Don’t Ignore SIP Security

10 Security Trends to Look for in 2016

The Session Initiation Protocol (SIP) enables voice communications over IP networks (VoIP). However, this traffic is vulnerable to hackers and phishers, and organizations need to take prudent steps to protect it. Sonus’ Vice President of Engineering and Chief Technology Officer Kevin Riley contributed a commentary to Network Computing in which he discussed five steps to securing SIP traffic.

Riley advocates:

• Strong security policies enforced across all offices and devices.
• Use of encryption, virtual private networks and endpoint authentication.
• Use of heuristic models to ferret out and identify suspicious and/or malicious patterns in communications.
• Use of call admission control for each session, which both ensures call quality and prevents unauthorized log-ins.
• Use of session border controllers (SBCs) in an effort to protect the core of the enterprise network

SIP security shouldn’t be overlooked. A white paper from Panamax explores its importance. The press release for the paper, “Tomorrow Starts Today: Security for SIP-Based VoIP Communications Solutions,” highlights the risks of not paying attention to this important topic. The bottom line is that:

…in the face of cyberattacks from potential hackers, firewalls alone are not sufficient to protect a VoIP network.  Because SIP-based VoIP communications solutions are a gateway to an entire network, enterprises and SMBs require a robust, seamless approach to network security, including understanding hackers’ tactics and motivations, sufficient in-house skills, and a consistent strategy to safeguard against intrusion.

Telecom Reseller News goes into detail about how to secure SIP networks. The piece covers initial setup and ongoing operations, which include the servers, passwords and access procedures, security checks and enablement of a backup routine. Each category contains multiple suggestions. For instance, there are no fewer than 12 steps in the passwords and access category. The bottom line is that truly securing a SIP VoIP infrastructure is not easy and demands vigilance.

More advice was offered in June by Andrew Prokop at No Jitter. The piece also goes into admirable detail. Among the most valuable is the advice Prokop offers on what precisely needs to be protected. He says you need to consider four areas in terms of security for SIP and VoIP: SIP signaling and the media stream must be protected. Strategies for ensuring that the people using the network are who they say they are must be employed. The last task is to find ways of preventing ‘the bad guys from sneaking into your business and compromising your VoIP network.’

The security challenges to SIP seem to be both technical (actual hacking and cracking) and social (phishing). That makes it particularly insidious. Clearly, organizations must pay close attention.

Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at cweinsch@optonline.net and via twitter at @DailyMusicBrk.