Posted by: Jessica Scarpati
telepresence, UC Security, video conferencing, VoIP security
There are a lot of things people won’t write in an email because they know that someone — corporate IT, regulators, the boss — may be watching. But people are often more candid and less cautious behind the closed doors of a meeting room, which may be exactly what hackers are hoping to exploit as high-definition video conferencing and telepresence gain traction.
Our recent story on video conferencing security threats offers a broad overview of the vulnerabilities enterprises have to watch out for, which led Jean-Pierre Kellermann, a product line manager at Alcatel-Lucent, to chime in with some technical tips for video conferencing and telepresence pros.
Check out some of his video conferencing security suggestions (reproduced with permission and edited for clarity) after the jump…
To avoid all these attacks, customers can use antivirus software to protect their video endpoints, and encryption (based on SIP/TLS and SRTP) for the control channel and the media flows. The session border controller has an advantage compared with the traditional firewall because it’s adapted to these media flows; it can be used as a proxy between the external world and the enterprise LAN.
In general my recommendations to my customers are the following:
1) Against insecure endpoints and servers: Certificates with a public key infrastructure (PKI) should be mandatory and deployed for all the endpoints used (smartphones, IP-DECT, IP or SIP hardphones and servers).
2) Against attacks on the control channel: The encryption of the signaling should be mandatory by default with SIP/TLS.
3) Against eavesdropping/modification: The encryption of the media (voice and video) should be enabled by default with SRTP.
4) Against attacks on SIP trunking: Mutual authentication should be used between the devices used to establish this trunk. The encryption (signaling/media) can be used against MITM attacks. I also suggest finishing all the SIP trunks on a SIP proxy, such as the SBC, and not directly on an internal SIP server. The SBC can be a filter for all the SIP sessions established between an external cloud and an enterprise.
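
Recommendations 2 and 3 can be checked on real call setups. The following is an added example, not part of Kellermann's suggestions or any vendor's code: it audits a SIP INVITE for TLS on every Via hop and for an SRTP profile with keying material on every media stream. The function names, hosts and sample message are constructed assumptions.

```python
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_invite(message):
    """Return findings for a SIP INVITE; an empty list means both checks pass."""
    head, _, sdp = message.replace("\r\n", "\n").partition("\n\n")
    findings = []
    # Signaling (recommendation 2): each Via hop should be SIP/2.0/TLS.
    for line in head.split("\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v") and value.strip():
            transport = value.split()[0].rsplit("/", 1)[-1].upper()
            if transport != "TLS":
                findings.append(f"signaling hop uses {transport}, not TLS")
    # Media (recommendation 3): collect attributes per m= section of the SDP.
    session_attrs, streams = set(), []
    for line in (l.strip() for l in sdp.split("\n")):
        parts = line[2:].split()
        if line.startswith("m=") and len(parts) >= 3:
            streams.append({"media": parts[0], "port": parts[1],
                            "proto": parts[2].upper(), "attrs": set()})
        elif line.startswith("a="):
            attr = line[2:].split(":", 1)[0].lower()
            (streams[-1]["attrs"] if streams else session_attrs).add(attr)
    for s in streams:
        if s["port"].split("/")[0] == "0":
            continue  # port 0 means the stream is disabled
        if s["proto"] not in SRTP_PROFILES:
            findings.append(f"{s['media']} stream offered as {s['proto']}, not SRTP")
        elif s["proto"].startswith("UDP/TLS/"):
            # DTLS-SRTP: fingerprint may sit at session or media level.
            if "fingerprint" not in s["attrs"] | session_attrs:
                findings.append(f"{s['media']} stream has no a=fingerprint for DTLS-SRTP")
        elif "crypto" not in s["attrs"]:  # SDES: a=crypto is media-level only
            findings.append(f"{s['media']} stream uses {s['proto']} but has no a=crypto key")
    return findings

def sample_invite(transport, audio_proto, crypto):
    """Constructed INVITE with hypothetical hosts, not captured traffic."""
    key = ["a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER"] if crypto else []
    return "\r\n".join([
        "INVITE sip:room@example.com SIP/2.0",
        f"Via: SIP/2.0/{transport} sbc.example.net;branch=z9hG4bKconstructed",
        "Content-Type: application/sdp", "",
        "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
        f"m=audio 49170 {audio_proto} 0"] + key) + "\r\n"

if __name__ == "__main__":
    for finding in audit_invite(sample_invite("UDP", "RTP/AVP", False)):
        print("FINDING:", finding)
```

With SDES keying the SRTP key travels inside the SDP, so a passing media check only protects the call when the signaling check passes as well.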