How to Build a Secure SIP Network

For the most part, I love my job as a communications architect.  I love sifting through Wireshark traces trying to find needles in SIP haystacks.  I get excited learning about new IP communications products.  My heart practically skips a beat when I read about another SIP service climbing out of its physical shell and going virtual.

However, the best part of my job is when I get to walk away from my PC, phones, and LAN analyzers to meet with the users of unified communications technology.   It doesn’t matter if it’s a regional user’s group or a series of one-on-one meetings with IT professionals.  I love solving problems and helping people understand the technology that’s near and dear to my heart.

The cream of the crop comes once a year in the form of the International Avaya Users Group’s “Converge.”  I have been speaking at IAUG conferences for many years now and look forward to each one like a Minnesotan waits for summer.  This year, Converge2014 will be held in Dallas, Texas during the last week of April and I’ve already received the green light to present three different topics.  Today I would like to spend a little time writing about one of those topics, “Building a Secure SIP Network.”

Building a Secure SIP Network

When you think about security in terms of SIP and VoIP, you need to consider four different areas.  First, you want to protect the SIP signaling.  Second, you need to protect the media stream.  Third, you need to ensure that people are who they say there are.  Lastly, you need to create a secure network edge that prevents the bad guys from sneaking into your business and compromising your VoIP network.

Let’s begin with protecting SIP signaling.  SIP is comprised of two types of messages.  The first is called the SIP Request or SIP Method.  This could be the INVITE that begins a SIP conversation, the BYE that ends it, or the REFER that moves an existing conversation from one party to another.  In all there are 13 SIP requests.

The second message type is the SIP Response.  This might be the “180 Ringing” response that’s generated when a telephone begins to ring or the “200 OK” response that’s sent when that ringing phone is answered.

To protect SIP signaling you need to encrypt it.  This is no different than encrypting your web traffic when you purchase something online.  In the case of web messages, that’s done with HTTPS or Secure Hypertext Transfer Protocol.  With SIP it’s called Transport Layer Security or TLS.  TLS encodes your SIP Requests and SIP Responses so they cannot be understood by anyone other than the sender or recipient of the messages.

In the SIP world, media is sent using something called Real-Time Protocol or RTP.  RTP is an encapsulation protocol for the data bits that make up the voice conversation.  The media might be G.711, G.729, or G.722.  It’s RTP’s job to get the data to where it needs to go without any concern as to what that data might be.  To protect RTP you must encrypt it.  This is known as Secure Real-Time Protocol or SRTP.  SRTP ensures that if someone captures a LAN or WAN trace of your voice conversation, it cannot be played back.  Only the sender and receiver of the RTP stream can decipher and listen to a conversation.

It is important to ensure that SIP messages have not been spoofed.  Just because I say that I am Andrew Prokop in a SIP message doesn’t guarantee that I really am Andrew.  I need to prove it.  Built into SIP is the ability to challenge messages.  A challenge forces the sender to return his or her encrypted credentials.   A subscriber database such as Active Directory is then queried to verify the authenticity of those credentials.   This prevents a rogue SIP client from pretending to be an authorized user on your network in order to gain access to your communications resources.

For a deep dive into SIP challenges, please see my blog, Proving it with SIP Authentication.

Session Border Controllers

The Session Border Controller (SBC) is the least understood component of SIP Security, but that really shouldn’t be the case.  In its most simplistic sense, an SBC is a firewall for SIP.  It prevents unauthorized SIP traffic from entering your network.  It also performs a deep packet inspection of all SIP messages to ensure that they don’t contain anything malicious.

So, why not just run SIP traffic through your data firewall? In theory you could, but you will probably regret that decision.  SBCs are designed to deal with the bursty, small-packet nature of VoIP communications.   Delay and jitter will destroy a VoIP conversation and SBCs are able to inspect and relay SIP messages and media at near wire speed.  The SBC is the first line of defense for secure VoIP.

Please make sure that you read my blog articles, The SBC Placement Bible and Andrew’s Session Border Controller Checklist for more of my thoughts on session border controllers.

Please Come to Dallas

We take for granted the need for firewalls, virus checkers, and secure browsers for our web activity and it’s essential that we think along those same lines when it comes to VoIP communications.  Thankfully, with the proper configuration, policies, and services, we can assure ourselves that every time we pick up a SIP telephone, start a video conference, or send an instant message, our identity has been protected and our conversation had been secured.

converge2014

If you are attending Converge2014 (why wouldn’t you?) and would like to learn more about SIP security, make sure that you sign up for Session 501 with yours truly.  I promise to make it worth your while.

