Cisco 521SG Administration Guide - Page 131

Configuring Security, Quality, and Network Features Setting Security Features 5 Setting Security Features The security features ensure that calls are secure and authenticated. Challenging SIP Initial INVITE and MWI Messages The SIP INVITE (initial) and Message Waiting Indication (MWI) messages in a session can be challenged by the endpoint. The challenge restricts the SIP servers that are permitted to interact with the devices on a service provider network. This significantly increases the security of the VoIP network by preventing malicious attacks against the device. To configure SIP INVITE challenge, navigate to Admin Login > advanced > Voice > Ext_n. Under SIP Settings in the Auth INVITE field, choose yes. Encrypting Signaling with SIP Over TLS Transport Layer Security (TLS) is a standard protocol for securing and authenticating communications over the Internet. SIP Over TLS encrypts the SIP messages between the service provider SIP proxy and the end user. SIP Over TLS encrypts only the signaling messages, not the media. A protocol such as Secure Real-Time Transport Protocol (SRTP) can be used to encrypt voice packets (see Securing Voice Traffic with SRTP). TLS has two layers: • TLS Record Protocol--layered on a reliable transport protocol, such as SIP or TCH, it ensures that the connection is private by using symmetric data encryption and it ensures that the connection is reliable. • TLS Handshake Protocol--authenticates the server and client, and negotiates the encryption algorithm and cryptographic keys before the application protocol transmits or receives data. Cisco SPA IP phones use UDP as a standard for SIP transport, but they also support SIP over TLS for added security. To enable TLS for the phone, navigate to Admin Login > advanced > Voice > Ext_n. Under SIP Settings, select TLS from the SIP Transport list. Cisco Small Business SPA300 Series, SPA500 Series, and WIP310 IP Phone Administration Guide 130