Problem solve Get help with specific problems with your technologies, process and projects.

Don't forget to secure the signaling

Valuable information can be transported in the signaling protocol, so make sure you encrypt it as well as the media stream.

Most of the concerns network engineers intuitively have about VoIP security are related to high-tech eavesdropping via packet sniffing, or to denial of service attacks or new IP-based versions of good old-fashioned toll fraud. The last two are generally a matter of keeping your systems patched and sensibly configured, but the obvious solution to the eavesdropping is encrypting the media streams.

Many vendors now support the SRTP protocol which uses AES to encrypt your conversations, but it's important to realize that SRTP only encrypts the payload of the media stream. It's not an encapsulating protocol that covers your headers too. It also, obviously, does not encrypt your signaling.

Understanding this is even more important, because you should realize that there is still important user information in your signaling. In the legacy voice world, when you push buttons on the phone -- for instance, to enter the PIN number to access your voice-mail or your bank account, or your automated order taker for your stock brokerage account -- you simply are generating a tone which is carried across the same line your spoken words use. But when this gets converted to VoIP, some of the dialed digits are carried in the signaling protocol, and not in the RTP stream.

So, if you were thinking about authenticating signaling traffic, go ahead and put some thought into encrypting the signaling as well.

The details of this can be vendor-specific, since many vendors implement proprietary signaling protocols, or at least proprietary extensions to standardized protocols. So in the absence of a standard signaling protocol that provides privacy and non-repudiation, odds are good that you'll see some implementation of IPsec, but keep in mind that if you've got a multi-vendor solution, encrypting your signaling may be especially challenging.

Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.

This was last published in June 2005

Dig Deeper on Telecommunication networking

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.