* * *

This article originally appeared on Andrew Prokop’s unified communications blog, SIP Adventures, and is reprinted with permission.

Related Articles:

Avaya at GITEX 2017: See What You Can Make with the Latest Technology

One thing you can be sure of about Avaya at GITEX 2017 Technology Week: We will stand out from the crowd. We’ve been attending this Dubai-based mega-event since 2005 and every year we design our show presence from scratch, to provide fresh and unique info to our customers and partners who invest time in visiting us. Avaya will be at Stand Z-C20 in Za’abeel Hall, Dubai World Trade Center, October 8-12.

Often, this approach means we take technology in completely unexpected directions. We show solutions that reflect conversations with our industry-leading customers and our understanding of the pain points they experience in their businesses. These become what we call “use cases.” We take our communications portfolio and design solutions that meet our customers’ most pressing needs and, therefore, reflect real market demand. For us, our customers and partners, the conversation has moved on from being just about technology, and on to what you want to make with it.

For instance, the telecommunications industry is going through massive transformation and operators are looking for alternative revenue streams. Some of the leading players in Europe are defining the way forward here, coming up with new and innovative ways to expand horizontally into new ventures. They’re starting with their contact center operations, where they have accumulated customer data—the most valuable asset of any organization—and are looking at how new technologies can enhance the customer experience and add revenue.

At GITEX this year, we are very proud that two of the leading operators in Europe will be with us to demonstrate how we are helping them leverage automation, analytics and artificial intelligence to transform their business models. Avaya’s thought leadership, expertise and unparalleled ecosystem is helping these operators integrate AI into their businesses and head to new dimensions.

For those of us in Dubai, we can’t help but be inspired by the vision of the Smart Dubai team to make the city the world’s first blockchain-powered government. Our engineers and our leading partners are working to turn this vision into a reality, and Avaya will have a truly unique solution to present to the world, from GITEX.

Today, our Unified Communications and Contact Center solutions are being used by all sorts of customers, in all sorts of industry sectors, for usages that we hadn’t even imagined a few years ago—but that those customers did imagine, and we helped to make reality.

Technology has the power to transform—depending on what you want to make with it. By understanding what our customers want to do with our technology and helping them to achieve it, we’ve achieved our biggest transformation, one that we are happy to share with you at this year’s GITEX. If you visit our stand this year, you will see how we are working with partners and customers to go beyond the digital experience. We look forward to seeing you there.

Trust: The Fuel Driving Digital Transformation

Though they are heading in a similar direction, all of the CIOs I work with are on their own individual roads to transform digitally whilst ensuring they stay ahead in the race to satisfy their end customers.

None of these roads however, are a cruise through the countryside. It’s up to us as their vendor partners to figure out how far into their journeys they have come, to create clear road maps, steer them safely around sharp corners, and keep them grounded on rough terrain—all whilst keeping eyes on the objective: the satisfaction of a smooth drive across freshly laid tarmac.

Inevitably, on this winding road, UK CIOs hit a number of barriers. In particular, there’s one challenge that can end a journey before it’s even managed to clock up a few kilometers. It’s the ability to build trusting relationships with decision makers, internal lines of business, and external vendors and partners. They all play an integral part in creating the right ecosystem, alliances, and consensus towards the journey of DX. Gaining their trust is a complex and delicate process—and it is a necessity.

It is incredible what leading CIOs in the UK are achieving as they work at building enough trust internally to bring their internal audience into the journey. After all, the value of this transformation needs to be articulated, measured, and organization-wide. When this is achieved, the journey of digital transformation becomes an enterprise wide initiative, internal champions are brought into the process, support from cross organizations is established from the start, and the political and financial barriers begin to disappear.

Once trust is established, automatically, technology stops leading the conversation but supports it. The discussion between the CIO and his internal ecosystem becomes business objective centric, defined by the use cases that his internal customers see value in bringing into the business. The technology is then used as a highway to connect defined checkpoints in order to create the shortest most efficient route.

Building internal trust is essential to a CIO’s success in driving digital transformation for his or her organization and in delivering results valued by the organization as a whole. A key outcome is the ability of the CIO to shift the conversation with his or her external ecosystem from a technology to a use cases led dialogue. With this shift, the technology is no longer chosen for its features, but for its ability to be to be a malleable vehicle ready to be taken apart at swift pit stops and pieced back together to suit the ever-changing environment. The focus is no longer on the finish line but on relevant and agile roadmaps defined by short- and long-term goals that support their transformation. Roadmaps that are not simply laid out and driven across at full throttle, but consistently checked and measured to ensure they are progressing and on track.

