Virtual Unified Communications System (vUCS) is a business phone system, typically used in enterprise-level organizations, that provides call routing, presence, follow-me calling, voice mail, fax, and automatic call distributor queues delivered over IP using SIP.
vUCS offers a communication solution optimized to address the requirements of dynamic businesses using the latest IP technology. Unlike a traditional private branch exchange (PBX), businesses do not need to purchase or install special equipment because Virtual Unified Communication solutions are purely software based.
openUC™ (now called Uniteme) - eZuce's flagship openUC platform is a complete unified communications software solution that is easy to deploy and manage, and can scale from dozens to tens of thousands of end-users. openUC is an open software platform with all the features one would expect in an enterprise-class unified communications solution. The platform supports any end-user device while delivering robust functionality and flexible cloud/on-premise deployment options. Using a hosted solution often raises security concerns. Do we fully trust and rely on public infrastructure? Of course not! The openUC solution is based on a pure SIP proxy server, meaning that voice traffic flows end-to-end between the endpoints, so encryption can be end-to-end as well. There are three solutions that we can use to protect our most sensitive voice traffic:
- IPSec - Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. Starting from this definition and the nature of end-to-end security, we can assume that by using and administering an IPSec tunnel a good security level will be provided to any organization. Since establishing an IPSec tunnel is done at the router level, there isn't much else I can show here.
- TLS - Transport Layer Security (RFC 2246) is a Layer 4 protocol that runs on top of TCP (see DTLS for UDP). There are both advantages and disadvantages associated with TLS.
- Advantages - TLS is the recommended security mechanism for Session Initiation Protocol (SIP). NAT traversal works flawlessly with TLS, whereas with IPSec (Layer 3) you can encounter serious problems. HTTP Digest sessions in SIP environments are based on TLS. SIP client implementations natively support TLS. It provides user authentication instead of data-origin authentication (a higher degree of authentication).
- Disadvantages - Requires the server and client to support PKI features, such as certificate validation and certificate management. Not all clients and solutions support PKI. TCP and TLS pose significant memory consumption and scaling issues when you have tens of thousands of TCP connections. Runs on top of TCP only (connection-oriented); there is a variant of TLS for use over UDP called DTLS (RFC 4347). Provides only hop-by-hop security: every intermediate hop would need to be secured with TLS, so it does not provide true end-to-end security. TLS cannot be used to secure VoIP RTP media streams; SRTP is used instead.
- SRTP/ZRTP - The Secure Real-time Transport Protocol (SRTP, RFC 3711) defines a profile of RTP (Real-time Transport Protocol) intended to provide encryption, message authentication and integrity, and replay protection to the RTP data in both unicast and multicast applications. A new way of securing RTP has emerged lately in the form of ZRTP. ZRTP (composed of Z and Real-time Transport Protocol) is a cryptographic key-agreement protocol that negotiates the encryption keys between two end points in a Voice over Internet Protocol (VoIP) telephony call based on the Real-time Transport Protocol. It uses Diffie–Hellman key exchange and the Secure Real-time Transport Protocol (SRTP) for encryption.
Hands-on TLS on an openUC system: Deploying TLS for devices that can be provisioned by openUC (like Polycom phones) is as easy as setting the transport to TLS.
To enable TLS on clients that are not provisioned by openUC (such as Zoiper), if you are using a self-signed certificate and the client does not offer the option to import it automatically, you will first need to copy the Certificate Authority from System --> Certificates and paste it into a text file named cert.pem.
After importing the Certificate Authority you will need to set the transport to TLS.
Once the transport is changed to TLS, you can verify it by looking for the "transport=tls" option on the registration page.
Enabling SRTP can be done with the same ease in both cases:
For provisioned phones, go to the phone settings page --> Security tab and enable SRTP.
For Zoiper you need to manually select SRTP as shown on the screen below (TLS with SDES SRTP).
The next step in verifying secure communications is to take a packet capture, by port mirroring at the switch level for hard phones, or by launching a Wireshark capture when using softphones. The first picture below shows that TLS is enabled; in the second picture, since Wireshark did not know how to interpret the SRTP packets, it just shows them as ENIP.
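As an added check (not code from the original post or from eZuce), the following Python parses a SIP INVITE and reports whether the signaling went over TLS (the transport=tls marker mentioned above) and whether the SDP offers SDES-SRTP, which is what the Zoiper "TLS with SDES SRTP" setting negotiates; the sample messages, addresses and extension numbers are constructed.

```python
# Constructed sample INVITEs (not captured from a real openUC deployment):
# one carried over TLS with SDES-SRTP media, one over UDP with plain RTP.
SECURE_INVITE = (
    "INVITE sip:201@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.0.0.5:5061;branch=z9hG4bKabc\r\n"
    "Contact: <sip:200@10.0.0.5:5061;transport=tls>\r\n\r\n"
    "v=0\r\nc=IN IP4 10.0.0.5\r\nt=0 0\r\n"
    "m=audio 20000 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTEDKEYMATERIAL\r\n"
)
PLAIN_INVITE = (
    "INVITE sip:201@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bKdef\r\n"
    "Contact: <sip:200@10.0.0.5:5060>\r\n\r\n"
    "v=0\r\nc=IN IP4 10.0.0.5\r\nt=0 0\r\n"
    "m=audio 20000 RTP/AVP 0 8\r\n"
)

def split_sip(msg):
    """Return (lowercased header dict, SDP body); first header of a name wins."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers, body

def signaling_is_tls(headers):
    """True if the top Via hop is TLS and Contact advertises transport=tls."""
    via_tls = headers.get("via", "").upper().startswith("SIP/2.0/TLS")
    contact_tls = "transport=tls" in headers.get("contact", "").lower()
    return via_tls and contact_tls

def media_is_srtp(sdp):
    """True if every m= line uses an SRTP profile and carries an a=crypto key."""
    sections = []                                # [profile, has_crypto] per m= line
    for line in sdp.split("\r\n"):
        if line.startswith("m="):
            sections.append([line.split()[2], False])
        elif line.startswith("a=crypto:") and sections:
            sections[-1][1] = True
    return bool(sections) and all(
        p in ("RTP/SAVP", "RTP/SAVPF") and c for p, c in sections)

def audit(msg):
    """Report whether signaling and media are protected; flag SDES key exposure."""
    headers, body = split_sip(msg)
    tls, srtp = signaling_is_tls(headers), media_is_srtp(body)
    # SDES puts the SRTP master key inside the SDP, so SRTP negotiated over
    # unencrypted signaling hands the key to anyone who can read the INVITE.
    return {"tls": tls, "srtp": srtp, "keys_exposed": srtp and not tls}
```

Running this over INVITEs pulled from the capture described above complements the Wireshark view, which only shows the SRTP payload as ENIP and cannot tell you whether the keys travelled over TLS.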