Secure media and signaling must be considered whenever VoIP endpoints or IP Office VoIP interfaces transit or are potentially accessible by untrusted networks, including the Internet.
Prior to deploying secure media or signaling using IP Office, the following should be reviewed:
The use of a Session Border Controller. See Session Border Controllers & IP Office. If Avaya’s SBC for Enterprise is used, the security level on each side of the SBC must match. SRTP or SIP-TLS must be implemented on both sides of the SBC.
The IP Office SRTP feature supports media security natively without license or IP infrastructure requirements, but can add extra interoperation complexity with various endpoints.
Signaling security (SIP-TLS) must be considered whenever SRTP is used. Signaling security can be considered on its own as a security improvement mechanism.
Secure phone provisioning (HTTPS) must be considered whenever media or signaling security is considered.
Signaling security or secure phone provisioning requires the administration and maintenance of an identity certificate and its root CA certificate on the IP Office and SBC.
When VoIP endpoint resilience is active with secure signaling or provisioning, the root CA certificate for both the home and backup servers must be the same.
SRTP will reduce the concurrent call capacity of IP Office systems; therefore, direct media should be used whenever possible. It may also reduce the capacity and performance of other connected systems.
The exact SRTP support of each endpoint type should be assessed to determine how best to achieve security, direct media and other performance criteria.
IP Office default SRTP settings should be retained wherever possible and only varied under exceptional circumstances.