Views

Difference between revisions of "VoIP Security"

The Wiki of Unify contains information on clients and devices, communications systems and unified communications. - Unify GmbH & Co. KG is a Trademark Licensee of Siemens AG.

Jump to: navigation, search
(Signalling and Payload Encryption (SPE))
(IEEE 802.1X)
 
(19 intermediate revisions by 6 users not shown)
Line 1: Line 1:
 
Regarding IP telephony the subject '''VoIP Security''' becomes more and more important.  
 
Regarding IP telephony the subject '''VoIP Security''' becomes more and more important.  
[[VoIP]] must have the same confidentiality, authenticity, availability and anonymity as traditional telephony solutions.
+
[[VoIP]] must have the same confidentiality, authenticity, availability and integrity as traditional telephony solutions.
  
Buzzwords to improve the above mentioned properties are [[PKI]], [[Signalling and Payload Encryption|SPE]]/[[SRTP]] and [[TLS]].
+
Buzzwords to improve the above mentioned properties are [[Signalling and Payload Encryption|SPE]], [[TLS]], [[SRTP]] and [[PKI]].
  
HiPath platforms like [[HiPath 2000]] or [[HiPath OpenOffice ME]] use the most current technology to protect voice and signalling data from unauthorized access.
+
HiPath platforms like [[HiPath 3000]] or [[OpenScape Office MX]] use the most current technology to protect voice and signalling data from unauthorized access.
  
How to use secure [[VoIP]] on optiPoint [[SIP]] phones in general: {{File-DL|Gesicherte Sprachübertragung in SIP 7|pdf}}
+
How to use secure [[VoIP]] on optiPoint [[SIP]] phones in general: {{File-DL|Gesicherte Sprachübertragung in SIP 7|pdf|de}}
  
 
{{Info|
 
{{Info|
Line 15: Line 15:
 
== Signalling and Payload Encryption (SPE) ==
 
== Signalling and Payload Encryption (SPE) ==
  
=== Documentation ===
+
=== Activate Signalling and Payload Encryption (SPE) on a [[OpenStage]] HFA Phone ===
  
=== activate Signalling and Payload Encryption (SPE) on a OptiPoint HFA Phone ===
+
To enable security support on the optipoint HFA phones following settings must be done via local configuration or administration web page.
 +
*Configure transport mode LocalAdmin:  Administration -> System -> Security -> Signalling main = TLS
 +
*Configure transport mode WEB: Admin -> System -> Security -> Secure H.235 main = TLS
 +
**Configure C-TC TLS port in accordance to the CGW configuration (AMO-CGWB: (…), TYP=globif, TLSP=<C-TC TLS port>;), default: 4061
 +
**H.225 TLS port: 1300 (fixed)
 +
**Transport mode: TLS
 +
**Certificate validation main can now be enabled, in this case certificate must be downloaded via DLS
 +
**If you use the feature SRSR. And the standby System is using SPE too, then please configure also Secure H.235 standby(WEB) -or- Signalling standby(LocalAdmin). And Certificate validation standby (if used)
 +
[[Image:SPE_config_OST_HFA.jpg]]
 +
 
 +
 
 +
=== Activate Signalling and Payload Encryption (SPE) on a [[optiPoint]] HFA Phone ===
  
 
To enable security support on the optipoint HFA phones following settings must be done via local configuration or administration web page.  
 
