Voice over IP communication systems consist of many components, of which the phones are the most easily accessible and therefore a possible entry point for attackers. This paper is meant to give our partners a guideline on which parameters of a Snom phone should be auto-provisioned to ensure the maximum possible security, without compromising the simplicity of the deployment or the ease of use of the phones.



Step-by-step guide

Secure the phone web user interface and set strong and individual user credentials

Accessing the phone web user interface and entering data can be a security risk when the communication between web browser and web server is not encrypted. Therefore, the web server of the phone should always either be put into https-only mode or be turned off completely if there is no need to access the phone via a web browser.

Parameter: webserver_type
Description: Sets the type of connection the phone’s web server is willing to answer to. Note: Changes to this setting require a reboot.
Recommended values: https, or off

Parameter: http_user, http_pass
Description: User credentials to log in to the web user interface of the phone.
Recommended values: 12 or 16 character mixed-case alphanumeric with symbols

Parameter: use_hidden_tags
Description: Hidden security tags which protect the web user interface against remote attackers trying to change phone settings with faked HTTP POST requests (XSRF attack).
Recommended values: on

Parameter: web_logout_timer
Description: Specifies the time in minutes after which the web interface shall ask the user to log in again.
Recommended values: Any integer value

Configure a maintenance mode user

The service mode (or maintenance mode) is a special user account used to access the phone and switch it temporarily from user mode to admin mode. On logout, the phone returns to user mode. This account can be used for controlling the phone remotely and performing actions triggered by HTTP requests coming from 3rd party applications (e.g. click-to-dial CTI).

Parameter: service_mode_login, service_mode_pass
Description: Additional maintenance account apart from the administrator login. Note: This setting should be provisioned with read-only permission.
Recommended values: 12 or 16 character mixed-case alphanumeric with symbols

Parameter: admin_mode_upon_http_login
Description: Determines whether the admin mode should be enabled when the service_mode credentials are used for HTTP login to the web user interface (WUI). Logging out from the WUI will disable the admin mode again.
Recommended values: on (admin password will not be requested) or off (admin password will be requested)

Secure signalling and voice communication

VoIP calls are vulnerable to a variety of threats that traditional telephone calls are not. Eavesdropping or hijacking phones or SIP accounts are just two of the most common ones. Encryption is one of the essential security technologies for computer data. To have a secure voice over IP communication, both the signalling packets (SIP) and the audio stream (RTP) need to be encrypted.

Securing the SIP traffic

Transport Layer Security (TLS) can provide a secure communication channel between two communicating entities. The primary goal of the TLS Protocol is to provide privacy and data integrity between two communicating applications. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. 

A device incorporating TLS can be configured to allow only secure SIP signaling to other devices. This mandates that the client first sets up a TLS/SSL connection to the server and then exchanges encrypted SIP messages with it on the secure connection. Since this secure communication is based on a shared secret known only by the server and the client, this mechanism makes it very difficult, if not impossible, for an eavesdropper to view, manipulate, or replay the messages exchanged.

The best available transport mechanism can be chosen automatically by creating DNS service records (DNS-SRV) with priorities for UDP, TCP and TLS.

Parameter: user_outbound
Description: Specifies the outbound proxy to ensure all SIP packets are sent via the specified communication point.
Recommended values: Add “;transport=tls” to the Registrar server name, e.g. myhostedvoip.com;transport=tls

For further information on TLS authentication please visit: TLS Support


Media Encryption

Media communications can also be secured by incorporating some form of encryption method. VoIP phones may encrypt audio streams via SRTP (Secure Real-time Transport Protocol). SRTP is a security profile for RTP that adds confidentiality, message authentication, and replay protection to that protocol. SRTP is ideal for protecting Voice over IP traffic because it can be used in conjunction with header compression and has no effect on the Quality of Service. It creates a unique key stream for each RTP packet, therefore making it almost impossible for eavesdroppers to retrieve the original RTP stream from the encrypted SRTP stream. SRTP also provides replay protection, which is undoubtedly important for multimedia data. Otherwise, it would be possible for an adversary to perform simple manipulations on data that subvert security. For example, in a voice application, the phrase "yes" could be substituted for "no" if replay protection is not present.

Parameter: user_srtp
Description: Enables/disables RTP encryption.
Recommended values: on

Parameter: user_savp
Description: Specifies whether the use of the RTP/SAVP profile by the phone should be off (for backward compatibility), optional or mandatory.
Recommended values: mandatory or optional


If both the signalling and the media are encrypted, a lock symbol will be shown in the call screen of the phone.


For further information please visit: SRTP - Secure Real-Time Transport Protocol


Example of a minimum configuration for a secured handset

<?xml version="1.0" encoding="utf-8"?>
<settings>
  <phone-settings>
    <!-- PHONE WEBSERVER PROTECTION -->
    <webserver_type perm="R">https</webserver_type>
    <http_user perm="R">username</http_user>
    <http_pass perm="R">7X@y8Ob%4308</http_pass>
    <use_hidden_tags perm="R">on</use_hidden_tags>
    <web_logout_timer perm="R">5</web_logout_timer>
    <!-- MAINTENANCE USER ACCOUNT -->
    <service_mode_login perm="R">maintenance</service_mode_login>
    <service_mode_pass perm="R">J#Iwc68521P4</service_mode_pass>
    <admin_mode_upon_http_login perm="R">on</admin_mode_upon_http_login>

    <!-- MEDIA & SIGNALLING ENCRYPTION -->
    <user_outbound perm="R">my.hostedpbx.com;transport=tls</user_outbound>
    <user_srtp perm="R">on</user_srtp>
    <user_savp perm="R">mandatory</user_savp>
  </phone-settings>
</settings>
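To check a provisioning file against the recommendations of this guide before it is served to the phones, here is an added audit script (it is not part of the guide and not Snom tooling). The weak sample file embedded in it is constructed for the demonstration, and the password rule it applies (at least 12 characters with upper case, lower case, digits and symbols) is one reading of the "12 or 16 character mixed-case alphanumeric with symbols" recommendation.

```python
"""Audit a Snom provisioning XML file against this guide's hardening
recommendations (added example, not Snom's own tooling)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a deliberately weak provisioning file for the audit to flag.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<settings><phone-settings>
  <webserver_type perm="RW">http</webserver_type>
  <http_pass perm="R">admin</http_pass>
  <use_hidden_tags perm="R">off</use_hidden_tags>
  <service_mode_login perm="RW">maint</service_mode_login>
  <service_mode_pass perm="RW">maint</service_mode_pass>
  <user_outbound perm="R">my.hostedpbx.com</user_outbound>
  <user_srtp perm="R">off</user_srtp>
  <user_savp perm="R">off</user_savp>
</phone-settings></settings>"""

def strong_password(pw):
    """At least 12 chars with upper, lower, digit and symbol (our reading of the guide)."""
    return bool(len(pw) >= 12 and re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)
                and re.search(r"[0-9]", pw) and re.search(r"[^A-Za-z0-9]", pw))

def audit(xml_text):
    """Return a list of findings; an empty list means the file meets the guide."""
    ps = ET.fromstring(xml_text).find("phone-settings")

    def get(name):
        return (ps.findtext(name) or "").strip()

    findings = []
    if get("webserver_type") not in ("https", "off"):
        findings.append("webserver_type: must be https or off")
    for name in ("http_pass", "service_mode_pass"):
        if get(name) and not strong_password(get(name)):
            findings.append(f"{name}: weak (12+ chars, mixed case, digits, symbols)")
    if get("use_hidden_tags") != "on":
        findings.append("use_hidden_tags: must be on (XSRF protection)")
    for name in ("service_mode_login", "service_mode_pass"):
        el = ps.find(name)
        if el is not None and el.get("perm") != "R":
            findings.append(f'{name}: should be provisioned read-only (perm="R")')
    if "transport=tls" not in get("user_outbound").lower():
        findings.append("user_outbound: missing ;transport=tls, SIP signalling in the clear")
    if get("user_srtp") != "on":
        findings.append("user_srtp: must be on")
    if get("user_savp") not in ("mandatory", "optional"):
        findings.append("user_savp: must be mandatory or optional")
    return findings
```

Running `audit(WEAK_CONFIG)` reports nine findings, one per violated recommendation; the minimum configuration shown above passes with none.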