SIP-based VoIP products use two primary protocols. SIP provides the signalling: call initiation, status, setup and teardown are handled via SIP, and the Session Description Protocol (SDP) body carried inside SIP messages designates the IP addresses and ports for the Real-time Transport Protocol (RTP) sessions that carry the audio. Because the signalling names the media endpoints, anyone who can read or alter the SIP exchange can learn where the audio flows, or redirect it. In office deployments, SIP and RTP traffic usually flow between a phone and the PBX. However, the protocols are flexible and allow other topologies. For example, RTP sessions can be established peer-to-peer, and some service providers improve call quality by handling only the SIP traffic and facilitating a direct RTP session between the customer and the telco.
One way to protect VoIP traffic is to secure the protocols themselves. SIPS (SIP Secure) carries SIP over TLS (Transport Layer Security), protecting the signalling from eavesdropping and tampering. SRTP adds encryption and authentication to RTP, but it still needs a way to agree on keys: with SDES the key is placed in the SDP, so it is only as secret as the signalling channel that carried it; DTLS-SRTP and Phil Zimmermann's ZRTP instead agree keys on the media path itself, and ZRTP adds a short authentication string the two parties can read to each other to detect a man in the middle. Many VoIP products support one or more of these standards, but none has become mainstream. VoIP service providers that support these protocols are few and far between.
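To make the relationship between signalling and media security concrete, here is a small inspector, added for this column and not taken from any vendor's code, that pulls the RTP endpoint out of the SDP in a SIP message, reads the transport from the top Via header, and classifies the media as plain RTP, SDES-keyed SRTP, DTLS-SRTP or ZRTP. It goes slightly beyond the text by recognising DTLS-SRTP as well. The two messages, addresses, ports and the a=crypto key are constructed samples, not captured traffic.

```python
"""Inspect the RTP endpoint and media-security mode negotiated in a SIP message.

Added example for this column, not vendor or project code. The SIP messages
below are constructed samples, not captured traffic.
"""


def sip_message(start_line, headers, sdp):
    """Assemble a SIP message with a correct Content-Length (constructed input)."""
    body = "".join(line + "\r\n" for line in sdp)
    head = [start_line] + headers + [
        "Content-Type: application/sdp",
        f"Content-Length: {len(body)}",
    ]
    return "\r\n".join(head) + "\r\n\r\n" + body


# Offer over plain UDP signalling, asking for unencrypted RTP on 192.0.2.10:16384.
INVITE_PLAIN = sip_message(
    "INVITE sip:201@pbx.example.com SIP/2.0",
    [
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
        "From: <sip:200@pbx.example.com>;tag=1928301774",
        "To: <sip:201@pbx.example.com>",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "CSeq: 1 INVITE",
    ],
    ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
     "m=audio 16384 RTP/AVP 0 101", "a=rtpmap:0 PCMU/8000"],
)

# Answer over TLS signalling (SIPS), offering SRTP keyed by an SDES a=crypto line.
OK_SRTP_SDES = sip_message(
    "SIP/2.0 200 OK",
    [
        "Via: SIP/2.0/TLS 198.51.100.5:5061;branch=z9hG4bK887fgh",
        "From: <sip:200@pbx.example.com>;tag=1928301774",
        "To: <sip:201@pbx.example.com>;tag=a6c85cf",
        "Call-ID: 7f3e9c0d@198.51.100.5",
        "CSeq: 1 INVITE",
    ],
    ["v=0", "o=- 2 2 IN IP4 198.51.100.5", "s=-", "c=IN IP4 198.51.100.5", "t=0 0",
     "m=audio 20000 RTP/SAVP 0",
     "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz",
     "a=rtpmap:0 PCMU/8000"],
)


def parse_sip(raw):
    """Split a SIP message into (start line, headers, body); header names lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start_line, headers, body


def signalling_transport(headers):
    """Transport named by the top Via header: UDP, TCP or TLS."""
    return headers["via"][0].split()[0].rsplit("/", 1)[1].upper()


def media_endpoint(sdp):
    """RTP (address, port, profile, attributes) of the first audio stream in an SDP."""
    address = port = profile = None
    attrs = []
    for line in sdp.splitlines():
        if line.startswith("c="):             # c=IN IP4 <address>
            address = line.split()[2]
        elif line.startswith("m=audio "):     # m=audio <port> <profile> <payload types>
            _, port, profile, *_ = line.split()
            port = int(port)
        elif line.startswith("a="):
            attrs.append(line[2:])
    return address, port, profile or "", attrs


def media_security(profile, attrs):
    """Classify how the media stream is (or is not) protected."""
    if any(a.startswith("zrtp-hash:") for a in attrs):
        return "zrtp"                         # keys agreed in the media path
    if profile == "UDP/TLS/RTP/SAVP" or any(a.startswith("fingerprint:") for a in attrs):
        return "dtls-srtp"                    # keys from a DTLS handshake on the media port
    if profile.endswith("SAVP"):
        return "srtp-sdes" if any(a.startswith("crypto:") for a in attrs) else "srtp-unkeyed"
    return "plain"                            # RTP/AVP: audio in the clear


def assess(raw):
    """Where the audio will flow, what protects it, and the findings a reviewer would note."""
    _, headers, sdp = parse_sip(raw)
    transport = signalling_transport(headers)
    address, port, profile, attrs = media_endpoint(sdp)
    mode = media_security(profile, attrs)
    findings = []
    if mode == "plain":
        findings.append("audio is sent as unencrypted RTP")
    if mode == "srtp-sdes" and transport != "TLS":
        # SDES puts the SRTP master key in the SDP, so it is only as private
        # as the signalling channel that carried it.
        findings.append("SRTP key is exposed in cleartext signalling")
    if transport != "TLS":
        findings.append("signalling is not protected by TLS")
    return {"transport": transport, "rtp": (address, port), "media": mode, "findings": findings}


if __name__ == "__main__":
    for message in (INVITE_PLAIN, OK_SRTP_SDES):
        print(assess(message))
```

Run as a script it prints one summary per message; the interesting case is the SDES answer re-sent over UDP, which the checker flags because the master key travelled in the clear even though the media itself is SRTP.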
Within the enterprise, especially between branch offices, an increasingly popular approach is a virtual private network (VPN). A common misconception is that VoIP over VPN always leads to performance degradation. This may be true if bandwidth is not appropriately managed or if congestion occurs within the VPN itself. Traffic shaping and prioritization can be harder because the QoS (DSCP) marks on the individual packets inside the tunnel are not visible to intermediate routers, unless the VPN copies the inner mark to the outer header (OpenVPN's passtos option does this, and IPsec implementations commonly copy DSCP as well; note that the copied mark also tells an observer which tunnel packets carry voice). It is also possible to prioritize an entire VPN tunnel dedicated to VoIP traffic. In some cases this simplifies the traffic shaping configuration.
From a bandwidth perspective, VPN overhead is often quoted at five to ten per cent, but that figure assumes large packets. Voice packets are small. In telephony, a standard voice channel (G.711) consumes 64 kbps; sent at the usual 20 ms framing, each packet carries 160 bytes of audio, and RTP, UDP and IP headers bring it to 200 bytes, so a typical VoIP conversation requires approximately 80 kbps in each direction. Tunnel encapsulation adds a fixed 50 to 90 bytes to every one of those packets, depending on cipher and authentication settings, so the tunnel inflates a call by roughly 25 to 45 per cent, to somewhere between 100 and 115 kbps per direction. That is still a small fraction of any modern Internet connection.
In poor network conditions a VPN can make matters worse, depending on how the tunnel is transported. RTP runs over UDP and tolerates loss: many implementations include Packet Loss Concealment (PLC), in which a missing voice packet is replaced with silence, the previous packet is replayed, or a speech model interpolates or extrapolates across the gap. A late voice packet is as useless as a lost one, so retransmission does not help. A VPN carried over TCP (OpenVPN with proto tcp, or an SSL VPN tunnelled through TCP) detects and retransmits missing packets, and every retransmission holds back the packets queued behind it, turning a brief glitch into a stall that makes a bad VoIP connection worse. A VPN carried over UDP, including OpenVPN's default transport and IPsec, drops lost packets just as the bare network would, so in normal network conditions it does not present a problem. Keep voice tunnels on UDP.
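The bandwidth arithmetic above, carried through as a small calculator added for this column (not code from the original or from any vendor). The per-packet OpenVPN encapsulation costs are approximations I have assumed for two common cipher configurations; the codec and header sizes are standard. It also goes beyond the page by showing a low-bitrate codec and a longer packetization interval, which is where the fixed per-packet overhead really bites.

```python
"""Per-direction bandwidth of a voice call with and without VPN encapsulation.

Added example for this column, not from the original. The OpenVPN per-packet
overheads are approximations assumed by this example.
"""

IPV4_UDP_RTP = 20 + 8 + 12    # header bytes on every voice packet
ETHERNET = 14 + 4 + 8 + 12    # frame header, FCS, preamble and inter-frame gap

# Assumed OpenVPN-over-UDP encapsulation cost per packet: outer IPv4 + UDP (28)
# plus the data-channel framing, which depends on the cipher in use:
#   AES-256-GCM:          opcode/peer-id (4) + packet-id (4) + auth tag (16)
#   AES-256-CBC + SHA256: opcode (1) + HMAC (32) + IV (16) + packet-id (4)
#                         + CBC padding (1 to 16 bytes, about 8 on average)
OPENVPN_GCM = 28 + 4 + 4 + 16
OPENVPN_CBC = 28 + 1 + 32 + 16 + 4 + 8


def payload_bytes(codec_kbps, ptime_ms):
    """Codec bytes carried in one RTP packet (64 kbps at 20 ms -> 160 bytes)."""
    return codec_kbps * 1000 * ptime_ms // 8000


def call_kbps(codec_kbps=64, ptime_ms=20, tunnel_overhead=0, ethernet=False):
    """Bandwidth in one direction, at the IP layer unless ethernet=True."""
    packet = payload_bytes(codec_kbps, ptime_ms) + IPV4_UDP_RTP + tunnel_overhead
    if ethernet:
        packet += ETHERNET
    packets_per_second = 1000 / ptime_ms
    return packet * 8 * packets_per_second / 1000


def overhead_percent(codec_kbps=64, ptime_ms=20, tunnel_overhead=OPENVPN_GCM):
    """How much the tunnel inflates the IP-layer bandwidth of one call."""
    bare = call_kbps(codec_kbps, ptime_ms)
    tunnelled = call_kbps(codec_kbps, ptime_ms, tunnel_overhead)
    return round((tunnelled / bare - 1) * 100, 1)


if __name__ == "__main__":
    for name, kbps in (("G.711", 64), ("G.729", 8)):
        for ptime in (20, 40):
            print(f"{name} at {ptime} ms: {call_kbps(kbps, ptime):.1f} kbps bare, "
                  f"{call_kbps(kbps, ptime, OPENVPN_GCM):.1f} kbps in OpenVPN (GCM), "
                  f"{call_kbps(kbps, ptime, OPENVPN_CBC):.1f} kbps (CBC), "
                  f"+{overhead_percent(kbps, ptime):.0f}% for GCM")
```

Doubling the packetization interval halves the number of headers per second and brings the overhead down, at the cost of 20 ms more latency and a bigger hole when a packet is lost; the 8 kbps codec shows the other extreme, where encapsulation nearly doubles the stream.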
In practice, VoIP VPN across the Internet works well. I started testing various configurations more than a year ago. I installed FreePBX, an open-source Asterisk-based PBX, and configured the underlying Linux operating system to also act as an OpenVPN server. Three EdgeRouter Lite routers were configured as OpenVPN clients at various locations. At one office, a firewall was configured to reserve bandwidth and prioritize OpenVPN traffic.
The result was crystal clear, reliable, and secure calls. I planned to write about how a high-security, AES-256 encrypted private telephone network could be built using an off-the-shelf $100 router and $150 telephone at each endpoint. Then I discovered a Canadian company called Sangoma.
Markham, Ontario-headquartered Sangoma Technologies Corporation has been in business since 1984. Their products include a strong line of VoIP Session Border Controllers (SBCs), giving the company experience with SIP security issues.
In January 2015, Sangoma acquired all the key assets of Schmooze Com Inc., including FreePBX, adding IP-PBXs based on FreePBX, SIP trunking, and fax-over-IP services to their portfolio. In January 2016, Sangoma launched a family of three telephones designed to work with FreePBX.
Sangoma obviously considered ease of installation, including a “zero touch” provisioning feature that allows a brand new phone connected anywhere, Internet or LAN, to find its provisioning server. The phone can also leverage traditional DHCP options. FreePBX’s endpoint manager allows creation of provisioning files from the web user interface. Sangoma phones also include OpenVPN client functionality.
Scott Beer, Director of Support and Professional Services, was kind enough to lend me a Sangoma s700 VoIP phone and help configure FreePBX for OpenVPN and Sangoma provisioning. Once the PBX was properly configured, the phone worked exactly as advertised. During provisioning the phone obtains certificates, the OpenVPN configuration file, SIP account credentials, and phone-specific configuration information from FreePBX. The phone then establishes an OpenVPN connection to the PBX. The user simply sees “VPN activated” and a lock symbol on the phone screen.
In a corporate deployment, Sangoma's built-in VPN capability adds a useful layer of security. For teleworker and small branch office applications, Sangoma phones really shine. Employees can simply plug them in and the phone will automatically establish a secure connection to the corporate PBX. The VPN also simplifies some aspects of the configuration because NAT traversal is not required; phones and the PBX communicate directly using OpenVPN-assigned private IP addresses. Two points deserve attention in a rollout. Provisioning happens before the VPN exists, and it is the step that hands the phone the certificates and SIP credentials everything else rests on, so the provisioning server must be one the phone can authenticate (HTTPS with a certificate the phone actually checks), and a phone should not be left to follow a DHCP option 66 pointer handed out on an untrusted network. And because the tunnel authenticates each phone with its own certificate, a lost or retired phone's certificate should be revoked on the PBX.
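The OpenVPN profile a phone receives at provisioning is where the earlier points about UDP transport, QoS marks and AES-256 meet. Below is an example I have added for this column (it is not FreePBX's endpoint-manager code or Sangoma firmware) that builds a per-phone unified profile with those settings and audits an arbitrary profile for the directives a reviewer would reject. The PEM blocks are placeholders, the PBX name and port are assumptions, and the weak profile is constructed to show what the audit catches.

```python
"""Build and audit a per-phone OpenVPN client profile for a VoIP deployment.

Added example for this column; not FreePBX endpoint-manager code or Sangoma
firmware. PEM blocks are placeholders; the PBX name and port are assumptions.
"""
import re

PLACEHOLDER_CA = "-----BEGIN CERTIFICATE-----\n<CA certificate issued by the PBX>\n-----END CERTIFICATE-----"
PLACEHOLDER_CERT = "-----BEGIN CERTIFICATE-----\n<this phone's certificate>\n-----END CERTIFICATE-----"
PLACEHOLDER_KEY = "-----BEGIN PRIVATE KEY-----\n<this phone's private key>\n-----END PRIVATE KEY-----"
PLACEHOLDER_TLS_CRYPT = "-----BEGIN OpenVPN Static key V1-----\n<shared tls-crypt key>\n-----END OpenVPN Static key V1-----"

# Constructed profile of the permissive kind sometimes handed to phones.
WEAK_PROFILE = """client
dev tun
remote pbx.example.com 1194
proto tcp
cipher BF-CBC
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
<placeholder>
-----END CERTIFICATE-----
</ca>
"""

# BF-CBC was OpenVPN's default when no cipher was configured; the rest are legacy ciphers.
WEAK_CIPHERS = {"none", "BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}


def build_profile(server="pbx.example.com", port=1194, ca=PLACEHOLDER_CA,
                  cert=PLACEHOLDER_CERT, key=PLACEHOLDER_KEY, tls_crypt=PLACEHOLDER_TLS_CRYPT):
    """Unified .ovpn profile with settings suited to a phone carrying voice."""
    directives = [
        "client",
        "dev tun",
        f"remote {server} {port}",
        "proto udp",                        # UDP: a lost voice packet is dropped, never retransmitted
        "nobind",
        "persist-key",
        "persist-tun",
        "remote-cert-tls server",           # only accept a peer whose certificate is marked for server use
        f"verify-x509-name {server} name",  # and whose CN is exactly the PBX name
        "tls-version-min 1.2",
        "cipher AES-256-GCM",               # AEAD data channel
        "auth SHA256",                      # control-channel HMAC
        "passtos",                          # copy the inner DSCP/ToS mark onto tunnel packets for QoS
    ]
    for tag, pem in (("ca", ca), ("cert", cert), ("key", key), ("tls-crypt", tls_crypt)):
        directives += [f"<{tag}>", pem, f"</{tag}>"]
    return "\n".join(directives) + "\n"


def parse_profile(text):
    """Map each directive to its argument lists; an inline <tag> block counts as present."""
    directives, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                                   # inside <ca> ... </ca> and the like
            if line == f"</{block}>":
                block = None
            continue
        opened = re.fullmatch(r"<([a-z-]+)>", line)
        if opened:
            block = opened.group(1)
            directives.setdefault(block, []).append([])
            continue
        if line and not line.startswith(("#", ";")):
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives


def audit_profile(text):
    """Findings a reviewer would raise against a phone's VPN profile."""
    d = parse_profile(text)

    def first(name, default):
        return d[name][0] if name in d else default

    findings = []
    if first("proto", ["udp"])[0].lower().startswith("tcp"):
        findings.append("proto tcp: lost voice packets are retransmitted, stalling the stream")
    if "remote-cert-tls" not in d and "ns-cert-type" not in d:
        findings.append("no remote-cert-tls server: any client-certificate holder can impersonate the PBX")
    if "verify-x509-name" not in d:
        findings.append("no verify-x509-name: the server certificate's name is never checked")
    cipher = first("cipher", ["BF-CBC"])[0]
    if cipher in WEAK_CIPHERS:
        findings.append(f"cipher {cipher}: weak or absent data-channel encryption")
    if first("auth", ["SHA1"])[0].lower() == "none":
        findings.append("auth none: tunnel packets are not authenticated")
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth/tls-crypt: the TLS handshake is open to unauthenticated probing")
    if "comp-lzo" in d or "compress" in d:
        findings.append("compression enabled: compressing before encryption leaks plaintext structure")
    if "passtos" not in d:
        findings.append("no passtos: routers cannot see the voice DSCP mark on tunnel packets")
    return findings


if __name__ == "__main__":
    print("weak profile:", *audit_profile(WEAK_PROFILE), sep="\n  ")
    print("hardened profile findings:", audit_profile(build_profile()))
```

The remote-cert-tls and verify-x509-name lines matter more than they look: without them, any phone certificate issued by the same CA is enough to stand up a fake PBX on a hostile network and collect the SIP credentials the phone sends through the tunnel.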
In addition to great security features, the Sangoma s700 is an attractive, functional phone. It will register with up to six different SIP accounts and has ten line keys. Each line key can be associated with a SIP account or used for another function such as speed dial. In the unlikely case that 10 line keys aren’t enough, the phone can be configured to allow scrolling through four pages of them. It also offers a built-in directory, call history, four soft keys, and a host of other dedicated function keys.
In time, other vendors will undoubtedly add VPN capability to their VoIP phones, but for now, Canada’s Sangoma Technologies Corporation offers a great secure VoIP solution.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org