Home > Telecom Tips > > Don't forget to secure the signaling
Telecom Tips:
EMAIL THIS
 TIPS & NEWSLETTERS TOPICS 


Don't forget to secure the signaling


Tom Lancaster
06.23.2005
Rating: -4.25- (out of 5)


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


Most of the concerns network engineers intuitively have about VoIP security are related to high-tech eavesdropping via packet sniffing, or to denial of service attacks or new IP-based versions of good old-fashioned toll fraud. The last two are generally a matter of keeping your systems patched and sensibly configured, but the obvious solution to the eavesdropping is encrypting the media streams.

Many vendors now support the SRTP protocol which uses AES to encrypt your conversations, but it's important to realize that SRTP only encrypts the payload of the media stream. It's not an encapsulating protocol that covers your headers too. It also, obviously, does not encrypt your signaling.

Understanding this is even more important, because you should realize that there is still important user information in your signaling. In the legacy voice world, when you push buttons on the phone -- for instance, to enter the PIN number to access your voice-mail or your bank account, or your automated order taker for your stock brokerage account -- you simply are generating a tone which is carried across the same line your spoken words use. But when this gets converted to VoIP, some of the dialed digits are carried in the signaling protocol, and not in the RTP stream.

So, if you were thinking about authenticating signaling traffic, go ahead and put some thought into encrypting the signaling as well.

The details of this can be vendor-specific, since many vendors implement proprietary signaling protocols, or at least proprietary extensions to standardized protocols. So in the absence of a standard signaling protocol that provides privacy and non-repudiation, odds are good that you'll see some implementation of IPsec, but keep in mind that if you've got a multi-vendor solution, encrypting your signaling may be especially challenging.

Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.

Rate this Tip
To rate tips, you must be a member of SearchTelecom.com.
Register now to start rating these tips. Log in if you are already a member.




Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


RELATED CONTENT
Telecom Security
Enterprise services revenues climb as telecoms tap economies of scale
Telecom network security requires constant vigilance
Data loss prevention inches into telecom service provider awareness
E-mail security protocols add service provider requirements
Short-circuiting hackers' SIP-based VoIP attacks
Vonage VoIP service plagued by security holes, researchers say
Addressing security risks – Whose problem is it?
Security market based on economics, not technology
ISPs offer managed security as network attacks grow
MPLS security analysis

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
caller ID spoofing  (SearchTelecom.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2007 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts