Internet Telephony Product of the Year
 

SIP Trunk Security

SIP trunks allow enterprises to take full advantage of VoIP and eliminate costly time-division multiplexing (TDM) trunks and gateways. With SIP trunks, enterprises can route calls over the carrier's IP backbone and use the same IP connection for all their communications.

Security and deployment issues

However, SIP trunking comes with a list of important security and deployment issues for the enterprise as well:

  • Do the enterprise and the service provider have the same security requirements?
  • Do the service provider and the enterprise have the same security policies for employees, networks, and VoIP systems?
  • How can the enterprise maintain control over signaling, media, security, and routing policies?
  • How does the enterprise address new SIP or media threats to the enterprise infrastructure or to the service provider’s infrastructure?
  • What changes must the enterprise make to the firewall/NAT device, IP PBX, private IP addresses, numbering plan, and other components?
  • Must the enterprise network topology be exposed?
  • How does the enterprise ensure user/caller ID privacy?
  • How does the enterprise ensure the privacy of the actual media communications? Is encryption required, and if so, must it be end-to-end?

To secure SIP trunks, enterprises must deploy a real-time UC security solution that combines comprehensive threat protection, strict policy enforcement, robust access control, and privacy in a single security appliance.

The Sipera VoIP/UC Security Solution

The Sipera UC-Sec family of security appliances offers real-time UC security to address the issues associated with SIP trunk deployments. Built on the foundation of the VIPER engine and real-time platform, the UC-Sec performs the following functions for securing SIP Trunks:

  • serves as the demarcation point for the enterprise VoIP and UC network and enforces fine-grained security policies
  • protects against SIP and RTP threats by blocking them at the enterprise perimeter
  • maintains privacy of the internal network, caller/user IDs, and communications
  • performs firewall/NAT traversal to simplify the deployment of SIP trunks

Secure Implementation

A single Sipera UC-Sec security appliance can be deployed at the customer premises between the internal and external firewalls. The appliance provides complete network security, enforces security policies, and handles the other SIP trunk deployment issues for the enterprise network.

In this deployment, the Sipera UC-Sec performs border control functionality such as FW/NAT traversal (local and remote), security policy enforcement based on fine-grained UC policies, and threat protection functionality to prevent denial of service, spoofing, and stealth attacks.

Because the Sipera UC-Sec product is a trusted host in the DMZ, IP signaling traffic to the enterprise is received by the external firewall and sent to the Sipera UC-Sec, which processes the signaling information. If the SIP signaling traffic is encrypted, the Sipera UC-Sec security device decrypts all TLS-encrypted traffic and looks for anomalous behavior before forwarding the packets through the internal firewall to the appropriate IP PBX to establish the requested call session.

Once a valid call has been set up, RTP packets are allowed to flow through the external firewall to the Sipera UC-Sec product, which decrypts the SRTP traffic (if required) and looks for anomalous behavior in the media before passing the RTP stream on to the intended recipient.
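The three behaviours described above (inspecting signaling before it reaches the IP PBX, hiding the internal topology from the trunk provider, and admitting RTP only for a call whose setup completed) are modelled in the following added example. It is illustrative code written for this page, not Sipera's UC-Sec implementation; the addresses, the sample INVITE, and the `INTERNAL_PREFIX` / `SBC_PUBLIC_IP` values are constructed assumptions.

```python
import re

SBC_PUBLIC_IP = "203.0.113.10"   # constructed (RFC 5737 documentation range)
INTERNAL_PREFIX = "10.0."        # constructed enterprise address space
REQUIRED = ("via", "from", "to", "call-id", "cseq")

# Constructed sample: an INVITE leaving the enterprise IP PBX toward the trunk provider.
OUTBOUND_INVITE = (
    "INVITE sip:+15551234567@provider.example SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.0.5.20:5061;branch=z9hG4bK776\r\n"
    "From: <sip:1001@10.0.5.20>;tag=a1\r\nTo: <sip:+15551234567@provider.example>\r\n"
    "Call-ID: abc123@10.0.5.20\r\nCSeq: 1 INVITE\r\nContact: <sip:1001@10.0.5.20:5061>\r\n"
    "\r\nv=0\r\nc=IN IP4 10.0.5.20\r\nm=audio 40000 RTP/SAVP 0\r\n"
)

def parse_sip(raw):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    hdrs = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        hdrs.setdefault(name.strip().lower(), []).append(val.strip())
    return lines[0], hdrs, body

def inspect(raw):
    """Anomaly checks the perimeter device applies before forwarding; [] means pass."""
    start, hdrs, _ = parse_sip(raw)
    issues = [f"missing {h}" for h in REQUIRED if h not in hdrs]
    if not re.match(r"^[A-Z]+ sip:\S+ SIP/2\.0$", start):
        issues.append("malformed request line")
    return issues

def hide_topology(raw):
    """Replace every enterprise address (Via, Contact, SDP c=) with the SBC's public IP."""
    swap = lambda m: SBC_PUBLIC_IP if m.group(0).startswith(INTERNAL_PREFIX) else m.group(0)
    return re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", swap, raw)

class MediaGate:
    """Admit RTP only from endpoints negotiated in the SDP of a completed call."""
    def __init__(self):
        self.pinholes = set()
    def open_from_sdp(self, sdp):
        c = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
        m = re.search(r"^m=audio (\d+) RTP/S?AVP", sdp, re.M)
        if c and m:
            self.pinholes.add((c.group(1), int(m.group(1))))
    def admit(self, src_ip, src_port):
        return (src_ip, src_port) in self.pinholes
```

In a real deployment the gate is opened from the provider's 200 OK and closed again on BYE; the class only shows the admit-after-setup decision.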

Secure Results

The popularity of SIP trunks is primarily due to cost savings and the increased reliability offered through service provider service level agreements (SLAs). SIP trunks can deliver much lower-cost local, toll-free, domestic, and international long-distance service to any enterprise willing to replace its PSTN connectivity. They also offer a unique opportunity for large distributed enterprises to consolidate their VoIP/UC infrastructure and their connectivity to the PSTN.

However, without solving the network security and demarcation challenges, SIP trunks cannot be deployed on a large scale. The Sipera UC-Sec product offers a comprehensive security solution with threat protection, access control, policy enforcement, and privacy protection in a single device, enabling enterprises to address all of these challenges and securely deploy SIP trunks.

Learn more: Get the full story in this PDF version of Securing SIP Trunks.

NEW: Dell's Unified Communications solutions encompassing SIP trunking with Microsoft OCS R2 and Sipera's award-winning security appliance are detailed in a new white paper available here.

Product information: Look at the Sipera UC-Sec Products page.


UC Security Defined
Sipera Systems, the leader in real-time Unified Communications (UC) security, is the choice of enterprises and service providers around the world to support their mission-critical UC deployments.
Sipera offers groundbreaking, production-proven solutions that secure voice, video, messaging, collaboration, and other real-time communications in converged IP networks, boosting compliance with information security requirements.
Backed by the industry-leading research of the VIPER lab, Sipera's solutions provide comprehensive threat protection, policy enforcement, access control, and encryption in a single flexible appliance.

© Copyright 2010 Sipera Systems, Inc. All rights reserved. Sipera, Sipera UC-Sec and related products, SLiC, Sipera LAVA and Sipera VIPER are trademarks of Sipera Systems, Inc.