Securing SIP Trunks

SIP Trunks are a simple, cost-effective way for enterprises to adopt VoIP. They are also a stepping stone to eventual adoption of Unified Communications (News - Alert). After all, once the network is set up to use SIP-based VoIP via a SIP trunk, the infrastructure is already in place to start using IM, realtime video and the wide array of SIP-based applications available now and in the future.

So what’s stopping many enterprises from embracing SIP trunks? By far, what we hear from customers as the top concern is interoperability — how can I be sure that my PBX (News - Alert) will interact properly with the SIP trunking service provider? This is followed closely by security — how can communications routed over the public Internet or a managed connection really be secure?

The fact is, with the right measures in place and with the proper planning, SIP trunk deployments can work flawlessly and be more secure than the PSTN. Here’s how:

Address interoperability at the start — Making sure the IP-PBX and ITSP are interoperable will not only smooth the way for an easy deployment, but also solve many security headaches. Opportunities for hackers, spoofers, etc. are easy to come by when there are inconsistencies between these two key components. Leading IP-PBXs and ITSPs are aggressively conducting interoperability testing; make sure your choice of equipment and service providers have demonstrated successful interoperability with one another.

Several leading PBX vendors recommend that a SIP-based edge device be installed for multiple reasons, one of which is to smooth out interoperability issues. The edge device can perform “normalization” functions both for your current environment as well as any future changes you may make, essentially future-proofing your SIP trunk deployments to ensure interoperability down the road.

Further simplifying vendor interoperability, the SIP Forum (News - Alert) has developed the SIPconnect Technical Recommendation, a standards-based guideline for SIP trunking between IP PBXs and VoIP service provider networks. As more service providers, PBX vendors and edge device manufacturers adopt this standard, issues with SIP Trunk implementations will be significantly reduced.

Employ security measures — Like any other server in the enterprise network, the IP-PBX should be protected from unauthorized access. Many firewalls today do not adequately protect against attacks on SIP infrastructure so the edge device chosen should enforce rules and policies designed to protect this vital asset. For further protection, SIP based communications can be encrypted to keep the sessions private with no chance of eavesdropping.

Authentication with the service provider — Some IP-PBX equipment can support this natively, while others cannot. A full SIP proxy firewall or other edge device may offer this capability as well, allowing enterprises with non-authenticating IP-PBXs to leverage the benefits of SIP trunking securely.

Steven Johnson (News - Alert) is President of Ingate® Systems (www.ingate.com)

» Internet Telephony Magazine Table of Contents