3 Ways to Secure Communications for Virtual Unified Communications Systems


A Virtual Unified Communications System (vUCS) is a business phone system, typically used in enterprise-level organizations, that provides call routing, presence, follow-me calling, voice mail, fax, and automatic call distributor (ACD) queues, all delivered over IP using SIP.

vUCS offers a communication solution optimized for the requirements of dynamic businesses using current IP technology. Unlike a traditional private branch exchange (PBX), businesses do not need to purchase or install special equipment, because Virtual Unified Communication solutions are purely software-based.


openUC™ (now called Uniteme) - eZuce's flagship openUC platform is a complete unified communications software solution that is easy to deploy and manage, and can scale from dozens to tens of thousands of end-users. openUC is an open software platform with all the features one would expect in an enterprise-class unified communications solution. The platform supports any end-user device while delivering robust functionality and flexible cloud/on-premise deployment options. Using a hosted solution often raises security concerns. Do we fully trust and rely on public infrastructure? Of course not! The openUC solution is built around a pure SIP proxy server: the proxy handles signalling only, so the voice (RTP) traffic flows directly between the endpoints, and media encryption can therefore be end-to-end. There are three solutions we can use to protect our most sensitive voice traffic:

  1. IPsec - Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. Starting from that definition and the nature of end-to-end security, we can assume that deploying and administering an IPsec tunnel will provide a good security level to any organization. Since establishing an IPsec tunnel is done at the router level, there isn't much else I can show here.
  2. TLS - Transport Layer Security (RFC 2246) is a Layer 4 protocol that runs on top of TCP (see DTLS for UDP). There are both advantages and disadvantages associated with TLS.
    • Advantages - TLS is the recommended security mechanism for Session Initiation Protocol (SIP). NAT traversal works flawlessly with TLS, whereas with IPsec (Layer 3) you can encounter serious problems. HTTP Digest authentication exchanges in SIP environments are carried over TLS. SIP client implementations natively support TLS. It provides user authentication instead of only data-origin authentication (a higher degree of authentication).
    • Disadvantages - Requires the server and client to support PKI features such as certificate validation and certificate management, and not all clients and solutions support PKI. TCP and TLS pose significant memory consumption and scaling issues when you have tens of thousands of TCP connections. Runs on top of TCP only (connection-oriented); a variant of TLS for use with UDP exists, called DTLS (RFC 4347). Provides only hop-by-hop security: every intermediate hop would need to be secured with TLS, so it does not provide true end-to-end security. TLS cannot be used to secure VoIP RTP media streams; SRTP is used instead.
  3. SRTP/ZRTP - The Secure Real-time Transport Protocol (SRTP, RFC 3711) defines a profile of RTP (Real-time Transport Protocol) intended to provide encryption, message authentication and integrity, and replay protection for RTP data in both unicast and multicast applications. More recently, ZRTP has emerged as another way of securing RTP. ZRTP (composed of Z and Real-time Transport Protocol) is a cryptographic key-agreement protocol that negotiates the encryption keys between two endpoints of a Voice over Internet Protocol (VoIP) call carried over RTP. It uses Diffie-Hellman key exchange for the agreement and SRTP for the encryption itself.


Hands-on TLS on an openUC system: deploying TLS for devices that can be provisioned by openUC (like Polycom phones) is as easy as setting the transport to TLS.

To enable TLS on clients that are not provisioned by openUC (Zoiper, for example), and if you are using a self-signed certificate that the client cannot import automatically, you will first need to copy the Certificate Authority certificate from System --> Certificates and paste it into a text file named cert.pem.

[Screenshot: the System --> Certificates page, and the CA certificate imported into the client as cert.pem]

After importing the Certificate Authority certificate you will need to set the transport to TLS.

Once the transport is changed to TLS, you can verify it by looking at the registration page for the "transport=tls" option.

Enabling SRTP can be done with the same ease in both cases:

For provisioned phones, go to the phone settings page --> Security tab and enable SRTP.

For Zoiper you need to select SRTP manually, as on the screen below (TLS with SDES SRTP).

The next step in verifying secure communications is to take a packet capture: by port mirroring at the switch level for hard phones, or by launching a Wireshark capture on the host when using softphones. The first picture below shows that TLS is enabled; in the second picture, since Wireshark did not know how to interpret the SRTP packets, it simply shows them as ENIP. This is only a dissector heuristic based on the UDP port (Polycom's default RTP port range starts at 2222, which the EtherNet/IP dissector claims), not a sign of a problem; using "Decode As..." RTP shows the stream as RTP, with the payload still unreadable as expected for SRTP.

[Screenshot 1: Wireshark capture showing the SIP signalling carried over TLS]

[Screenshot 2: Wireshark capture showing the SRTP media packets, displayed as ENIP]
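The two checks above (transport=tls on the registration, and SRTP rather than plain RTP in the call) can also be made on the text of a captured SIP message. This is an added example, not part of the original post or of openUC: it parses constructed SIP/SDP samples (addresses, extension and the inline key are placeholders) and also catches the case where a client offers SDES keys but leaves the profile as RTP/AVP, which lets the far end answer with clear RTP.

```python
import re

# Constructed sample messages (not from a real openUC capture): a REGISTER
# response whose Contact carries transport=tls, and two SDP audio sections.
REGISTER_200 = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/TLS 192.0.2.25:5061;branch=z9hG4bKabc\r\n"
    "Contact: <sip:201@192.0.2.25:5061;transport=tls>;expires=3600\r\n"
    "Content-Length: 0\r\n\r\n"
)
SDP_SRTP = (
    "v=0\r\n"
    "m=audio 2222 RTP/SAVP 0 8 101\r\n"
    # SDES (RFC 4568) crypto line; the inline key is a placeholder, not a real key
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLDERK\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
SDP_PLAIN = "v=0\r\nm=audio 2222 RTP/AVP 0 8 101\r\na=rtpmap:0 PCMU/8000\r\n"

def signalling_transport(msg):
    """Transport the registration uses: the Contact URI parameter first (what the
    openUC registration page shows), then the transport in the top Via header."""
    m = re.search(r"^Contact:.*?;transport=(\w+)", msg, re.M | re.I)
    if m:
        return m.group(1).lower()
    m = re.search(r"^Via:\s*SIP/2\.0/(\w+)", msg, re.M | re.I)
    return m.group(1).lower() if m else "unknown"

def media_security(sdp):
    """Classify the audio m-line: 'srtp' (RTP/SAVP profile plus a crypto line),
    'plain' (RTP/AVP, no keys) or 'optional' (keys offered but the profile is
    still AVP, so the peer may legitimately answer without SRTP)."""
    m = re.search(r"^m=audio \d+ (RTP/S?AVPF?)", sdp, re.M)
    profile = m.group(1) if m else ""
    has_keys = re.search(r"^a=crypto:\d+ \S+ inline:", sdp, re.M) is not None
    if profile.startswith("RTP/SAVP") and has_keys:
        return "srtp"
    if has_keys:
        return "optional"
    return "plain"

def call_is_secure(register_msg, sdp):
    """True only when both signalling is over TLS and media is mandatory SRTP."""
    return signalling_transport(register_msg) == "tls" and media_security(sdp) == "srtp"

if __name__ == "__main__":
    print("transport:", signalling_transport(REGISTER_200))
    print("media:", media_security(SDP_SRTP), "/", media_security(SDP_PLAIN))
    print("secure call:", call_is_secure(REGISTER_200, SDP_SRTP))
```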

Safety comes first!


Written by Mihai Costache


Mihai is an IT enthusiast and a new-technology scout with more than 10 years of experience. His military education and background cultivated in him a strong sense of loyalty and a positive work ethic. Mihai has worked in various roles for government and private corporations in the area of IT and telecommunications. After serving his country for more than 6 years, he joined Huawei Romania as an OSS Engineer. Currently he is part of the eZuce family, acting as Senior TAC Engineer and Solutions Architect. His motto is: "No problem can withstand the assault of sustained thinking"
