SIP Trunking Demystified: Security
I’m not old enough to remember the old school party line phones that my mom talks about. Heck, the idea of sharing one phone per house seems far enough in the past at this point, let alone sharing a phone with neighbors.
If you’re not familiar with the concept of party line phones, you basically shared a single line from the telephone company with a handful of your neighbors. When the phone rang, you listened to the number of rings to determine whether the call was for your house. A second call on the line wasn’t possible either. You could also pick up the phone at any time and listen in on your neighbors’ phone calls. No guarantee of privacy!
SIP trunks can be sort of the same thing. Standard SIP providers hand off their SIP trunks on the default TCP port of 5060. This port is typically used for unencrypted SIP communications, which means that anyone who can get a packet capture of your calls gets to replay the whole conversation. If the handoff for the SIP trunk is through a private connection to the carrier, this may not be much of an issue. However, most SIP carriers hand off their trunks across the internet. That means all of your calls cross the internet unencrypted and are subject to interception!
Enter SIP-TLS and SRTP. SIP-TLS puts a TLS wrapper around your SIP signaling to ensure that all call setup and teardown messages are encrypted. SRTP does the same for the actual call audio. Setup for SIP-TLS and SRTP is pretty simple: all it takes is the exchange of a digital certificate between the provider and the customer to authenticate and encrypt traffic on both sides. However, the majority of providers don’t offer this as a service, and non-enterprise-grade PBXs don’t support it either.
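The quickest way to find out whether a trunk is actually getting the protection described above is to look at one INVITE from it: the top Via header says which transport the signaling rode in on (TLS or not), and the SDP body says whether the audio was offered as plain RTP (`RTP/AVP`) or as SRTP (`RTP/SAVP` with an `a=crypto` line carrying the key material). The Python below is an added example written for this post, not code from the original author, Cisco or any provider; it assumes you already have the text of an INVITE exported from a capture on your own PBX or border element, and the two sample messages embedded in it are constructed for illustration (the SRTP key string is a placeholder, not real key material).

```python
"""Report whether a captured SIP INVITE protects signaling and media.

Added example, not part of the original post. Input is the raw text of a
SIP request (CRLF or LF line endings); output is a small report object.
"""
import re
from dataclasses import dataclass, field

SRTP_PROFILES = ("RTP/SAVP", "RTP/SAVPF")


@dataclass
class TrunkSecurity:
    signaling_transport: str          # transport from the top Via header
    signaling_encrypted: bool         # True only for TLS
    media_profiles: list = field(default_factory=list)   # one entry per m=audio
    media_encrypted: bool = False     # True when every audio stream is keyed SRTP
    problems: list = field(default_factory=list)         # human-readable findings


def parse_sip_message(raw: str) -> TrunkSecurity:
    text = raw.replace("\r\n", "\n")          # tolerate pasted LF-only text
    head, _, body = text.partition("\n\n")    # blank line separates headers/SDP
    headers = head.split("\n")[1:]            # drop the request line

    # The top-most Via header records the transport used on this hop.
    transport = "UNKNOWN"
    for h in headers:
        name, _, value = h.partition(":")
        if name.strip().lower() in ("via", "v"):
            m = re.match(r"\s*SIP/2\.0/(\w+)", value)
            if m:
                transport = m.group(1).upper()
            break
    sig_encrypted = transport == "TLS"

    # Walk the SDP: each m=audio line opens a media section, and a=crypto
    # lines within it announce SRTP key material (SDES, RFC 4568).
    profiles, crypto_counts = [], []
    for line in body.split("\n"):
        if line.startswith("m=audio"):
            parts = line.split()
            profiles.append(parts[2] if len(parts) > 2 else "?")
            crypto_counts.append(0)
        elif line.startswith("a=crypto:") and crypto_counts:
            crypto_counts[-1] += 1

    media_encrypted = bool(profiles) and all(
        p in SRTP_PROFILES and c > 0 for p, c in zip(profiles, crypto_counts)
    )

    problems = []
    if not sig_encrypted:
        problems.append(f"signaling over {transport}: SIP headers readable on the wire")
    for p, c in zip(profiles, crypto_counts):
        if p not in SRTP_PROFILES:
            problems.append(f"audio offered as {p}: call audio is plain RTP")
        elif c == 0:
            problems.append(f"{p} offered without a=crypto: SRTP cannot be keyed")
    return TrunkSecurity(transport, sig_encrypted, profiles, media_encrypted, problems)


# Constructed sample: typical unencrypted trunk on UDP 5060 offering plain RTP.
PLAINTEXT_INVITE = (
    "INVITE sip:+15551234567@trunk.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:pbx@192.0.2.10>;tag=1928301774\r\n"
    "To: <sip:+15551234567@trunk.example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=- 0 0 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8 101\r\n"
)

# Constructed sample: SIP-TLS on 5061 with an SRTP offer (key is a placeholder).
SECURE_INVITE = (
    "INVITE sip:+15551234567@trunk.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhdt\r\n"
    "From: <sip:pbx@192.0.2.10>;tag=1928301775\r\n"
    "To: <sip:+15551234567@trunk.example.net>\r\n"
    "Call-ID: a84b4c76e66711@192.0.2.10\r\n"
    "CSeq: 314160 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=- 0 0 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 16384 RTP/SAVP 0 8 101\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYMATERIALxxxxxxxxxxxxxxxxxx\r\n"
)


if __name__ == "__main__":
    for label, msg in (("plaintext", PLAINTEXT_INVITE), ("secure", SECURE_INVITE)):
        r = parse_sip_message(msg)
        print(label, "signaling:", r.signaling_transport, "media:", r.media_profiles)
        for p in r.problems:
            print("  -", p)
```

Run it against an INVITE pulled from your own capture; an empty `problems` list means both legs are covered. Note that seeing `RTP/SAVP` in the offer only tells you SRTP was offered, so check the provider's 200 OK the same way to confirm it was accepted rather than falling back to plain RTP.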
Not so with a Cisco-based SIP solution. Cisco’s Unified Border Element (CUBE) has supported call encryption for quite some time now; support started with the ISR 2900/3900 line and now extends to the 4300/4400 series. On the provider side, I’ve had great luck with Intelepeer and their secure SIP options. Easy to work with and rock solid once set up.