SIP over the internet
-
I had a discussion with Danielle and Joe yesterday about unencrypted SIP trunks over the internet.
Anyone who's been reading ML for any length of time knows that @scottalanmiller is fully for using SIP trunks directly over the internet without bringing in anything special like vendor supplied session boarder gateways, etc. This isn't to imply that extra stuff is needed to provide encryption, it's simply a side note.
I'm just curious what the rest of the community thinks of using unencrypted SIP trunks over the internet?
Also, some endpoints will connect to the PBX via the internet.
-
I personally wouldn't do it without encryption.
-
@thecreativeone91 said:
I personally wouldn't do it without encryption.
You can do SIP with encryption without any extra equipment. Most PBXs, like FreePBX and Elastix and even 3CX have encryption options built in.
-
@scottalanmiller I haven't seen any PBX without the option for encryption. though some commercial options charge extra for it in addition to the normal SIP license.
-
OK so the option is out there...
Besides @thecreativeone91 does anyone else use it?
What about encrypting when sending SIP to the endpoints (phones)?
-
@Dashrender said:
What about encrypting when sending SIP to the endpoints (phones)?
You can do that too. CJIS actually required this for police departments even on the LAN.
-
@scottalanmiller said:
@thecreativeone91 said:
I personally wouldn't do it without encryption.
You can do SIP with encryption without any extra equipment. Most PBXs, like FreePBX and Elastix and even 3CX have encryption options built in.
My mentioning of your not liking extra supplied stuff is a side note, not meaning that you need that stuff to provide encryption.
-
@Dashrender said:
OK so the option is out there...
Besides @thecreativeone91 does anyone else use it?
What about encrypting when sending SIP to the endpoints (phones)?
If you're going to encrypt and it's a fully hosted PBX, you'd want encryption everywhere. If it's an on-premise, no need to encrypt internal traffic, obviously.
-
@thanksajdotcom said:
@Dashrender said:
OK so the option is out there...
Besides @thecreativeone91 does anyone else use it?
What about encrypting when sending SIP to the endpoints (phones)?
If you're going to encrypt and it's a fully hosted PBX, you'd want encryption everywhere. If it's an on-premise, no need to encrypt internal traffic, obviously.
That may or may not be true, but for my purposes let's assume my endpoints will connect over the internet.
-
@thanksajdotcom said:
If it's an on-premise, no need to encrypt internal traffic, obviously.
That depends. If you take Credit card information over the phone or other sensitive information you'll likely still want encryption.
-
@Dashrender said:
OK so the option is out there...
Besides @thecreativeone91 does anyone else use it?
What about encrypting when sending SIP to the endpoints (phones)?
This adds a lot of complexity and really depends on the scenario. If you want to send to mobile endpoints it gets difficult - one of the reasons that I'm looking forward to Pertino on smart phones. If you have a static office, using IP locking covers most of the bases.
-
@Dashrender said:
That may or may not be true, but for my purposes let's assume my endpoints will connect over the internet.
Like anything, it depends on your scenario. What is it you are attempting to protect against?
-
Eavesdropping.
-
@Dashrender said:
Eavesdropping.
If that is an actual concern, then you need to encrypt. In general, that's not a very reasonable concern. If it is a requirement for healthcare or other that goes beyond traditional phones, then you'd need that.
Let me ask this.... how have you handled this in the past with traditional phones since those are dramatically easier to eaves drop onto?
-
And if you didn't do it in the past, why do you feel that you should now after introducing SIP which provides a small amount of additional protection against eaves dropping?
-
@scottalanmiller said:
@Dashrender said:
Eavesdropping.
If that is an actual concern, then you need to encrypt. In general, that's not a very reasonable concern. If it is a requirement for healthcare or other that goes beyond traditional phones, then you'd need that.
Let me ask this.... how have you handled this in the past with traditional phones since those are dramatically easier to eaves drop onto?
You've eluded to this before when it comes to faxes, how is it so much easier to eaves drop on traditional phone lines vs VOIP traffic?
How is VOIP at all more secure than PSTN? -
@Dashrender said:
@thanksajdotcom said:
@Dashrender said:
OK so the option is out there...
Besides @thecreativeone91 does anyone else use it?
What about encrypting when sending SIP to the endpoints (phones)?
If you're going to encrypt and it's a fully hosted PBX, you'd want encryption everywhere. If it's an on-premise, no need to encrypt internal traffic, obviously.
That may or may not be true, but for my purposes let's assume my endpoints will connect over the internet.
Which is what I figured. If you're encrypting one but not the other, what's the point of using encryption at all?
-
Traditional is only easier with physical access. VoIP depending on the ACLs/Firewall you have potential to gain access anywhere. Granted the NSA is already doing it for landlines and cell phones.
-
@Dashrender said:
You've eluded to this before when it comes to faxes, how is it so much easier to eaves drop on traditional phone lines vs VOIP traffic?
How is VOIP at all more secure than PSTN?PSTN is circuit switching rather than packet switching for one. That means that tapping a PSTN path is trivial while guaranteeing the tap on a VoIP path is impossible. The second is that PSTN is so easy that you can go to any wire and without actually tapping it join the conversation bi-directionally using very simple equipment. PSTN is standard and simple. Any hobbyist can tap PSTN with minimal effort. Kids can do it.
Tapping VoIP is certainly doable if you don't encrypt. But the effort might be 10x or 100x more. You can't just "go find a line" and you can't just slap together some electronics and stand by the line to do it. You need serious gear and a lot of know-how and luck that you are getting a line that has the packets on it.
One is truly trivial. One is quite hard.
-
@thecreativeone91 said:
Traditional is only easier with physical access. VoIP depending on the ACLs/Firewall you have potential to gain access anywhere. Granted the NSA is already doing it for landlines and cell phones.
That's true, but that's what makes it easier. They are about equal without access. With access PSTN is completely trivial. And getting physical access is super easy since PSTNs have rigid endpoints and are exposed on the poles and external to the building. VoIP has potentially mobile end points and potentially no access externally.
