SIP Trunking Drilldown: Security Considerations
Topic Last Modified: 2009-07-14
Office Communications Server employs Transport Layer Security (TLS) to secure server/server and client/server SIP signaling and secure real-time protocol (SRTP) to secure media flow. The Mediation Server role has always supported TLS and SRTP on the Office Communications Server facing non-gateway side. With the release of Office Communicator Server 2007 R2, the Mediation Server role now supports TLS and SRTP on the gateway side. However, TLS/SRTP is not supported by all service providers nor is it required in all SIP trunk topologies. This section describes when it is necessary to enable TLS and SRTP on the gateway side of the Mediation Server to ensure a secure deployment.
There is only one key condition that requires TLS and SRTP to be enabled. Namely, there is some point in the network path between the Mediation Server and the service provider SIP trunk that is accessible to more than a limited set of non-IT personnel.
Private Connection. The connection to the service provider is dedicated and only used to carry SIP trunk packets. Because only authorized IT engineers at the company and the service provider are able to observe this traffic, TLS/SRTP is not required. However, if the service provider supports it, you may still implement TLS/SRTP for an added layer of protection. Be sure that the subnet linking the Mediation Server to the private connection is also private.
VPN Connection. Although the network between the Mediation Server and the service provider is likely shared by a number of applications, the virtual private network (VPN) connection effectively creates a dedicated pipe used only to carry SIP trunk packets. The key difference from the physical connection topology is that network isolation is being provided by the encryption capabilities of the VPN rather than physical separation. At minimum, the VPN should encrypt all traffic at a level comparable or better than 128-bit Advanced Encryption Standard (AES). Assuming this is the case, the only people who could observe this SIP trunking traffic would be authorized IT engineers of the company and the service provider, so TLS/SRTP is not required. However, if the service provider supports it, you may still implement TLS/SRTP for an added layer of protection. If you use a VPN appliance, ensure that the subnet linking the Mediation Server to the VPN appliance is also private. Note that if the tunneling mechanism carries User Datagram Protocol (UDP) packets over a TCP transport, this may impact the latency characteristics of the call, given that TCP is a reliable transport while UDP is not.
Public Connection. With a public connection, clearly no dedicated connection exists. Quite the contrary, it should be assumed that a large number of people will be able to inspect all SIP trunk-related packets. Enabling TLS and SRTP is strongly advised to ensure a secure deployment.