In a recent article, I discussed how protecting a VoIP network from attack and interception requires a multi-layered security strategy ("Take a multi-layered approach to VoIP security"). One important element of such a strategy is protecting the protocols that provide call signaling.
The Session Initiation Protocol (SIP) has gained ground as a popular call-signaling protocol for a number of reasons, including its relative simplicity and lightweight design when compared to the traditional alternative, H.323. Therefore, implementing SIP in a secure fashion is an important consideration for organizations that choose a SIP-based VoIP deployment.
However, developers didn't design SIP with security in mind, so adding SIP devices to your IP network can introduce additional security issues. Let's look at how you can make SIP traffic more secure.
Know the risks
Without some type of security mechanism, SIP is vulnerable to eavesdropping and interception (i.e., hijacking) of call-signaling information and the conversation itself, man-in-the-middle attacks, call tampering, replay attacks, and denial-of-service (DoS) attacks.
Here are some of the security risks posed by these attacks:
- Attackers can gain access to the VoIP network and use it to make unauthorized calls.
- Attackers can hear the content of private conversations made on the VoIP network and extract information that they can use for identity theft and other fraudulent purposes.
- Attackers can manipulate the voice messages and change the content to impersonate the original caller to fool the called party.
- Attackers can bring down the IP phone or the entire VoIP network.
Fortunately, mechanisms are available for protecting SIP networks from these threats.
Protect SIP networks with TLS
Normally, SIP packets travel in plain text over TCP or UDP connections, which makes them easy for hackers to manipulate and attack. Defined by RFC 3261, Secure SIP (SIPS) is a security measure that uses Transport Layer Security (TLS), which is the new and improved version of Secure Sockets Layer (SSL).
Netscape originally developed SSL for securing Web-based transactions. TLS provides an encrypted channel that you can use to send SIP messages. To use SIPS, however, VoIP devices must support it.
SIPS requires the authentication of the SIP user agents and proxies using Message Digest (MD5) authentication. The RFC also defines a SIP Uniform Resource Identifier (URI), which provides for a secure connection from one endpoint to another.
Based on public key cryptography, TLS encryption relies on digital certificates. Here's how it works:
- The SIP client connects to the SIP proxy.
- The SIP client requests a TLS session from the proxy.
- The proxy replies with a valid public certificate.
- The client validates the certificate.
- The client and proxy exchange session keys.
- The session keys encrypt and decrypt data for the session.
SIPS requires end-to-end (i.e., phone-to-phone) TLS protection. It's also possible to use TLS on a hop-by-hop basis. In addition, you can configure SIPS-capable devices to only accept calls encrypted by TLS.
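The "only accept calls encrypted by TLS" policy can be sketched as a check on an incoming request. This is an added example, not code from the article or from any SIP product; the sample messages are constructed and the function names are hypothetical. It assumes the Via headers truthfully record the transport of each hop, and it does not handle folded header lines.

```python
# Added example: constructed messages; accept_call is a hypothetical policy check.
import re

VIA_RE = re.compile(r"SIP\s*/\s*2\.0\s*/\s*(\w+)", re.I)

def parse_request(raw):
    """Return (request_uri, [transport named by each Via hop, top first])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    _method, request_uri, _version = lines[0].split(" ", 2)
    transports = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):   # "v" is the compact form
            for hop in value.split(","):           # one header may carry several hops
                m = VIA_RE.match(hop.strip())
                transports.append(m.group(1).upper() if m else "UNKNOWN")
    return request_uri, transports

def accept_call(raw):
    """Accept only a sips: target whose every recorded hop used TLS."""
    uri, transports = parse_request(raw)
    if not uri.lower().startswith("sips:"):
        return False, "Request-URI is not sips:"
    if not transports:
        return False, "no Via header"
    bad = [t for t in transports if t != "TLS"]
    if bad:
        return False, "non-TLS hop in Via: " + ",".join(bad)
    return True, "TLS on all %d hop(s)" % len(transports)

def build(uri, hops):
    """Constructed sample request; hosts are documentation names."""
    vias = ["Via: SIP/2.0/%s %s;branch=z9hG4bK-sample" % h for h in hops]
    return "\r\n".join(["INVITE %s SIP/2.0" % uri] + vias + ["Content-Length: 0", "", ""])

SECURE = build("sips:bob@example.com",
               [("TLS", "proxy.example.com:5061"), ("TLS", "phone.example.net:5061")])
MIXED = build("sips:bob@example.com",
              [("TLS", "proxy.example.com:5061"), ("UDP", "phone.example.net:5060")])
PLAIN = build("sip:bob@example.com", [("UDP", "phone.example.net:5060")])

if __name__ == "__main__":
    for name, msg in (("SECURE", SECURE), ("MIXED", MIXED), ("PLAIN", PLAIN)):
        print(name, accept_call(msg))
```

The MIXED case is the hop-by-hop situation: the last hop arrived over TLS, but an earlier hop was plain UDP, so the call was not protected along its whole path.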
Is your firewall SIP-aware?
Firewalls are essential to the security strategy of any organization that connects to the Internet—or to any other network that isn't completely trustworthy. However, like some other VoIP protocols, SIP sometimes has problems traversing firewalls and Network Address Translation (NAT) devices.
Organizations often configure firewalls to accept incoming traffic only if an internal computer has initiated the connection. The problem is that SIP uses two separate connections—on different ports—to make a VoIP phone call. One carries the call-signaling information, and the other carries the actual voice payload (i.e., the media).
If you make a call outside the local area network, the initial message goes out through the port that handles call signaling. This is an "invite" message to the IP phone you're calling.
When the called party answers the phone, the phone replies with an acknowledgement. This also comes back through the port that's handling call signaling. Because you initiated the connection, it gets through the firewall. However, your firewall may block incoming media because it comes in over a different port, and it could even block incoming calls.
A device called a session controller can overcome this problem to make SIP work through firewalls and NAT devices. It's a device on the public network that hosts a public IP address for your VoIP client, registered with a public server. To learn more about how session controllers work, read this Newport Networks white paper.
However, to protect your VoIP network, you still need a firewall that's SIP-aware. SIP data can be difficult for a regular firewall to examine. SIP networks use the Real-time Transport Protocol (RTP) and the Real-time Transport Control Protocol (RTCP) to deliver the media (i.e., the voice message itself) from one IP phone to another.
So a SIP-aware firewall needs to be able to discover the RTP/RTCP port information that SIP dynamically assigns to the media stream. That means the firewall must parse the SIP exchanges in order to discover which packets contain the media. The port information can be present in many different SIP packets. A SIP-aware firewall must be able to understand the SIP exchanges and extract the relevant information.
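The parsing step described above, as an added example that is not part of the original article or any firewall's code: it reads the SDP body carried in a SIP message and returns the address and RTP/RTCP ports a firewall would need to open. The sample 200 OK is constructed, the function name and tuple format are hypothetical, and the same function applies to any SIP message that carries SDP.

```python
# Added example: constructed 200 OK; the (ip, rtp, rtcp) tuple format is hypothetical.
def media_pinholes(sip_message):
    """Return [(ip, rtp_port, rtcp_port)] for each accepted RTP stream in the SDP body."""
    head, _, body = sip_message.partition("\r\n\r\n")
    if "application/sdp" not in head.lower():
        return []                                   # no SDP body, nothing to open
    session_ip, current, streams = None, None, []
    for line in body.splitlines():
        kind, _, value = line.partition("=")
        fields = value.split()
        if kind == "c" and len(fields) == 3:        # c=IN IP4 192.0.2.20
            if current is None:
                session_ip = fields[2]              # session-level default
            else:
                current["ip"] = fields[2]           # per-media override
        elif kind == "m" and len(fields) >= 3:      # m=audio 49170 RTP/AVP 0
            port = int(fields[1].split("/")[0])
            current = {"ip": session_ip, "rtp": port, "rtcp": None}
            if fields[2].startswith("RTP/") and port != 0:   # port 0 = stream declined
                streams.append(current)
        elif kind == "a" and current and value.startswith("rtcp:"):
            current["rtcp"] = int(value[5:].split()[0])      # explicit port, RFC 3605
    # Without a=rtcp, RTCP conventionally uses the next port above RTP.
    return [(s["ip"], s["rtp"], s["rtcp"] or s["rtp"] + 1) for s in streams]

SAMPLE_200_OK = "\r\n".join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/TLS proxy.example.com:5061;branch=z9hG4bK-sample",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=bob 1 1 IN IP4 192.0.2.20",
    "s=-",
    "c=IN IP4 192.0.2.20",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
    "m=video 51372 RTP/AVP 31",
    "c=IN IP4 192.0.2.21",
    "a=rtcp:53020",
    "m=audio 0 RTP/AVP 8",
    "",
])

if __name__ == "__main__":
    for pinhole in media_pinholes(SAMPLE_200_OK):
        print(pinhole)
```

A firewall can only do this on signaling it can read; when the signaling travels inside TLS, the inspecting device has to be one of the TLS hops.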
Security was not an initial concern in the design of the major VoIP protocols, including SIP. This is similar to the state of early computer operating systems—it was necessary for those deploying them to add security mechanisms because they weren't built-in.
Organizations deploying VoIP must likewise take measures to secure the VoIP protocols. Some of the ways that you can make a SIP network more secure include using Secure SIP with TLS to encrypt the channel over which VoIP messages travel and using session controllers and SIP-aware firewalls.
Deb Shinder is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. She currently specializes in security issues and Microsoft products, and she has received Microsoft's Most Valuable Professional (MVP) status in Windows Server Security.