VoIP communications are completely safe if implemented correctly. As with any other technology, there are best practices that must be followed to achieve the best possible results.
You must address security concerns while developing or selecting your UC solution. While many vendors delegate security to separate entities, such as VPNs, this approach is neither necessary nor recommended as a substitute for proper security policies.
The system must protect itself from attacks that attempt to guess username and password combinations. This can be achieved by blocking repeated failed attempts: the IP address generating the attack must be added to a ban list for an ever-increasing period of time.
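A minimal version of that escalating ban list, as an added example that is not code from the original article: it replays a constructed SIP REGISTER log (the log format, addresses and thresholds are assumptions), bans an address after three consecutive failures, doubles the duration on every repeat ban up to a cap, and ignores attempts made while a ban is active so they cannot reset the counter.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed SIP REGISTER log; format and addresses are assumptions, not any PBX's output.
SAMPLE_LOG = """\
2024-05-01 10:00:01 REGISTER failed user=1001 ip=203.0.113.7
2024-05-01 10:00:02 REGISTER failed user=1002 ip=203.0.113.7
2024-05-01 10:00:03 REGISTER failed user=1003 ip=203.0.113.7
2024-05-01 10:00:10 REGISTER ok user=2001 ip=198.51.100.5
2024-05-01 10:00:11 REGISTER failed user=2001 ip=198.51.100.5
2024-05-01 10:00:30 REGISTER failed user=1004 ip=203.0.113.7
2024-05-01 10:02:01 REGISTER failed user=1005 ip=203.0.113.7
2024-05-01 10:02:02 REGISTER failed user=1006 ip=203.0.113.7
2024-05-01 10:02:03 REGISTER failed user=1007 ip=203.0.113.7
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) REGISTER (?P<result>ok|failed) user=\S+ ip=(?P<ip>\S+)$")

class BanList:
    """Ban after max_failures consecutive failures; each repeat ban doubles the duration up to max_ban."""
    def __init__(self, max_failures=3, base_ban=60, max_ban=86400):
        self.max_failures, self.base_ban, self.max_ban = max_failures, base_ban, max_ban
        self.failures = defaultdict(int)   # ip -> consecutive failures
        self.ban_count = defaultdict(int)  # ip -> bans applied so far
        self.banned_until = {}             # ip -> epoch second the ban expires
    def record(self, ip, success, now):
        """Account for one attempt at epoch second `now`; return the ban length if a ban was (re)applied, else 0."""
        if self.banned_until.get(ip, 0) > now:  # still banned: drop the attempt, keep state
            return 0
        if success:                             # a valid login resets the counter
            self.failures[ip] = 0
            return 0
        self.failures[ip] += 1
        if self.failures[ip] < self.max_failures:
            return 0
        self.failures[ip] = 0
        self.ban_count[ip] += 1                 # escalation: 60s, 120s, 240s, ... capped
        duration = min(self.base_ban * 2 ** (self.ban_count[ip] - 1), self.max_ban)
        self.banned_until[ip] = now + duration
        return duration

def process_log(text, banlist):
    """Replay log lines through the ban list; return one (ip, seconds) tuple per ban applied."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        now = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()
        secs = banlist.record(m["ip"], m["result"] == "ok", now)
        if secs:
            events.append((m["ip"], secs))
    return events
```

Running `process_log(SAMPLE_LOG, BanList())` bans 203.0.113.7 for 60 s at 10:00:03, ignores its attempt at 10:00:30, and bans it again for 120 s at 10:02:03, while 198.51.100.5 is never banned.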
Let’s explore how two-factor authentication and single sign-on mechanisms are used to improve security.
Two-factor authentication introduces an additional security layer to protect accounts whose password has been compromised (for example, stolen). After the usual login and password check, the system always asks for a security code.
The security code is either generated in real time by the authentication system and sent over SMS or email, or produced by an application such as Google Authenticator or Microsoft Authenticator.
Besides signaling, when designing and deploying a Unified Communications system we may also want to encrypt the media transferred between devices.
There are three popular RTP encryption modes:
- SRTP MIKEY / SDES (requires TLS encryption of signaling)
- SRTP DTLS
The Secure Real-Time Transport Protocol (or SRTP) defines a profile of RTP (Real-Time Transport Protocol) intended to provide encryption, message authentication and integrity, and replay protection to the RTP data in both unicast and multicast applications. It was first published by the IETF in March 2004 as RFC 3711.
Devices connected to the UC system, such as SIP user terminals (VoIP phones and FXS Media Gateways) and SIP trunk media gateways, must also be secured using the best available policies.
Many currently available UC systems still do not implement proper policies or do not apply them by default. What security risks can this cause?
If TFTP is used for provisioning, simply knowing the MAC address of the device allows retrieval of its provisioning file, which contains the SIP credentials to connect to any device.
Any UC solution must use state-of-the-art cryptographic tools to make sure that information exchanged remains secret.
For TCP connections, the de facto standard is Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL). Both are frequently referred to collectively as “SSL”; they are cryptographic protocols that provide communications security over a computer network.
The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating computer applications. When secured by TLS, connections between a SIP, XMPP, or HTTP client (for example, a web browser) and a server (for example, wikipedia.org) have one or more of the following properties: