Content
Voice over IP communication systems consist of many components, of which the phones are the ones easiest accessible and therefore a possible entry point for hackers. This paper is meant to give a guideline to our partners which parameters of a Snom phone should be auto-provisioned to ensure the maximum possible security, without compromising the simplicity of the deployment or the ease of use of the phones.
Step-by-step guide
Secure the phone web user interface and set strong and individual user credentials
Accessing the phone web user interface and entering data can mean a security risk, when the communication between web browser and web server is not encrypted. Therefore, the web server of the phone should always either put into https-only mode or turned off completely, if there is no necessity to access the phone via web browser.
| Parameter | Description | Recommended Values |
|---|---|---|
| webserver_type | Sets the type of connection the phone’s web server is willing to answer to. | https off |
| http_user http_pass | User credentials to login to the web user interface of the phone | 12 or 16 character mixed-case alphanumeric |
| use_hidden_tags | hidden security tags which protect the web user interface against remote attackers trying to change phone settings with faked HTTP POST requests (XSRF attack). | on |
| web_logout_timer | Specifies the time in minutes after which the web interface shall ask the user to login again. | Any integer value |
Configure a maintenance mode user
The service mode (or maintenance mode) is a special user account to access the phone as and switch it temporarily from user mode to admin mode. On logout, the phone will return into user mode. This account can be used for controlling the phone remotely and performing actions triggered by HTTP requests coming from 3rd party applications (e.g. Click-to-dial CTI).
| Parameter | Description | Recommended Values |
|---|---|---|
service_mode_login service_mode_pass | Additional maintenance account apart from the administrator login.
| 12 or 16 character mixed-case alphanumeric |
| admin_mode_upon_http_login | Determines whether the admin mode should be enabled, when the service_mode credentials are used for HTTP login to the web user interface (WUI). Logging out from the WUI will disable the admin mode again. | on: admin password will not be requested. |
Secure signalling and voice communication
VoIP calls are vulnerable to a variety of threats that traditional telephone calls are not. Eavesdropping or hijacking phones or SIP accounts are just two of the most common ones. Encryption is one of the essential security technologies for computer data. To have a secure voice over IP communication, both the signalling packets (SIP) and the audio stream (RTP) need to be encrypted.
Securing the SIP traffic
Transport Layer Security (TLS) can provide a secure communication channel between two communicating entities. The primary goal of the TLS Protocol is to provide privacy and data integrity between two communicating applications. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.
A device incorporating TLS can be configured to allow only secure SIP signaling to other devices. This mandates that the client first sets up a TLS/SSL connection to the server and then exchanges encrypted SIP messages with it on the secure connection. Since this secure communication is based on a shared secret known only by the server and the client, this mechanism makes it very difficult and again if not impossible for an eavesdropper to view, manipulate, or replay the messages exchanged.
The best available transport mechanism can be chosen automatically by creating DNS service records (DNS-SRV) with priorities for UDP, TCP and TLS.
| Parameter | Description | Recommended Values |
|---|---|---|
| user_outbound | Specifies the outbound proxy to ensure all SIP packets are sent via the specified communication point. | Add “;transport=tls” to the Registrar server name |
For further information on TLS authentication please visit: TLS Support
Media Encryption
Media communications can also be secured by incorporating some form of encryption method. VoIP phones may encrypt audio streams via SRTP (Secure Real-time Transport Protocol). SRTP is a security profile for RTP that adds confidentiality, message authentication, and replay protection to that protocol. SRTP is ideal for protecting Voice over IP traffic because it can be used in conjunction with header compression and has no effect on the Quality of Service. It creates a unique key stream for each RTP packet, therefore making it almost impossible for eavesdroppers to retrieve the original RTP stream from the encrypted SRTP stream. SRTP also provides replay protection which is undoubtedly important for multimedia data. Otherwise, it would be possible for an adversary to perform simple manipulations on data that subverted security. For example, in a voice application, the phrase "yes" could be substituted for "no" if replay protection is not present.
| Parameter | Description | Recommended Values |
|---|---|---|
| user_srtp | Enables/disables RTP encryption | on |
| user_savp | Specifies whether the use of the RTP/SAVP profile by the phone should be off (for backward compatibility), optional or mandatory. | mandatory or optional |
If both the signalling and the media are encrypted, a lock symbol will be shown in the call screen of the phone.
For further information please visit: SRTP - Secure Real-Time Transport Protocol
Example of a minimum configuration for a secured handset
<?xml version="1.0" encoding="utf-8"?>
<settings>
<phone-settings>
<!-- PHONE WEBSERVER PROTECTION -->
<webserver_type perm="R">https</webserver_type>
<http_user perm="R">username</http_user>
<http_pass perm="R">7X@y8Ob%4308<http_pass>
<use_hidden_tags perm="R">on<use_hidden_tags>
<web_logout_timer perm="R">5</web_logout_timer>
<!-- MAINTENANCE USER ACCOUNT -->
<service_mode_login perm="R">maintenance<service_mode_login>
<service_mode_pass perm="R">J#Iwc68521P4</service_mode_pass>
<admin_mode_upon_http_login perm="R">on</admin_mode_upon_http_login>
<!-- MEDIA & SIGNALLING ENCRYPTION -->
<user_outbound perm="R">my.hostedpbx.com;transport=tls</user_outbound>
<user_srtp perm="R">on</user_srtp>
<user_savp perm="R">mandatory<user_savp>
</phone-settings>
</settings>
Further Information
Related articles
Overview
Content Tools
Tasks
