Session Initiation Protocol (SIP) is a standards-based protocol for controlling voice and other types of calls. SIP can be used for internal handset communications, but its security issues are mostly similar to those for other handset protocols. SIP is also commonly used for enterprise SIP trunks, which are a means to connect enterprise voice networks to the Public Voice Network. The following diagram shows the threat when using SIP trunks, as opposed to TDM trunks, to connect to the Public Voice Network.
Many enterprises are transitioning to SIP trunks. Enterprises use SIP trunks both for one-to-one replacement for TDM trunks and also to consolidate the traffic from smaller branch or retail sites to a centralized trunk model. Centralized SIP trunk deployments offer a number of advantages, but increase the threat of certain types of attacks, because all or most of an enterprise’s public access is now consolidated through one or a few sites.
The majority of enterprise SIP trunk deployments are provisioned by large service providers who provide a private SIP connection. This is a separate, managed, private connection, where security and Quality of Service (QoS) can be assured, as opposed to the Internet, where neither security nor quality can be assured. While it is technically possible for SIP-specific packet attacks to be seen on these private SIP trunks, such attacks are very unlikely. Also, SIP trunks primarily use SIP and RTP (for audio), as opposed to the multitude of protocols used on an internal/campus VoIP network.
Service providers also deploy SIP security on their side of the network, using Session Border Controllers (SBCs). The SBC provides an additional layer of security that analyzes SIP and RTP before it is delivered to the enterprise. It is technically possible to see scans, fuzzed/malformed packets, and INVITE/REGISTER/OPTION packet floods on dedicated service-provider SIP trunks, but this is a low threat. Nevertheless, it is a good security practice to deploy SIP-specific packet security on an enterprise SIP trunk, preferably using a different technology than that used by the service provider, such as the Cisco Unified Border Element (CUBE), a software solution embedded in the operating system software on Cisco’s Integrated Services Routers (ISRs) and Aggregation Services Routers (ASRs).
If an enterprise uses SIP over the Internet, then the threats rise considerably. This may occur more often as enterprises seek to extend the rich communications experience they enjoy inside their networks with video, Instant Messaging (IM), presence, and other Unified Communications and Collaboration applications. I have seen several Internet SIP-based video systems exploited, but the motivation for these exploits was toll fraud, rather than the video application itself.
While SIP-specific attacks represent a low threat, voice application-level attacks/threats such as toll fraud, social engineering, unsecured and unauthorized modems, harassing calls, and TDoS are still present. None of these threats decrease with the transition to SIP trunks. Service providers and their SIP-specific security devices do nothing to block these call-level attacks.
As introduced above, a related change in enterprise voice networks is the move to centralized SIP trunking. I will cover security issues with these deployments in another post.