CHAPTER 15

Trunk and Gateway SIP Security

• Trunk and Gateway SIP Security Overview
• Configure Trunk and Gateway SIP Security Task Flow

Trunk and Gateway SIP Security Overview

This section provides an overview of SIP trunk encryption, gateway encryption, and security profile setup tips.

SIP Trunk Encryption

SIP trunks can support secure calls for both signaling and media; TLS provides signaling encryption and SRTP provides media encryption.

To configure signaling encryption for the trunk, choose the following options when you configure the SIP trunk security profile (in the System > Security Profile > SIP Trunk Security Profile window):

• From the Device Security Mode drop-down list, choose “Encrypted.”
• From the Incoming Transport Type drop-down list, choose “TLS.”
• From the Outgoing Transport Type drop-down list, choose “TLS.”

After you configure the SIP trunk security profile, apply it to the trunk (in the Device > Trunk > SIP Trunk configuration window).

To configure media encryption for the trunk, check the SRTP Allowed check box (also in the Device > Trunk > SIP Trunk configuration window).

Caution: If you check this check box, we recommend that you use an encrypted TLS profile, so that keys and other security-related information do not get exposed during call negotiations. If you use a non-secure profile, SRTP will still work but the keys will be exposed in signaling and traces. In that case, you must ensure the security of the network between Unified Communications Manager and the destination side of the trunk.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs
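The exposure described in the caution can be checked for in captured signaling or SIP traces. The following is an added example, not Cisco's code or part of the original guide: it flags SIP messages whose SDP carries SRTP keys while the topmost Via header shows a non-TLS transport. It assumes the keys travel as SDP a=crypto attributes (RFC 4568); the sample messages, addresses, key placeholder and function names are constructed for illustration.

```python
import re

VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", re.I | re.M)
CALL_ID_RE = re.compile(r"^(?:Call-ID|i)\s*:\s*(\S+)", re.I | re.M)
CRYPTO_RE = re.compile(r"^a=crypto:\d+\s+(\S+)\s+inline:", re.M)

def exposed_srtp_keys(message):
    """Return a finding if a SIP message carries SRTP keys over non-TLS signaling."""
    head, _, body = message.partition("\r\n\r\n")
    via = VIA_RE.search(head)            # topmost Via = hop the message arrived on
    suites = CRYPTO_RE.findall(body)     # crypto suites only; never log the key itself
    if not via or not suites:
        return None                      # no SDP keys, or not parseable as SIP
    transport = via.group(1).upper()
    if transport == "TLS":
        return None                      # signaling encrypted on this hop
    call_id = CALL_ID_RE.search(head)
    return {"call_id": call_id.group(1) if call_id else None,
            "transport": transport, "suites": suites}

def scan(messages):
    """Run the check over an iterable of SIP messages and keep the findings."""
    return [f for f in map(exposed_srtp_keys, messages) if f]

def make_invite(tag, transport, port, media_lines):
    """Build a constructed INVITE for the demo (not captured traffic)."""
    return "\r\n".join([
        f"INVITE sip:2001@192.0.2.20:{port} SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10:{port};branch=z9hG4bK-{tag}",
        f"Call-ID: constructed-{tag}@192.0.2.10",
        "Content-Type: application/sdp",
        "",
        "v=0",
        "c=IN IP4 192.0.2.10",
        *media_lines,
        "",
    ])

# Constructed placeholder, not real key material.
SRTP = ["m=audio 24580 RTP/SAVP 0",
        "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED0PLACEHOLDER0KEY0AND0SALT00000"]
RTP = ["m=audio 24580 RTP/AVP 0"]

SAMPLES = [make_invite("tcp-srtp", "TCP", 5060, SRTP),
           make_invite("tls-srtp", "TLS", 5061, SRTP),
           make_invite("udp-rtp", "UDP", 5060, RTP)]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

A TLS value in the topmost Via only covers the hop on which the message was observed, so run the check at each point where trunk signaling is captured.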

