Secure SIP protects VoIP traffic

Security mechanism helps fill hole in Session Initiation Protocol.

By Michael Ward, Network World
May 01, 2006 12:01 AM ET
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Session Initiation Protocol has become the call control protocol of choice for VoIP networks because of its open and extensible nature. However, the integrity of call signaling between sites is of utmost importance, and SIP is vulnerable to attackers when left unprotected.

Secure SIP is a security mechanism defined by SIP RFC 3261 for sending SIP messages over a Transport Layer Security-encrypted channel. Originally used for securing HTTP sessions, TLS can be repurposed to protect SIP session communications from eavesdropping or tampering. By deploying SIP-based devices that support Secure SIP, network administrators benefit from these increased levels of security for their VoIP networks.

Thwarting threats

Companies are concerned about malicious parties eavesdropping on SIP signaling information, performing man-in-the-middle attacks that disrupt service or gaining unauthorized access to VoIP networks.

RFC 3261 defines mechanisms for providing increased security for a SIP session.

The most basic level of security, required to be implemented by all SIP user agents and SIP proxy servers, is Message Digest (MD5) authentication. This provides a basic level of authentication challenge between a SIP proxy server and SIP user agent. At the other end of the spectrum, Secure Multipurpose Internet Mail Extensions (S/MIME) can be implemented to encrypt data directly within SIP messages.

SIP support for S/MIME has not been as widely deployed as HTTP because of the required public-key infrastructure support and the added complexity of managing the security certificates. Secure SIP, running SIP over TLS on a hop-by-hop basis, provides a more comprehensive level of security than that of basic MD5 authentication, without the additional overhead imposed by S/MIME.
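The digest challenge described above, as an added example that is not part of the original article: it computes the response the way RFC 2617 (the HTTP Digest scheme that RFC 3261 reuses) specifies, then shows that the hash covers only the credentials, nonce, method and URI, so the rest of the message is neither encrypted nor integrity-checked. The user name, realm, nonce, password and message fields are constructed sample values, and the function names are assumptions.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri, nonce,
                    nc=None, cnonce=None, qop=None) -> str:
    """Digest response per RFC 2617, as used for SIP authentication."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # derived from the shared secret
    ha2 = md5_hex(f"{method}:{uri}")                 # covers method and URI only
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def proxy_accepts(request: dict, stored_password: str) -> bool:
    """Proxy side: recompute the response from the stored credential and compare."""
    a = request["authorization"]
    expected = digest_response(a["username"], a["realm"], stored_password,
                               request["method"], a["uri"], a["nonce"],
                               a.get("nc"), a.get("cnonce"), a.get("qop"))
    return hmac.compare_digest(expected, a["response"])

def build_register(password: str) -> dict:
    """User-agent side: answer a (constructed) challenge for a REGISTER request."""
    a = {"username": "alice", "realm": "example.invalid",
         "uri": "sip:example.invalid", "nonce": "constructed-nonce-0001",
         "qop": "auth", "nc": "00000001", "cnonce": "constructed-cnonce"}
    a["response"] = digest_response(a["username"], a["realm"], password,
                                    "REGISTER", a["uri"], a["nonce"],
                                    a["nc"], a["cnonce"], a["qop"])
    return {"method": "REGISTER", "authorization": a,
            "body": "constructed message body"}

def body_change_detected(password: str) -> bool:
    """True if altering a field outside the digest makes verification fail."""
    request = build_register(password)
    request["body"] = "altered in transit"
    return not proxy_accepts(request, password)

if __name__ == "__main__":
    secret = "example-secret"  # constructed credential
    print("correct password accepted:", proxy_accepts(build_register(secret), secret))
    print("wrong password accepted:  ", proxy_accepts(build_register("guess"), secret))
    print("body change detected:     ", body_change_detected(secret))
```

The last check comes back false: with `qop=auth` the digest still verifies after the body changes, which is the gap that carrying the same message over TLS on each hop closes.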
