Specifications
Engineering Guidelines
Mitel's Secure MiNET protocol uses the Advanced Encryption Standard (AES) to encrypt call
control packets. Using secure MiNET ensures that call control signalling packets between the
IP phones and the 3300 ICP are protected from eavesdropping. Using secure MiNET also
protects the 3300 ICP from unauthorized control packets.
Secure MiNET uses a predefined algorithm to encode the signalling messages. Negotiation of
the encryption method is not needed, so this provides a simpler and faster method to establish
secure connections with third-party applications. Some SIP phones may also use TLS, which
is an updated and more open version of the SSL standard. Because the encryption algorithms
for SSL and TLS are not predefined as with secure MiNET, the end points must negotiate the
security at the time of each connection, and performance may be impacted somewhat. When
evaluating the performance of SIP phones with the SET in MCD 6.0, the default connection
will be TLS, which should reflect the actual negotiated selection in most cases. The user of the
tool may also select UDP or TCP if it is known that those will be used in the particular installation.
Performance adjustments for use with SIP-TLS phones are highlighted in the earlier performance
section “SIP Phones and use of TLS (SIP-TLS)” on page 44.
In addition to Secure MiNET, a standard encryption method that uses SSL is also available on
certain end devices. SSL is used to negotiate which encryption method to use at the endpoints.
This standard allows interaction with third-party applications.
The SSL security protocol provides data encryption, server authentication, message integrity,
and optional client authentication for a TCP/IP connection. SSL will prevent unauthorized
access to administrative functions. SSL encrypts all traffic on the link to prevent sniffing of
usernames and passwords.
The IP Phones will determine which secure method to use, first trying SSL, then secure MiNET
and then, if neither of these is supported, the call will go unsecured.
The ICP uses multiple IP ports to differentiate these protocols (6800, 6801, 6802) as defined
in the IP port information. If the relevant port is blocked with a firewall or a router, for instance,
the negotiation may fail and a connection may not be established.
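The following check is an added example, not part of the original guidelines or of any Mitel tool: run from the phone subnet, it probes the three signalling ports named above and reports whether a secured method is reachable on that network path. The port-to-method mapping in `PREFERENCE` and the function names are assumptions made for illustration; take the real mapping from the ICP's IP port information.

```python
import socket

# Order the page gives for IP phones: SSL first, then secure MiNET, then unsecured.
# ASSUMPTION: the page lists ports 6800, 6801 and 6802 but not which method each
# carries; confirm this mapping against the ICP's IP port information.
PREFERENCE = [
    ("ssl", 6801),
    ("secure-minet", 6802),
    ("unsecured", 6800),
]

def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def best_available_method(reachable_ports, preference=PREFERENCE):
    """First method in preference order whose port is reachable, else None."""
    for method, port in preference:
        if port in reachable_ports:
            return method
    return None

def audit_path(host, preference=PREFERENCE, probe=tcp_reachable):
    """Probe each signalling port and summarise the result for this path."""
    reachable = {port for _, port in preference if probe(host, port)}
    method = best_available_method(reachable, preference)
    blocked = sorted(port for _, port in preference if port not in reachable)
    if method is None:
        finding = "FAIL: no signalling port reachable, no connection possible"
    elif method == "unsecured":
        finding = "WARN: no secured signalling port reachable on this path"
    elif blocked:
        finding = "WARN: %s reachable, but ports %s are blocked" % (method, blocked)
    else:
        finding = "OK: all signalling ports reachable, best method %s" % method
    return {"method": method, "blocked": blocked, "finding": finding}

if __name__ == "__main__":
    import sys
    # Usage: python audit_signalling_ports.py <icp-address>
    print(audit_path(sys.argv[1]))
```

A blocked port is reported even when a secured method is still reachable, because the guidelines state that a blocked port can make negotiation fail rather than fall through to the next method.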
IP Networking communication between ICP controllers and gateways uses only SSL or no
encryption. MiNET encryption is not supported.
Voice streaming to external gateway PSTN connection
In voice streaming to an external gateway PSTN connection, the voice path is established
between the IP Phone and the IP/TDM Gateway. This might be the local ICP, or another unit
dedicated to this function and connected via IP Networking. There is no difference in the
connection path between secure and non-secure call establishment. Connections will be
established as secure where possible.
Voice streaming to TDM connections
Where an ICP has a number of TDM connected devices, calls to these devices will be via local
IP/TDM gateway. Encryption applies to the packet part of the connection, and so the IP path
to the gateway will be secure, where possible. The connection on the TDM side will continue,
as it always has, to use a dedicated connection to the end device.










