Securing IP Telephony
05/18/2022 by Niek Boeye
A first defensive measure is a dedicated IP Telephony firewall to protect an organization’s internal network against the outside world (the PSTN accessed via SIP Trunking, or a Cloud-based UCC solution). A Session Border Controller (SBC) is specially designed for VoIP security. It recognizes and fends off attacks (for example DDoS), supports the encryption of signalling and voice, and converts these into other formats (transcoding). However, SBCs often require considerable investment, which means that it is less worthwhile to implement them in each location. Companies should therefore think about a central, redundant SBC to which all external VoIP connections (SIP and RTP) are routed.
Secondly, when talking about IP Telephony and SIP Trunking, one should make a distinction between (1) telephony services offered via the public Internet by Over The Top (OTT) providers such as WhatsApp, who do not operate their own network, and (2) telephony services offered via secure private networks by telecom providers who rely on their own infrastructure. In the second case, IP telephony offers a level of security comparable to that of the old TDM-based telephone network.
Finally, besides the fact that most WANs consist of secure VPNs based on the MPLS protocol or on SD-WAN encryption techniques, an organization may still decide to specifically encrypt its IP Telephony. This is realized by means of encryption protocols such as Secure SIP over TLS (or SIPS – Session Initiation Protocol Secure) for signalling and SRTP (Secure Real-time Transport Protocol) for payload.
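One way to check that a call is protected on both planes, as an added example (not from the original article or from Deutsche Telekom): it audits a SIP INVITE for SIPS over TLS signalling and an SRTP media offer. The sample messages, host names, numbers and key string are constructed; both SDES (`a=crypto`) and DTLS-SRTP (`a=fingerprint`) keying are accepted.

```python
import re

def build_invite(scheme, transport, profile, keying):
    """Constructed sample INVITE, trimmed to the headers the check reads; all values invented."""
    head = [f"INVITE {scheme}:+4930000000@trunk.example.net SIP/2.0",
            f"Via: SIP/2.0/{transport} sbc.example.com;branch=z9hG4bK776asdhds",
            "Content-Type: application/sdp"]
    sdp = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
           "t=0 0", f"m=audio 49170 {profile} 8 0"] + keying
    return "\r\n".join(head + [""] + sdp)

def audit_invite(message):
    """Return a list of findings; an empty list means signalling and media are encrypted."""
    head, _, sdp = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    findings = []
    # Signalling: the Request-URI must use the sips: scheme ...
    if not lines[0].split()[1].lower().startswith("sips:"):
        findings.append("Request-URI is not a sips: URI")
    # ... and the topmost Via must show TLS as the transport for this hop.
    vias = [l for l in lines[1:] if re.match(r"(?i)(via|v)\s*:", l)]
    if not vias or not re.match(r"(?i)(via|v)\s*:\s*SIP/2\.0/TLS\b", vias[0]):
        findings.append("topmost Via transport is not TLS")
    # Media: split the SDP into the session part and one section per m= line.
    session, *media_sections = re.split(r"\r\n(?=m=)", sdp)
    for sec in media_sections:
        kind, _port, profile = sec.split("\r\n")[0][2:].split()[:3]
        if not profile.endswith(("/SAVP", "/SAVPF")):
            findings.append(f"{kind} stream uses {profile}, not SRTP")
        elif "\r\na=crypto:" not in sec and "a=fingerprint:" not in session + sec:
            findings.append(f"{kind} stream offers SRTP without keying material")
    return findings

# Constructed key attribute: the inline value is a placeholder, not real key material.
CRYPTO = ["a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED0EXAMPLE0KEY0NOT0REAL00000000"]
SECURE = build_invite("sips", "TLS", "RTP/SAVP", CRYPTO)
SIGNALLING_ONLY = build_invite("sips", "TLS", "RTP/AVP", [])  # SIPS, but voice in clear RTP
PLAIN = build_invite("sip", "UDP", "RTP/AVP", [])

if __name__ == "__main__":
    for name, msg in [("secure", SECURE), ("signalling only", SIGNALLING_ONLY), ("plain", PLAIN)]:
        print(f"{name}: {audit_invite(msg) or 'encrypted signalling and media'}")
```

The `SIGNALLING_ONLY` case is the one worth watching for on a trunk: the INVITE travels over TLS while the voice payload is still negotiated as unencrypted RTP.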
Value-added services in combination with SIP Trunking
The following value-added services can be offered by Deutsche Telekom in combination with SIP Trunking:
Encryption via SIPS and SRTP
Voice communication can be transmitted in encrypted form with SRTP and SIPS. Deutsche Telekom’s Corporate SIP service supports SIPS and SRTP. However, various prerequisites must be fulfilled (for example, encryption must be supported by the company’s End User Equipment or the IP-PBX/SBCs) and local regulation has to be checked before SIPS and SRTP can be implemented.
Managed Session Border Controller (eSBC)
Deutsche Telekom can provide organizations with a central, redundant Enterprise Session Border Controller (eSBC) that is network-based and fully managed by Deutsche Telekom. A central SBC may also be of great value for organizations that are planning to move to Cloud-based UCC services such as Microsoft O365 (with Teams Telephony) or Cisco WebEx. Thanks to Deutsche Telekom’s vast experience with the Microsoft and Cisco cloud suites, as reflected by earning the highest partner certification level, Deutsche Telekom can provide a smooth migration from legacy PBX/UCC systems to Cloud UCC services (for example, a migration from Skype for Business to Microsoft Teams) or can make sure that legacy systems (PBXs, UCC systems and call/contact centre solutions) can be integrated with and operated in parallel with Cloud UCC services (for example the integration between Microsoft Teams and a Genesys CC system).
Intelligent Network services for special treatment of inbound calls
Intelligent Network (IN) services are inbound voice services, i.e., calls to non-geographic and geographic numbers, which trigger special network-based call routing. The main working principle is the translation of the called telephone number to a final geographical destination number. IN services are often referred to as Marketing Numbers or Service Numbers. They are categorized into Freephone services, Premium Rate services, Shared Cost services and geographical number translation services. The call routing plan is stored in the Intelligent Network platform. When a caller dials a Service Number, the telephony network identifies the number as a Service Number and retrieves the call routing plan from the Intelligent Network. The call is then routed to the geographical destination according to the parameters of the call plan. Reasons for deploying Service Numbers may be:
- marketing related: for example, customers call the organization’s call/contact centre free of charge (Freephone Service), or at a premium rate, or at a reduced rate (Shared Cost Service);
- to combine with a centralized conferencing solution: for example, partners dial in free of charge (Freephone Service) or at a reduced rate (Shared Cost Service);
- to route calls between multiple call/contact centres that may even be in different countries: for example, call routing to the right call/contact centre based on an Interactive Voice Menu (typical examples are inviting a caller to press 1 for English, 2 for Spanish, 3 for French, …), time-of-day call distribution, percentage-based call distribution or origin-dependent call routing.
An Interactive Voice Menu allows an organization to set up a virtual and fully automated call centre entity in the telecom operator’s network to do a pre-screening of calls before they are handed over to the organization’s call/contact centre. A response menu can be created, and announcements can be recorded and uploaded to the routing plan of the IN service.