To enable security support on the optipoint HFA phones following settings must be done via local configuration or administration web page.  
Line 27: Line 38:
 
[[Image:SPE_config_HFA.jpg]]
 
[[Image:SPE_config_HFA.jpg]]
  
== Certificate Management ==
+
== IEEE 802.1X ==
  
=== Documentation ===
+
How to configure IEEE 802.1X by [[DLS]]:
 +
* {{File-DL|IEEE 802.1X Configuration Management|pdf}}
  
How to implement and set up a secure environment and provide [[optiPoint]] phones with configuration data by the use of XML files via secure Web server:
 
* {{File-DL|Certificate over secure link|pdf}}
 
* {{File-DL|Zertifikate über gesicherte Verbindung|pdf}}
 
  
General information about certificates, [[PKI]], currently used security parameter in [[HiPath]] and [[TLS]]:
+
Basic Requirements For 802.1x Certificates
* {{File-DL|Certificate usage in HiPath|pdf}}
+
* {{en}} [[802.1x Certificates]]
* {{File-DL|Verwendung von Zertifikaten in HiPath|pdf}}
+
* {{de}} [[802.1x Zertifikate]]
  
== IEEE 802.1X ==
+
== Certificate Management (an alternative, available on [[optiPoint]] phones only) ==
  
=== Documentation ===
+
How to implement and set up a secure environment and provide [[optiPoint]] phones with configuration data by the use of XML files via secure Web server (note, that this type of interface is not provided by [[OpenStage]] phones):
 
+
* {{File-DL|Certificate over secure link|pdf}}
How to configure IEEE 802.1X by [[DLS]]:  
+
* {{File-DL|Zertifikate über gesicherte Verbindung|pdf|de}}
* {{File-DL|IEEE 802.1X Configuration Management|pdf}}
 
* {{File-DL|IEEE 802.1X Konfigurations-Management|pdf}}
 

Latest revision as of 13:27, 20 October 2021

Regarding IP telephony the subject VoIP Security becomes more and more important. VoIP must have the same confidentiality, authenticity, availability and integrity as traditional telephony solutions.

Buzzwords to improve the above mentioned properties are SPE, TLS, SRTP and PKI.

HiPath platforms like HiPath 3000 or OpenScape Office MX use the most current technology to protect voice and signalling data from unauthorized access.

How to use secure VoIP on optiPoint SIP phones in general: pdf-de.png  Gesicherte Sprachübertragung in SIP 7

Please have a look also at the administrator documentation to IP phones of the optiPoint and OpenStage families and the service documentation for the IP platforms.


Signalling and Payload Encryption (SPE)

Activate Signalling and Payload Encryption (SPE) on a OpenStage HFA Phone

To enable security support on the optipoint HFA phones following settings must be done via local configuration or administration web page.

  • Configure transport mode LocalAdmin: Administration -> System -> Security -> Signalling main = TLS
  • Configure transport mode WEB: Admin -> System -> Security -> Secure H.235 main = TLS
    • Configure C-TC TLS port in accordance to the CGW configuration (AMO-CGWB: (…), TYP=globif, TLSP=<C-TC TLS port>;), default: 4061
    • H.225 TLS port: 1300 (fixed)
    • Transport mode: TLS
    • Certificate validation main can now be enabled, in this case certificate must be downloaded via DLS
    • If you use the feature SRSR. And the standby System is using SPE too, then please configure also Secure H.235 standby(WEB) -or- Signalling standby(LocalAdmin). And Certificate validation standby (if used)

SPE config OST HFA.jpg


Activate Signalling and Payload Encryption (SPE) on a optiPoint HFA Phone

To enable security support on the optipoint HFA phones following settings must be done via local configuration or administration web page.

  • Configure transport mode: Administration -> System -> Signaling & Payload Encryption (SPE)
    • Configure C-TC TLS port in accordance to the CGW configuration (AMO-CGWB: (…), TYP=globif, TLSP=<C-TC TLS port>;), default: 4061
    • H.225 TLS port: 1300 (fixed)
    • Transport mode: TLS
    • Certificate check can now be enabled, in this case certificate must be downloaded via DLS

SPE config HFA.jpg

IEEE 802.1X

How to configure IEEE 802.1X by DLS:


Basic Requirements For 802.1x Certificates

Certificate Management (an alternative, available on optiPoint phones only)

How to implement and set up a secure environment and provide optiPoint phones with configuration data by the use of XML files via secure Web server (note, that this type of interface is not provided by OpenStage phones):