System interfaces
39
System functions and features as of R4.1
syd-0570/1.2 – R4.1 – 08.2016
Situation without encryption (SIP/RTP)
If the signalling data and voice data are considered separately, the situation is as fol-
lows if encryption is not used:
Tab. 3 Situation without encryption
Solutions
• Encryption of the SIP and RTP data at IP level using IPSec (Internet Protocol Secu-
rity) and VPN (Virtual Private Network). The signalling data and the voice data are
protected if all the SIP components involved are within the VPN.
• Encryption of the SIP signalling data at the transport level using TLS (Transport
Layer Security) and of the voice data at application level using SRTP (Secure Real-
Time Transport Protocol).
For WAN links via the internet it makes sense to combine both methods.
Securiing the signalling data with TLS:
TLS works by exchanging certificates and requires the TCP transport protocol. The
communication server generates a trusted certificate and automatically uploads it to
the Mitel SIP phones, which then restart. A call connection between communication
server and terminal is established only if the two certificates match.
For standard SIP terminals the trusted certificate must be exported as a file and manu-
ally uploaded to the terminal. Certificates remain valid for long periods; however for se-
curity reasons they should be replaced at regular intervals. New certificates must also
be generated manually whenever the IP address of the communication system
changes. The settings can be found in the Certificate ( =u9) view.
Securing voice data with SRTP:
The SRTP protocol is used to secure the voice data. Please note the following points:
• VoIP encryption must be activated ( =3n).
• VoIP mode ( =ym) must be set to Secure G.711 or Secure G.711/G.729.
•The NTP service ( =ty) must be activated.
•A Secure VoIP licence is required.
Note:
Securing signal data with TLS, and voice data with SRTP, is also important for the connection
between the communication server and an SIP provider, as well as between the SIP nodes of a
private SIP network.
Security objective Signalling data Voice data
Data Protection Not guaranteed. Not guaranteed
Authentication Partially guaranteed through password protection Not guaranteed
Integrity Not guaranteed Not guaranteed
To Next Page
Loading...
