In the same way that you would never allow a PC to connect to the Internet without the proper security tools, such as a firewall or a virus checker, Voice over IP (VoIP) also requires protection from malicious activity. SIP has a number of security mechanisms that are either built into the protocol or work alongside it to create a rock-solid means of defense. For example, SIP signaling itself can be encrypted, and individual SIP messages can be challenged with authentication requests. SIP media streams can also be encrypted to protect them from prying eyes and ears.
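As an added example (not code from the original article), the challenge-and-response step mentioned above in Python: the server issues a Digest challenge, the client computes the response the way RFC 3261 section 22.4 specifies (the qop="auth" form), and the server verifies it, rejecting unknown, replayed or malformed responses. The realm, user name, password and nonce values are constructed for the example.

```python
"""SIP Digest authentication (RFC 3261 s22.4, qop="auth" form)."""
import hashlib
import hmac
import re
import secrets

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def parse_digest_params(header: str) -> dict:
    """Turn 'Digest k="v", k2=v2' into a dict (quotes stripped)."""
    body = header.split(" ", 1)[1]
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', body)}

def digest_response(username, password, realm, nonce, method, uri, nc, cnonce, qop="auth"):
    """Client side: the 'response' value sent back in the Authorization header."""
    ha1 = _md5(f"{username}:{realm}:{password}")   # the password itself never goes on the wire
    ha2 = _md5(f"{method}:{uri}")                   # binds the proof to this request and method
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestVerifier:
    """Server side: issues nonces and checks the response a user agent sends back."""
    def __init__(self, realm: str, credentials: dict):
        self.realm = realm
        self.credentials = credentials   # username -> password (constructed sample data)
        self.issued = set()              # nonces handed out and not yet consumed

    def challenge(self) -> str:
        """Build the WWW-Authenticate value carried in a 401 response."""
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth", algorithm=MD5'

    def verify(self, authorization: str, method: str) -> bool:
        p = parse_digest_params(authorization)
        try:
            nonce, user = p["nonce"], p["username"]
            if p.get("realm") != self.realm or nonce not in self.issued:
                return False                     # unknown, expired or replayed nonce
            self.issued.discard(nonce)           # single use, whatever happens next
            password = self.credentials.get(user)
            if password is None:
                return False
            expected = digest_response(user, password, self.realm, nonce, method,
                                       p["uri"], p["nc"], p["cnonce"], p.get("qop", "auth"))
            return hmac.compare_digest(expected, p["response"])
        except KeyError:
            return False                         # malformed header (missing parameter)
```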
SIP-based components such as a Session Border Controller (SBC) can be deployed as perimeter defense appliances, similar to how an enterprise would deploy a network firewall. There are two basic types of SBCs. One type is used only for SIP trunks. A trunks-only SBC protects an enterprise from unauthorized access and denial-of-service attacks. An enterprise would also deploy a trunks-only SBC to hide the topology of its internal network from the outside world.
Prior to SIP, for an enterprise to extend VoIP telephony beyond its internal network it had to support VPN (Virtual Private Network) tunnels between the internal LAN and remote users. This required specialized software, or in some cases hardware, at the remote sites or devices. In an age where consumer-grade devices such as iPhones, iPads, and Android phones can run enterprise-grade SIP communication software, the requirement for a VPN has become too restrictive and potentially counter to the desire to protect the enterprise from malicious software. For instance, enabling a VPN connection on an iPhone exposes an enterprise not only to the desired communications application but also to every other application the user may have downloaded to his or her iPhone.
The second type of SBC supports trunks, as previously described, along with remote users. Instead of securing an entire device and allowing every application on that device access to a company’s network, this form of SBC creates a secure connection for only the SIP traffic. All other applications and activity on the remote device are blocked from entering the network, thereby minimizing the security risks that device may create. The idea here is to safely embrace any and all consumer communications devices by securing the desired SIP traffic and prohibiting all other forms of remote access.
By following the best practices for SIP security a company opens itself up to a world of new forms of communications and communications devices. No longer will the IT department have to say “no” every time an employee asks to put a new device on the company network. The IT staff can be assured that the security measures and devices that have been put into place will safeguard the company while at the same time allowing its employees to be productive in ways never before imagined.