that security must be provided from the inside out. You start with the core of the communications system and work your way towards the edges. In this way, you strengthen every access point to ensure that there are no weak spots.

At the core are your physical servers, gateways, and networking devices. It goes without saying that they must be physically secured and if possible, logically isolated from the rest of your network. A hacker or malicious individual can do a great deal of damage by gaining access to an unprotected network port or console connection. Keep your core communications equipment behind locked doors and limit the number of people who can change it.

SIP supports a number of built-in security checks and it’s important that you choose a vendor that implements them.  For example, every SIP message should be authenticated.  This means that before your SIP server blindly accepts that Andrew Prokop is trying to send an INVITE message, make him prove that he is who he says he is.

I dig into this subject in Proving it With SIP Authentication.

Protect the data that runs on your network. Encrypt SIP signaling with TLS and media with SRTP. I teach a SIP class where I show how easy it is to use Wireshark to capture and play media streams. You don’t want the wrong people listening to your company’s phone calls or voice mails, do you?

There are times when encryption is not possible. For instance, no SIP carrier supports TLS or SRTP. You must decrypt on the egress and encrypt on the ingress. However, since this data travels to and from the carrier on an already secure MPLS connection, the risk of a security breach is extremely small.

Typically, carrier-facing encryption and decryption are done by an SBC. This makes it essential that the network between the SBC and MPLS edge router is inaccessible to attack or tampering.

Don’t Let SIP Endpoints be Your Achilles Heel

Encryption needs to extend to the endpoints, as well. This is especially true for endpoints that access your communications system over the Internet. Whether it’s a physical device such as a SIP phone, or a soft client that runs on a PC or mobile device, make sure it supports TLS and SRTP. Also, make sure that your network policies are such that they do not allow unencrypted communications.

The next thing you need to examine are your password and access policies. Don’t let the weak link in your security chain be an easily guessed four-digit password.  I am constantly finding companies that allow a user’s telephone extension to be his or her password. I’ve also seen just as many “1234” passwords out there. This has to stop for clients both inside and outside your network.

When my company moved to SIP, we immediately forced every user to adopt eight digit passwords. We also instituted a policy that prohibited easily guessed passwords. Next, we deployed software that aged passwords after so many days and didn’t allow the same passwords to be reused. In essence, we created communications password polices that mimicked what we were already doing with our domain passwords.

We also enabled rules on our SBC that detected malicious activity and stopped it from occurring. Specifically, our SBC will disable an extension after a set number of failed login attempts. An alarm is raised and we require an administrator to re-enable that extension. This prevents people from hacking into our system by either manually or programmatically guessing at a password until they eventually get in.

One more edge protection technique that can be applied is two-factor authentication. Two-factor authentication forces you to “register” devices against specific resources. Perhaps you’ve already encountered this through online banking. Every time you access your bank’s website from a new device, you are required to answer your pre-defined security questions (“What is the name of your first pet?”)

The Avaya SBC supports two-factor authentication by only allowing SIP access from authorized devices. So, even though you know Andrew Prokop’s user ID and password, you need to be on Andrew’s iPhone or iPad to log in. Add this to strong passwords and password hacking detection and you’ve got an extremely secure network edge that is very difficult to compromise.

If You Build It

I would like to end with a little more from the Aberdeen study. This paragraph sums up how building security into all aspects of unified communications fosters a more robust adoption rate.  Rolling out UC on an already secure platform significantly increases its ability to succeed within the workplace.

Although security and freedom are often seen as counterbalancing tradeoffs, Aberdeen research suggests that the opposite is true for Unified Communications and that security can actually lead to more opportunities for end-users. As an example, organizations were asked about their use of instant messaging, mobile wikis, and micro-blogging within their workplace. 70% of organization with a security solution used these short messaging capabilities on a regular basis, which nearly tripled the adoption by all other organizations.

Enough said.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: