SIP has stolen the show among VoIP protocols because of its scalability, versatility and affordability for virtual phone numbers. However, as with any other protocol (or anything over the internet, for that matter), security is always a concern. The story of Heartbleed lends credence to the importance of internet security at large, though note that it didn’t affect SIP. Stories like Heartbleed are always cause for concern about security, but the real question is: how can you make SIP safer?
The short answer is layers. Lots of Layers. That’s how.
Ask any certified ethical hacker or penetration tester, if you’re lucky enough to know one (they’re usually interesting characters), and they’ll tell you that multiple, overlapping layers are the best way to protect against threats. To protect one end of a device and not the other is useless; likewise, to protect from man-in-the-middle threats but not from spoofing is asinine.
The best place to begin is a Session Border Controller (SBC). The SBC plays the role of a SIP firewall and also sets up and tears down the call (along with a few other features). SBCs are sometimes required by providers, but even if not, they’re worth considering. Border Elements are SBCs with a little more power. They also integrate hardware, usually run end to end on an all-IP network, and allow for SIP mediation. Both can be pricey for smaller companies, but they’re worthwhile. In addition to SIP, they also help protect the IP-PBX.
IPsec is a very comprehensive, end-to-end VPN security measure. One of its benefits is flexibility, as it can be used host to host, network to network, or network to host. Moreover, IPsec protects the individual IP packets at the application level, and works with SSL/TLS. SSL and TLS without IPsec, however, must be provisioned differently at the application level.
Denial of Service (DoS) attacks remain one of the greatest threats, as a simple one is among the easiest attacks for hackers to create, though it’s usually countered by relatively basic security. If unprotected, a phone system can be completely incapacitated by a DoS attack. This can be combated with filters and a proper routing architecture, and an SBC’s firewall functions will also be very helpful against these attacks.
Spoofing is when a request is sent via SIP ports, usually appearing as a legitimate initiation request. If it gains access, it can capture data, listen in, or even make calls from your number. This is typically countered by both IPsec and SBCs; however, your switch and/or router configuration has a lot to do with this as well.
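To make the "filters" idea from the DoS and spoofing paragraphs concrete, here is an added example (not from the original article or any vendor's product) of a layered check on inbound SIP requests: request-line syntax, a trusted-peer rule for INVITE, and a per-source sliding-window rate cap. The peer address, thresholds, class and function names are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque

# Policy values below are constructed for illustration, not taken from the article.
TRUSTED_PEERS = {"203.0.113.10"}  # hypothetical address of the SIP trunk provider
MAX_REQUESTS = 5                  # requests allowed per source within one window
WINDOW_MS = 1000                  # sliding-window length in milliseconds

# Inbound SIP request line, e.g. "INVITE sip:100@pbx.example.com SIP/2.0"
REQUEST_LINE = re.compile(r"^([A-Z]+) sips?:\S+ SIP/2\.0$")


class SipRequestFilter:
    """Layered check for inbound SIP requests: syntax, source policy, rate."""

    def __init__(self):
        self.history = defaultdict(deque)  # source IP -> accepted timestamps (ms)

    def check(self, src_ip, now_ms, message):
        match = REQUEST_LINE.match(message.split("\r\n", 1)[0])
        if not match:
            return "drop-malformed"
        # Spoofing layer: call setup (INVITE) is only accepted from known peers.
        if match.group(1) == "INVITE" and src_ip not in TRUSTED_PEERS:
            return "drop-untrusted"
        # DoS layer: forget requests older than the window, then apply the cap.
        seen = self.history[src_ip]
        while seen and now_ms - seen[0] >= WINDOW_MS:
            seen.popleft()
        if len(seen) >= MAX_REQUESTS:
            return "drop-rate"
        seen.append(now_ms)
        return "accept"


def sip(method):
    """Build a minimal constructed SIP request for the sample run."""
    return f"{method} sip:100@pbx.example.com SIP/2.0\r\nCSeq: 1 {method}\r\n\r\n"


def run_sample():
    """Feed constructed traffic through the filter and return the verdicts."""
    flt = SipRequestFilter()
    traffic = [("203.0.113.10", 0, sip("INVITE")), ("198.51.100.7", 100, sip("INVITE"))]
    traffic += [("198.51.100.7", t, sip("REGISTER")) for t in range(200, 900, 100)]
    traffic += [("198.51.100.7", 1350, sip("REGISTER")), ("192.0.2.5", 1400, "GARBAGE\r\n")]
    return [flt.check(src, t, msg) for src, t, msg in traffic]


if __name__ == "__main__":
    print(run_sample())
```

A source-address rule like this is only one layer: over UDP the source address itself can be forged, which is why it belongs alongside the IPsec and SBC measures rather than in place of them.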
The general rule to remember is that SIP uses IP packets – and thus, SIP packets should be treated and protected just like any other IP packets.
With all of the above, it looks like moving to SIP is one giant security risk. Without downplaying the potential for security infractions, it really isn’t, provided one doesn’t completely ignore the fundamentals of VoIP/SIP.
Most experts would argue that:
SIP is actually safer than PSTN or analog services
Benefits far outweigh the added measures.
Considering the call quality of VoIP is higher, the features richer, and it’s generally more economical than other measures, comparing SIP to analog isn’t apples to apples. The benefits of international numbers, call forwarding and mobility, and the simplicity of hosted PBX functions are the reasons for the rapidly increasing popularity. Most business owners realize this, and while security takes some consideration, it’s still an amazing product.