“Never let the same dog bite you twice.”
Chuck Berry
Before I discuss securing SIP, I want you to imagine a bank. Every bank I know has a sturdy door equipped with a good lock and some form of alarm system. Inside the bank, it’s not uncommon to have a trained security guard. The tellers have access to alarm buttons that can be silently tripped. Behind the tellers there is a vault for safety deposit boxes and the bulk of the on-premise cash. Every safety deposit box has been secured with a two-key system. Beyond physical security, bank employees are trained in how to recognize and respond to security threats.
In other words, there is no single point that provides overall security. Instead, it is shared in a multi-layered approach and any would-be robber needs to be prepared to deal with a series of roadblocks designed to thwart his or her attempts. Each element is important and together they work to ensure that money, valuables, employees, and customers are protected.
The same is true for properly secured SIP. Hackers are confronted with a number of obstructions that either stop or minimize damage.
Layers of SIP Security
The first line of SIP defense is always a properly configured and maintained session border controller (SBC). Like a data firewall, an SBC monitors all SIP traffic that flows in and out of an enterprise. It decides which SIP messages are allowed and which should be blocked.
However, no matter how good an SBC might be, it’s not enough to prevent malicious SIP activity. An SBC is designed to protect the perimeter of an enterprise’s SIP realm, but what happens if someone happens to sneak through? Like that bank, security needs to be part of a layered architecture that stops hackers both at the door and within the enterprise. The rest of this article will address the non-SBC measures that can be taken to ensure the safety and integrity of SIP communication.
Encryption
Internet traffic is safeguarded by using HTTPS (secure HTTP). With HTTPS, web messages are encrypted using Transport Layer Security (TLS). Thankfully, TLS can also be applied to SIP to ensure that all signaling messages (INVITE, ACK, BYE, etc.) are hidden from prying eyes (and network analyzers).
SIP media can also be encrypted using Secure Real-Time Protocol (SRTP). Like TLS for SIP signaling, SRTP prevents hackers from seeing the media messages that are transmitted during a SIP conversation. In other words, SRTP prevents voice and video eavesdropping.
Unfortunately, there are strong forms of encryptions and weak forms of encryptions. An in-depth look at encryption methodologies is beyond the scope of this article, but it can be simplified to say that strong encryption is provided by using a cipher with a large key size. Here, large can be defined as greater than 128 bits.
Authorization
A secure SIP system is one that does not inherently trust its users. This means that every user must have a secure password.
SIP passwords should model computer network passwords to the best of their ability — passwords should be of a minimum length, changed often, not consist of well-known patterns, and password reuse should be controlled.
Sadly, since many SIP passwords are tied to legacy telephone systems, they are limited to digits that can be entered on a telephone keypad. Still, there are ways to create passwords that are hard to quickly break. Here are some techniques that I’ve found to be effective:
- Minimum password length is 8 digits
- Password cannot contain the SIP extension
- Passwords cannot contain patterns (e.g. 11112222) or a number series (e.g. 87654321).
- Passwords must be changed every 45 days
- Passwords cannot be reused
While no password is 100% secure, it’s essential to make them as hard as possible to stumble upon. If a hacker spends too much time trying to break into your system, he will become frustrated and move on to an easier target.
Authentication
In addition to good passwords, SIP messages should be challenged. At the protocol level, this means that every message will receive a “407 Proxy Authentication Required” response. The client would then resend the message with an encrypted password. Using Nonce technology, the encrypted password is only good for one transaction and even if a hacker discovers it, it’s immediately useless to him or her.
I am a big fan of challenging all SIP messages. This includes everything from REGISTER to BYE. SIP hacking is more than just breaking into a system. It can also take the form of disrupting communication. A 407 response can help ensure integrity at every point in a call flow.
Profiling
Profiling is defined as extrapolating information based on known traits or tendencies. This can be applied to SIP to help keep the bad guys/gals out while allowing the good gals/guys to freely communicate.
For SIP, profiling can be accomplished in a number of different ways. For instance, bad actors can be identified by location. Here, locations consist of IP addresses and countries. When a suspect location is determined, it is added to a SIP blacklist.
In addition to hacker locations, the paths they take to get to your system can be used to question the validity of a SIP message.
Lastly, SIP hackers develop patterns and as those patterns are identified and detected, they can be used to block malicious actors and their attempts. Detection can be carried out in real-time or through an in-depth analysis of SBC logs.
Mischief Managed
You would never put your hard-earned cash into a bank that was careless with how it stored your money. The same needs to be true about SIP. I would not want to make telephone calls or share sensitive information on a SIP platform that didn’t do everything in its power to protect messages and media. By properly securing every attack surface, you can protect your users and your company. And that’s something you can take to the bank.