Protecting devices connected to the UC system

Devices connected to the UC system, such as SIP user terminals (VoIP phones and FXS Media Gateways) and SIP trunk media gateways, must also be secured using the best available policies.

Many currently available UC systems still do not implement proper policies or do not apply them by default. What security risks can this cause?

If TFTP is used for provisioning, anyone who knows the MAC address of a device can simply download its provisioning file, which contains the SIP credentials that the device uses to connect.

Inspecting signaling over TLS/SSL

Any UC solution must use state-of-the-art cryptographic tools to make sure that information exchanged remains secret.

For TCP connections, the de facto standard is Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL). Both are frequently referred to collectively as “SSL”; they are cryptographic protocols that provide communications security over a computer network.

The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating computer applications. When secured by TLS, connections between a SIP, XMPP, or HTTP client (for example, a web browser) and a server (for example, wikipedia.org) have one or more of the following properties:

What is SCRAM Authentication Type?

In the previous blog article (Basic and Digest Authentication Types) we started reviewing authentication types. This time we will focus on SCRAM, which is a family of HTTP authentication mechanisms.

XMPP supports plaintext and digest password exchanges, as well as SCRAM (Salted Challenge Response Authentication Mechanism). SCRAM has advantages over Digest, since it allows the server to store password hashes in an irreversible format.

This protects the user and password database against offline attacks. The client can also save a hash-only version of the password, making it more difficult for an attacker who gains access to the PC where the password is stored to recover it in plaintext.

Furthermore, SCRAM protects against man-in-the-middle attacks when certificates are used: the server proves to the client not only that its certificate is signed by a CA (Certification Authority), but also that it knows the password.

Basic and Digest Authentication Types

Authentication is the process by which the system distinguishes legitimate, logged-in users from unauthorized ones. The effectiveness of this process is determined by the authentication protocols and mechanisms in use. In this article we start reviewing the authentication types used to verify the identities of users, and decide whether they are really secure or not.

Basic HTTP

The first version of SIP used Basic HTTP authentication. This scheme is fairly easy to defeat with man-in-the-middle attacks, and it has been deprecated for some time now.

In Basic HTTP authentication, the password travels base64-encoded rather than encrypted, so an attacker who captures a single packet containing it can simply decode it and reuse the credentials.

Not secure, indeed.

Introducing Unified Communications Security

Security is a serious topic and, unfortunately, it is either overlooked, exposing organizations to risks, or incorrectly addressed through cumbersome solutions. In this series of blog articles I will try to shed light on what you should pay attention to, in terms of security, when choosing a UC solution.

Notwithstanding all the advantages of a UC solution, there is one important prejudice against its adoption: security concerns.

There is a widespread belief that VoIP solutions based on SIP are not secure, and that their usage must be blocked, or at least limited to local networks (possibly extended with VPNs).

Nothing could be further from reality. Well-developed and deployed VoIP solutions that are based on SIP and XMPP are actually more secure than traditional communications.

How did the prejudice start and spread?