Using a VOIP phone remotely



  • My phone vendor told me recently that VOIP traffic should always travel over a VPN when you are working remotely because SIP is not encrypted. Is this correct?

    My friend showed me his old setup, he had taken an Office phone home plugged it into his home network (received DHCP address) and was connected to his office PBX without any issues. 2 questions:

    1 - what are the chances the phone had a built in VPN?
    2 - if no VPN - was this a wise setup?



  • It is correct that SIP is not encrypted. That SIP needs to be encrypted is a different question. Is voice traffic really something that you need to encrypt? My its nature, voice isn't something generally worth intercepting.

    Also, SIP doesn't carry VoIP traffic, so anyone telling you SIP's encryption doesn't know where to start since SIP is a management protocol. If you encrypt SIP, it does absolutely nothing about encrypting your phone calls. VoIP traffic travels over RTP. RTP is not normally encrypted but can be using SRTP. But almost no one does this because it just doesn't matter.

    You can use SRTP or use a VPN to encrypt RTP. But you really have to ask yourself how important it is to encrypt two independent UDP streams. Who will intercept them and what will they do with them? If you really have security concerns around your voice traffic, yes securing the channel would be advised. But in the real world, the need for secure voice transmissions is very low. Intercepting voice is so much harder than intercepting email, for example, and carries much less useful data and email is not encrypted either.



  • @Dashrender said:

    1 - what are the chances the phone had a built in VPN?

    If you get good phones like Snom or Yealink, quite high. They normally have OpenVPN built in.



  • @Dashrender said:

    My friend showed me his old setup, he had taken an Office phone home plugged it into his home network (received DHCP address) and was connected to his office PBX without any issues. 2 questions:
    .....
    2 - if no VPN - was this a wise setup?

    Unless he's transferring military secrets, it's fine. Most companies run this way. Traditional voice (PSTN) isn't encrypted either and that traffic is way easier to intercept.



  • @Dashrender said:

    My phone vendor told me recently that VOIP traffic should always travel over a VPN when you are working remotely because SIP is not encrypted. Is this correct?

    My friend showed me his old setup, he had taken an Office phone home plugged it into his home network (received DHCP address) and was connected to his office PBX without any issues. 2 questions:

    1 - what are the chances the phone had a built in VPN?
    2 - if no VPN - was this a wise setup?

    As @scottalanmiller says, it is not required.

    I run our PBX from a datacenter where we have space and the 4 people in our company all work from home and have an IP Phone. I do use good firewall rules to only allow specific networks to connect to our PBX. I do not bother with a VPN. I do want to setup a SBC but have not gone that far yet. For now I rely on a public STUN server.



  • @JaredBusch said:

    I run our PBX from a datacenter where we have space and the 4 people in our company all work from home and have an IP Phone. I do use good firewall rules to only allow specific networks to connect to our PBX. I do not bother with a VPN. I do want to setup a SBC but have not gone that far yet. For now I rely on a public STUN server.

    Here too. We aren't doing anything illegal over the phone or otherwise, only the ISP could intercept our calls without someone actually breaking into either the house or the datacenter to tap the lines. And if someone is going to go that far, tapping the VoIP line is the last way that they would get our data.



  • Are there any security risks to publishing the SIP/RTP ports directly on the internet? it sounds like you are saying no.

    While JaredBusch is limiting what external networks are allowed to connect to his PBX, if you're a mobile user who can find themselves anywhere using a softphone for example - you can't really lock down the PBX like this, so you'd either be limited to using a VPN or publishing directly to the internet.

    I'd say I should worry about this for HIPAA reasons, but we don't encrypt our current phone calls over PSTN, so I guess you're right, why worry about it over the internet? Though I'd argue that it's easier to capture the traffic over the internet than over PSTN.



  • @Dashrender said:

    Are there any security risks to publishing the SIP/RTP ports directly on the internet? it sounds like you are saying no.

    Not saying that at all. In fact I said the complete opposite. Unless you like large unexplained phone bills, do not expose a PBX to the public internet with protection.

    While JaredBusch is limiting what external networks are allowed to connect to his PBX, if you're a mobile user who can find themselves anywhere using a softphone for example - you can't really lock down the PBX like this, so you'd either be limited to using a VPN or publishing directly to the internet.

    This is one of the reason to use a session border controller (SBC)

    I'd say I should worry about this for HIPAA reasons, but we don't encrypt our current phone calls over PSTN, so I guess you're right, why worry about it over the internet? Though I'd argue that it's easier to capture the traffic over the internet than over PSTN.

    Not really, it is very very low tech to find the junction box and clip on an analog voice recorder to a POTS circuit.



  • In regard to exposing the PBX to the public internet...
    Strong SIP secrets and the firewall rules mentioned here can be a decent deterrent. Throw fail2ban in there too if your PBX can utilize it. Some SIP providers will allow you to limit the maximum charge for international or LD calling for situations such as Jared mentions (unexplained phone charges). And monitor the logs like crazy.

    And as Scott said, many phones have OpenVPN built in, but the better question is...do you have a VPN endpoint on your side that can accept the connection? What I find may be the better recommendation is try to get people who work from home to use a soft phone in conjunction with the corporate VPN solution (perhaps Pertino or something else) on their PC so that they are not going directly over the internet. Mobile phones can utilize VPN client software as well for soft phone access on those devices as you mention above.

    Related to this, I thought I saw a post the other day in Spiceworks about someone who worked for a company that would send every person who worked from home a Meraki router that would be connected via VPN back to corporate. That didn't sound fun to have to manage.



  • NTG actually used to do the "send a router home with everyone" thing. It was fine. Meraki makes that even easier. Central management.



  • @NetworkNerd said:

    In regard to exposing the PBX to the public internet...
    Strong SIP secrets and the firewall rules mentioned here can be a decent deterrent. Throw fail2ban in there too if your PBX can utilize it. Some SIP providers will allow you to limit the maximum charge for international or LD calling for situations such as Jared mentions (unexplained phone charges). And monitor the logs like crazy.

    Or have a provider who will block that out the gate. I know a few who block all international calling from their trunks by default because of the major problem of relaying.

    Not to say that this is a new problem. I used to war dial PBXes all the time trying to find some way to relay a call. No better sound after calling a number than dial tone willing to accept DMTF. 🙂



  • We use an international blocking trunk provider. It's great peace of mind.