Security Considerations for UC

When engineering a Unified Communications solution for any enterprise, the issue of security has to be baked in from the beginning. Many commercial users of Unified Communications are not aware that their telecommunications experience is often being carried over the public internet in the clear for any hacker to tap into. Spoofing SIP packets is not a complicated act, and any two-bit hacker can do it.

There are many security considerations, as well as security appliances now on the market that will mitigate the risk of compromised Unified Communications. First and foremost, implement TLS and SRTP encryption (employing AES keys) within your design and technology to ensure both signaling and media streams are encrypted between endpoints and soft switches. Secondly, consider including Session Border Controller (SBC) technology within your security boundary configuration.

Many engineers who implement Unified Communications solutions within existing network environments end up establishing port forwarding rules for ports 5060 and 5090 which are used by VoIP to pass SIP media and signaling. This is not an advised security practice, as it clearly established security vulnerability for the enterprise, as well as results in frequent scans by unwanted VOIP agent queries found on the internet. It can also introduce VoIP performance issues, as often when there is a re-invite SIP message sent, most firewalls will open a new port for the media which the endpoints won’t recognize, causing asynchronous audio experiences.

The correct engineering practice to mitigate both potential VoIP performance issues, as well as mitigate introducing new vulnerabilities to the enterprise security posture, is to make use of SBC technology within the UC solution design. SBC technology basically provides a “stateful” security appliance that opens and closes ports dynamically to meet SIP signaling and media requirements, maintaining secure connectivity between endpoints and soft switches. It is recommended they be implemented in parallel to traditional stateful data firewalls, and include implementing separate VLANs for data and voice/video traffic on the enterprise LAN; by doing so, you will be virtually separating data and any voice/video traffic allowing the data traffic to be directed through the data firewall, and the real time service traffic through the SBC.