[VOIPSEC] ipsec vs. tls/srtp ?
Jin Wang
jin_x_wang at yahoo.com
Wed Feb 22 19:54:08 CST 2006
Hello Dan - Yes, we would like to use TLS to protect
the SIP signaling and SRTP to protect the
SIP-associated media (as an alternative to using
IPSec). I'm on the security team at a large
enterprise (for reasons of confidentiality, I cannot
say which one) that is planning a large-scale
migration to VOIP. We do not want to get locked
into any vendor proprietary solutions so we are
trying to standardize on SIP as the base protocol and
TLS & SRTP for security. We feel that TLS & SRTP are
the only way to protect our internal and external (SIP
trunks) infrastructure against attack. IPsec does
provide some protection of the external infrastructure
but it does not adequately protect our internal
corporate network.
As the list members' responses allude to, there is not
yet wide support for SIP + TLS/SRTP in all of the
phones (Snom is one notable exception) and VOIP
switching platforms. While we hope that adoption
happens soon, in the interim, we are investigating
whether or not it makes sense to use external SIP
security appliances such as the product from
Covergence (they are the only product that we found to
have SIP + TLS/SRTP support available today). If the
list members have other suggestions / advice, please
send it along.
Thanks again to all of the list members for sharing
their opinions and knowledge on this subject.
Jin
--- dan_york at Mitel.com wrote:
> Jin,
>
> > The recent list discussion about voip & vpns brings up another
> > question: How do the list members feel about using tls & srtp as a
> > secure alternative to running sip voip over ipsec vpns? There
> > would seem to be some advantages to using tls & srtp but I would like
> > some other opinions.
>
> Are you asking about the approach of separately encrypting the SIP call
> control using TLS and then encrypting the voice using SRTP? (Versus not
> encrypting both but just tunnelling all the unencrypted traffic over
> an encrypted VPN tunnel?)
>
> If so, yes, we see that as a secure alternative to VPN tunnelling. This
> is how we secure all of our (Mitel) sets.
>
> Regards,
> Dan
>
> --
> Dan York, CISSP
> Dir of IP Technology, Office of the CTO
> Mitel Corp. http://www.mitel.com
> dan_york at mitel.com +1-613-592-2122
> PGP key (F7E3C3B4) available for
> secure communication
>