Snom m9/Documentation/Online Manual/Security and Emergency

From Snom User Wiki

Jump to: navigation, search

Contents

Encrypted Calls

  • snom m9 supports media and VoIP signaling encryption for making secure VoIP calls (TLS/SRTP)
  • snom m9 provides these features via:
  • TLS/SIPS functionality can be enabled on the snom m9 by appending a transport=tls parameter to the Outbound Proxy
  • Media encryption can be switched on using RTP Encryption setting
  • Secure call status is indicated on the snom m9 Handset by a Closed Padlock icon



X.509 Certificates

  • The m9 base station is able to perform Server Identity Verification based on trusted X.509 chains when SSL/TLS is used
  • Servers which present certificates signed by CAs unknown to the base are rejected
  • The Server Verification functionality can be switched off by selecting Don't validate certificates under Security->Certificate Policy
  • The trusted root CAs on the base can be viewed under Status->Network
  • Note: The snom m9 is also able to present its X.509 Certificate for Client Identity Verification
  • Note: For the Client/Server verification to function, the validation server must have a valid certificate with a domain-name as the CN. Also the same domain-name must be provided to the snom m9 as the SIP server or auto-configuration server.



Client Certificates

  • Each snom m9 base station comes equipped with a unique X.509 certificate signed by snom CA
  • These Client Certificates are used by the snom m9 to provide proof-of-identity to servers and to generate private-key based signatures
  • The client certificate of the snom m9 can however also be customized by provisioning custom client certificate/private key
  • Embedded within an XML file with <cert> and <key> tags, the snom m9 can be auto configured to use customized client Identity
  • Both these <cert> and <key> tags need to be encapsulated within a <certificates> XML tag
  • The following XML format indicates how a customized client certificate and private key can be provisioned to the snom m9:


CA Setup

  • Trusted Root CAs can also be provisioned to the m9 base with auto-provisioning
  • With <certificates> as the top XML tag, each trusted root CA can be enclosed within a <ca> tag
  • The following XML format can be used for CA setup:




Security

  • Admin Login Account: HTTP Admin username
  • Password: HTTP Admin password
  • Session Timeout: Webserver auto-logoff interval
  • HTTP Client Username: HTTP Username for outgoing HTTP connections
  • HTTP Client Password: HTTP Password for outgoing HTTP connections
  • PIN: Base PIN (Recommended to be changed from default 0000)
  • Emergency Proxy: Emergency SIP Proxy for routing emergency calls
  • Emergency Numbers: Permitted emergency numbers for emergency calls



Emergency Calls

  • The dial plans on the snom m9 can also be used to make emergency calls terminated at an external VoIP provider
  • The following dial plan will make a call to the SIP URI emergency@provider.com when 911,999 or 112 is dialed: 
!^(911|112|999)!sip:emergency@provider.com!d
Personal tools
Interoperability