Are Your Calls Secure?
There are numerous reasons for deploying secure SIP. The primary reason is preventing fraud. Fraud comes in different forms including toll fraud or consumer based fraud. Consumer fraud includes gathering sensitive information from the call like credit card information. Another major concern might be government-mandated encryption. Simply being security conscience in wanting to keep conversations private is another valid reason. It is important to note that SIP need not be encrypted when delivered on a trusted network, for example MPLS from the carrier, unless you simply do not want your calls listened to.
A quick stroll through the Internet looking at various websites by different cloud- based suppliers informs me they are only telling half the story. Many cloud-based suppliers often tell you their service is encrypted with TLS (Transport Layer Security) leading you to believe your calls are totally encrypted. Naturally, you consider SIP security done.
If a cloud-based supplier is utilizing TLS you are only half encrypted. It is important to understand that the SIP standard divides the call into 2 parts. Call control and audio. Each part requires its own encryption method. SIP call control merely contains information such as inbound calling number, caller ID, hold, transfer, and various other metadata type information. This part of the call is the easiest to encrypt because it is not time sensitive like the voice part of the call. The voice/audio part of the call is called RTP (Real-Time Transport Protocol). As noted in the definition of the call, real time, the packets cannot be delayed or improperly assembled making this more difficult to encrypt. TLS refers only to the SIP signaling leaving RTP totally unencrypted, allowing any knowledgeable hacker on your network, including Internet, to record and replay your calls with simple, free, commonly available tools.
If your concern is primarily to protect from toll fraud TLS is effective. If your concern is one of the reasons noted above than TLS has done nothing to protect your organization.
Feel free to give me a call if you would like to learn more about deploying actual encrypted SIP.
Craig B. Hodges