The CIO needs to be confident that their Vendor as co-driver is an experienced mechanic with that roadmap engraved on the back of their eyelids. They have to trust not only in the technology, but that that their co-driver is guiding them in the right direction towards their vision ahead and will remain by their side as their partner on the road to Digital Transformation.

2016 DevConnect Award Winners Choose to Innovate on Avaya

Platform innovation allows companies to disrupt the status quo for their business, their industry. Amazon, Zappos, Google, Uber are just a few of the success stories that embrace platform innovation and launched massive disruptions. I add to that list Avaya. Why? Like these companies, we too identified a problem and created a platform that solves it. The problem that we identified is that in this mobile-centric, 24X7-access-to-everything, gadget-crazy digital world, there is a huge problem for companies to be able to communications enable any customer experience now, not seven months from now. The platform we created for business communications innovation is Avaya Breeze™. And unlike our competitors, we are embracing the fact that an open, scalable platform with an OpEX business model option that our partners and customers can access on their own—without us—is good for business and the industry. Breeze is a business and industry disrupter not only for Avaya but also for the customers and partners who are innovating on it and transforming their own businesses and industries.

Avaya Breeze is an open framework that brings the necessary attributes for communication in the digital age: embedded, mobile, fast, low risk, and workflow enabled—a key requirement to automate previously manual processes to improve digital experiences. It is the second most visited content topic on Avaya.com. The number of innovations developed on Breeze since its launch in March 2016 has been amazing, especially for an industry that has traditionally been focused on not empowering customers and partners to do things on their own. Customers and partners tell us they have developed hundreds of business communications applications and have hundreds more in development. One of the Avaya DevConnect partners said earlier this year that innovation on Breeze is a breeze. Many others agree. In fact, the DevConnect partners are consistently demonstrating the success of innovating on Avaya via the Breeze platform.

At Avaya, we believe that communications enabling almost anything is now possible through innovation on Breeze. Why not? If a company has a need or a use case, there is a solution and it can be readily available in days to weeks, just ask some of our DevConnect partners like Engelbart Software GmbH.

DevConnect’s 2016 Technology Partner of the Year, Engelbart demonstrated the best overall commitment to Avaya and their DevConnect partnership based on specific characteristics of excellence. The company developed leading-edge esuits2 ECI Server Snap-in for Breeze. This unique snap-in captures calling number information (CLID/ANI) and presents additional caller identification detail to called parties, enabling Avaya customers to enhance productivity and increase customer satisfaction. Engelbart has three solutions listed in the Avaya Snapp Store—Conferencing Whitelisting, esuites2 Enhanced Caller ID (ECI), and NG1-1-2/NG9-1-1 Location Extractor. The company has dozens more concepts under development.

Another example is Beta 80 Group, recently named DevConnect’s 2016 New Partner of the Year for demonstrating innovation and exemplary proactive partnering with Avaya. With a focus on delivering added value for Avaya 911 and second level public safety customers, Beta 80 Group’s innovative e911 (PSAP) solution integrates with Avaya Aura® to provide computer aided dispatch, radio integration, and reporting services for 911 organizations as well as emergency medical services, fire departments, and private medical services.

Three more examples are offered by DevConnect’s 2016 Innovation Award winners who were chosen for their ability to develop an innovative solution that addressed a unique solution in the market.

  • The eGain Knowledge Snap-in for Avaya Breeze from eGain Corporation guides callers to accurate answers online through self-service. Through the Snap-in, eGain enables Avaya customers to improve the overall experience and satisfaction of their own customers by making relevant information quickly available in a self-directed manner.

  • The Moxtra Snap-in for Avaya Breeze from Moxtra, provides rich, persistent chat and document sharing. This innovative Snap-in enables Avaya customers to create real-time continuity and collaboration between callers and contact center agents, increasing productivity and improving customer satisfaction. This Snap-in includes Moxtra’s Dynamic Task Type for Avaya Engagement Designer.

  • With ScoreData Corporation, Avaya customers can greatly benefit from the predictive behavioral analytics characteristics of the ScoreFast™ platform, which is capable of building complex statistical models to deliver custom solutions for specific business problems in near real-time.

On-demand applications such as those created by our award winners are about simplification, urgent need, and improved user experience. Innovating on Avaya is enabling these companies and many more to change their business for today’s digital experiences. Along the way if they also happen to disrupt the industries that they are doing business in, that is the power of innovating on Avaya.