Addressing Threats to Enterprise Voice for Office Communications Server 2007 R2
Topic Last Modified: 2012-02-01
Enterprise Voice is the Office Communications Server software-based VoIP solution. Enterprise Voice uses VoIP for both internal calls and for connecting to traditional telephone networks. Because internal VoIP calls, like IM, are all encrypted, security concerns that are specific for VoIP focus on the transfer of calls to and from the unencrypted public switched telephone network (PSTN).
Enterprise Voice requires two devices to provide VoIP connectivity with the PSTN:
A media gateway that translates local phone-system signaling protocols to SIP over TLS (recommended) or TCP (optional) for transmission over IP networks.
An Office Communications Server role, the Mediation Server, that can translate SIP over TCP to SIP over TLS for internal routing, if necessary.
|Enterprise Voice supports three different types of media gateways: basic, basic/hybrid, and advanced media gateway. The advanced media gateway eliminates the need for a Mediation Server by incorporating its logic into the gateway proper, but such gateways are not yet available. For purposes of this discussion, it is assumed that your deployment requires a Mediation Server for PSTN connectivity. For details about the media gateways and the Mediation Server, see the Enterprise Voice Support in the Planning and Architecture documentation.|
If you choose to configure the link between a media gateway and the Mediation Server for TCP, that link becomes a potential security loophole because the signaling is unencrypted. Nevertheless, many currently available gateways do not support MTLS, so a TCP connection to the Mediation Server may be required until such time as you are able to upgrade your gateway. The recommended mitigation for this potential vulnerability is to deploy the Mediation Server in its own subnet by installing a two network interface cards, each with a separate IP address in a separate subnet with a separate port setting. One card serves as the Mediation Server’s internal edge, listening for TLS traffic from internal servers. The second card acts as the Mediation Server’s external edge, listening for TCP traffic from the media gateway. Using two dedicated listening addresses ensures the clear separation between trusted traffic originating in the Office Communications Server network and untrusted traffic from the PSTN.
This section includes the following topics: