The Promise of SIP
by Melisa LaBancz-Bleasdale
What's colorless and odorless and powerful enough to form the foundation of advanced communications systems? The answer, of course, is Session Initiation Protocol (SIP). Initially used for signaling, SIP has come a long way from its humble beginnings in Internet telephony to become ubiquitous amongst communications technology.
Now the standard protocol for IP-based communication applications, such as Voice over IP (VoIP), instant messaging and video conferencing, SIP is also being used in peer-to-peer (P2P) systems, PBX replacement systems, and residential telephony. On a grander scale, the Third Generation Partnership Project (3GPP) has employed SIP as a major building block of the Internet Multimedia Subsystem (IMS) reference architecture, believed by most to be the architecture for large-scale carrier next generation networks (NGN).
Ratified in 2001 by the Internet Engineering Task Force (IETF), SIP is considered an "open" protocol that just happens to be governed by a standards body. Yet Matt Tucker, CTO of Jive Software, feels that calling SIP "open source" would be a misnomer. "With open source projects, many people in the open source community, as well as commercial vendors, work together to define protocol extensions. I don't see this type of relationship around most standards efforts."
The main difference between SIP as open source and traditional open source software (OSS), explains Jeff Carr, VP of SIP solutions group at BorderWare Technologies, is that as an IETF standard, the update process is more rigid. Although SIP has only been on the scene a short time, its believers are legion. By way of evidence, Carr notes that in the past twelve months, there has been a significant increase in the adoption of VoIP services in the small- to mid-sized business (SMB) market, and that virtually all of these adoptions are SIP-based.
With the traditional PBX all but extinct, the IP/PBX business remains robust with SIP leading the charge. Carr points out that SIP enjoys the validation of the telephony giants including Avaya, Cisco, Nortel, Mitel, Siemens, and Alcatel, among others, who offer SIP support in their communications platforms. Carr cites Avaya's purchase of Ubiquity Software, a major SIP vendor, in February 2007, as a move underscoring SIP's promise. "A driving factor for SIP adoption is the trend of moving away from standard Telco services to replace them with SIP trunks, reaping the benefits of integrated communication and links to database systems," says Carr. "It's not a matter of if SIP will be a part of your network, it's a matter of when."
An Open Protocol?
Companies such as Digium (sponsor of open source PBX Asterisk noted below), Fonality, and SIPx, among others, rely heavily or completely on SIP as the underlying protocol. There are also a number of open source products on the market that are built using SIP or SIP variants, including the very popular and free-to-download Asterisk.
The idea of "open" goes only as far as the community, or vendor, allows with each new variation of the technology. As with any idea that shows promise as a cost-effective alternative, it's no longer open unless it is freely available and free to be changed. There are those who feel that SIP is going the way of far too many other protocols: "adopted" by the big money vendors. "It's not a matter of open source vs. closed source at the protocol level," Tucker explains. "What we see happening is that Microsoft has adopted the open protocol mantle in its OCS product, despite the fact that they are extending SIP/SIMPLE in proprietary ways. Microsoft is making very little effort toward open federation. The major IM networks like AIM, Yahoo!, and MSN are also resisting open protocols. Internet-wide federation of SIP is just not happening. It's either due to limitations of the protocol, or something else is going on."
"This is similar to the days of proprietary computers," states Carr. "This approach was good for vendors as it locked in customers and reduced cost pressure, but ultimately customers rejected the proprietary model for the openness and interoperability model of Unix/Linux-based computing. This is the same model we are seeing with SIP."
Unique Challenges
There are unique challenges involved with SIP. Due to its open nature, its implementation can be very complicated. Carr says that while vendors can optimize proprietary protocols for specific functions they want to implement more easily than a standard such as SIP, the problem then becomes interoperability between vendors. Tucker puts it plainly: "Vendor implementations just aren't compatible."
SIP's inherent complexities require two teams, both data and network, to ensure a smooth implementation. Many organizations still separate voice and data, either physically or using Virtual LANs (VLANs), and Tucker believes that this approach is counterintuitive to reaping the benefits of SIP. "It's hard to link a call center application to a back-end database, or to provide desktop integration of email, voice, IM etc., if voice and data are separated. Even if a new VoIP system starts off physically separated, it makes sense to plan for its integration." Tucker believes it is wise to involve both voice and data from the planning stage onwards.
SIP and Security
SIP is an IP-based messaging, communication and collaboration protocol. It has text-based components similar to the SMTP protocol used for email, and a media component similar to HTTP for transmitting content, such as video or voice. Just as SIP-based applications benefit from the similarities to SMTP, they also suffer from the same pitfalls. Without proper security in place, SIP applications, in the same vein as other Web or IP-based applications, are open to a range of vulnerabilities that organizations may not want to experience first-hand.
Carr reveals several security challenges related to the protocol. For example, a SIP message (such as an INVITE, which initiates a VoIP call from one party to another) can easily be spoofed to show a falsified "caller ID" in the same way that an email phishing attack shows a falsified sender.
A Real-time Transport Protocol (RTP) media stream from a SIP-based call could be intercepted using freely available Internet tools (such as Ethereal) and then recorded. The recorded call could be converted to a .wav file and played back or stored for later use. An example of this would be the interception of a call to a credit card vendor, which captured personal account information. SIP is also vulnerable to Denial of Service (DoS) attacks, call hijacking, service theft and other incidents that can lead to service disruption or unauthorized call monitoring. All are possible security issues hefty enough to strike fear in the hearts of security-conscious organizations.
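A defender-side check for the two weaknesses described above, as an added example that is not part of the original article: it parses one SIP INVITE and flags a From identity the sending peer is not allowed to assert, cleartext signalling, and unencrypted RTP media in the SDP offer. The sample message, the `TRUSTED_PEERS` policy and the `audit_invite` name are assumptions constructed for illustration.

```python
import re

# Constructed sample INVITE (not captured traffic); names and addresses are made up.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK776asdhds\r\n"
    'From: "Example Bank" <sip:support@bank.example>;tag=1928301774\r\n'
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.7\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 203.0.113.7\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

# Hypothetical policy (an assumption): From domains each peer address may assert.
TRUSTED_PEERS = {"198.51.100.10": {"bank.example"}}


def audit_invite(raw, source_ip, trusted_peers=TRUSTED_PEERS):
    """Return a list of findings for one INVITE received from source_ip."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    findings = []
    # From is caller-supplied text; compare its domain with what this peer may assert.
    m = re.search(r"<sips?:(?:[^@>]*@)?([^;>:]+)", headers.get("from", ""))
    domain = m.group(1).lower() if m else None
    if domain not in trusted_peers.get(source_ip, set()):
        findings.append(f"unverified-from:{domain}")
    # The topmost Via names the last hop's transport: SIP/2.0/<transport>.
    via = headers.get("via", "").split()
    transport = via[0].rpartition("/")[2].upper() if via else ""
    if transport != "TLS":
        findings.append(f"cleartext-signalling:{transport}")
    # SDP m= lines: RTP/AVP is plain RTP, RTP/SAVP (and SAVPF) is SRTP.
    for line in body.split("\r\n"):
        if line.startswith("m="):
            kind, _port, proto = line[2:].split()[:3]
            if "SAVP" not in proto:
                findings.append(f"cleartext-media:{kind}:{proto}")
    return findings
```

Run against the sample from an unlisted address, the function reports all three findings; the same message sent over TLS with an SRTP media offer from the listed peer reports none.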
Carr notes that traditional perimeter firewalls are simply not designed to secure and manage the dynamic nature of real-time SIP communications. Further, issues with Network Address Translation (NAT) and Quality of Service (QoS) have made it difficult for network administrators to roll out applications in a secure and flexible way. BorderWare's SIPassure, a SIP security gateway solution, is designed to protect an SMB or enterprise user's VoIP and data infrastructure and is suitable for Telco and Service providers.
In designing SIPassure, BorderWare looked at the threats facing VoIP applications, including a set of standard IP network level threats (the same as those faced by email systems, Web servers and other Internet applications), a range of application threats (such as DoS and flooding attacks) and content driven threats. SIPassure is designed for use with SIP trunks and to allow the wider use of IP Telephony. SIPassure can be used to secure video services, SIP-based IM and presence-based applications. "For SIP not to be attacked seems impossible. It's only a matter of when. Once there is a critical mass of users, it will be lucrative enough for attackers," says Carr.
SIP and SMTP
The parallels between SIP and SMTP are important, believes Carr. "So far the lion's share of SIP activity has been Telco focused, by which I mean installing SIP-based VoIP systems to replace or supplement standard PSTN services. Few, if any, SMB SIP users have yet realized the power that SIP gives them. Just as SMTP enables email to any SMTP users worldwide, SIP can offer voice, video, and IM services to any user worldwide, with the proper security. Most SMBs and probably most enterprises are underutilizing this ability." The challenge, according to Carr, is to make SIP applications easy to deploy and manage without compromising security for voice or data applications.