SIP Security Best Practices


Learn how to protect your SIP applications from unauthorized access and malicious exploits using Twilio's built-in authentication and encryption mechanisms. You can use this guide to automate self-service tasks, create inbound call centers, create outbound call centers, create virtual agents, enable PSTN connectivity, and create AI and ML transcription.

See Related reference documentation to learn more about the API requests used in this guide.


IP Authentication


One of the easiest and most effective ways of securing your SIP application is to accept SIP traffic only from IP endpoints you trust.

To enable this on Twilio, create an IP Access Control List (IP ACL) with the IPs of your endpoints and map it to your SIP Domain. By adding these IPs to your IP ACL, you ensure that only those IPs can connect to your SIP domain. All other traffic is blocked.

IP Access Control Lists can be created with the SIP tools on Twilio.com or via the REST API.

Warning

IP Authentication does not protect you when communicating with multi-tenant 3rd party services, such as an IP trunking carrier or a hosted PBX service. Any user with an account on the 3rd party system would be able to send traffic to your application from the same allowed IP. IP authentication alone does not protect against certain other types of attacks. It is highly recommended that you also configure User Credentials.


Digest Authentication


An additional mechanism to secure your SIP application is to use digest authentication. Once enabled, incoming SIP requests will be challenged and you will need to authenticate with a username and password.

To enable this on Twilio, create a Credential List with the set of usernames and passwords that you want to have access to your SIP application and map it to your SIP Domain. Twilio requires that your password meet the following minimum requirements:

  • Minimum of 12 characters
  • Mixed case (at least one uppercase and one lowercase letter)
  • At least one digit

Credential Lists can be created with the SIP tools on Twilio.com or via the REST API.


Transport Layer Security

Transport Layer Security (TLS) is a mechanism for securing your SIP connections. It is recommended you use TLS as your SIP transport to prevent data being passed between your endpoints and Twilio in cleartext.

Twilio does not currently validate the certificates of the remote clients. This means that you may use self-signed certs on your clients, but this also means that TLS alone is not suitable as an authentication mechanism. At this time, it is only meant to be used to encrypt the SIP communication and does not protect against man-in-the-middle attacks.


In addition to the above, there are things you can do when you build your application to ensure secure access. First, always use HTTPS and POST methods for your URLs. Connecting over HTTPS prevents your data from being passed in cleartext between your app and Twilio.

Second, always validate the X-Twilio-Signature header passed back in the TwiML requests. This prevents third parties from interfering with your application's operation or data. Twilio SDKs contain a Utilities class that helps you perform request validation.

Third, Twilio passes information in the TwiML callbacks that can be used to check that your application is being accessed by the appropriate endpoints. This information is:

  1. The source IP address of the SIP request in the TwiML request.
  2. If using digest authentication, Twilio will pass the username that authenticated.
  3. The "From" header and Request URI of the SIP request.

You can use this information to verify a request or check for anomalous traffic patterns. For example, you can check:

  1. Is the source IP address one of your IP addresses?
  2. Is the user accessing a URI that they shouldn't have access to?
  3. Are you receiving too many requests from a specific From address?
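The following is an added example, not code from this guide or from the Twilio SDKs: it reimplements the documented X-Twilio-Signature check (HMAC-SHA1 over the URL plus sorted POST parameters, base64-encoded) and then applies the three checks listed above to the callback. The webhook parameter names SipSourceIp, SipUsername, From and To, the allow-list values and the sample callback body are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
from collections import Counter

# Constructed policy values; IPs are TEST-NET placeholders, not real endpoints.
AUTH_TOKEN = "auth-token-placeholder"
ALLOWED_SOURCE_IPS = {"203.0.113.10", "203.0.113.11"}   # mirrors your IP ACL
ALLOWED_USERNAMES = {"agent-01", "agent-02"}              # mirrors your Credential List
ALLOWED_REQUEST_URIS = {"sip:ivr@example.sip.twilio.com"}
MAX_REQUESTS_PER_FROM = 20                                # crude per-From rate limit
requests_per_from = Counter()

def compute_signature(auth_token, url, params):
    # Twilio's documented scheme: full URL, then POST params sorted by name as
    # name+value, HMAC-SHA1 with the account auth token, base64-encoded digest.
    data = url + "".join(k + params[k] for k in sorted(params))
    digest = hmac.new(auth_token.encode(), data.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def check_request(url, params, header_value):
    """Return reasons to reject the TwiML request; an empty list means accept.
    Parameter names SipSourceIp, SipUsername, From and To are assumed here."""
    expected = compute_signature(AUTH_TOKEN, url, params)
    if not hmac.compare_digest(expected, header_value or ""):  # constant-time compare
        return ["invalid X-Twilio-Signature"]   # body cannot be trusted; stop here
    problems = []
    if params.get("SipSourceIp") not in ALLOWED_SOURCE_IPS:
        problems.append("source IP is not in the IP ACL")
    if params.get("SipUsername") not in ALLOWED_USERNAMES:
        problems.append("unknown or missing digest username")
    if params.get("To") not in ALLOWED_REQUEST_URIS:
        problems.append("request URI not permitted for this endpoint")
    requests_per_from[params.get("From")] += 1
    if requests_per_from[params.get("From")] > MAX_REQUESTS_PER_FROM:
        problems.append("too many requests from this From address")
    return problems

WEBHOOK_URL = "https://example.com/voice/ivr"
SAMPLE_PARAMS = {   # constructed sample callback body as Twilio would POST it
    "From": "sip:agent-01@203.0.113.10",
    "To": "sip:ivr@example.sip.twilio.com",
    "SipSourceIp": "203.0.113.10",
    "SipUsername": "agent-01",
}

if __name__ == "__main__":
    sig = compute_signature(AUTH_TOKEN, WEBHOOK_URL, SAMPLE_PARAMS)
    print(check_request(WEBHOOK_URL, SAMPLE_PARAMS, sig))   # [] means accept
```

In production, use the SDK's request validator with the auth token from configuration and make the rate-limit state shared across workers rather than a process-local counter.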

Use cases for SIP security best practices with Twilio Programmable Voice


This guide covers a feature that can support the following use cases:

Create self-service automation with Twilio Programmable Voice


You can use the security features in this guide to secure automated call flows that gather sensitive user input. Enforcing TLS encryption and robust authentication ensures that keypad interactions (DTMF tones), such as PINs or credit card numbers, remain protected from interception during self-service sessions.

To learn more advanced features that you can use with voice self-service automation, see Voice self-service automation.

Create an inbound call center with Twilio Programmable Voice


You can use the security features in this guide to verify and shield your inbound infrastructure from malicious traffic. By implementing IP access control lists (ACLs) and rate limiting, you can protect your agents and queue systems against telephony denial-of-service (TDoS) attacks and fraudulent inbound routing.

To learn more advanced features that you can use with inbound call centers, see Voice inbound call centers.

Create an outbound call center with Twilio Programmable Voice


You can use the security features in this guide to protect your outbound operations from unauthorized toll fraud. Utilizing strong digest authentication and strict source validation ensures that only legitimate, authorized agents and system endpoints can place outbound calls using your Twilio account.

To learn more advanced features that you can use with outbound call centers, see Voice outbound call centers.

Deploy virtual agents with Twilio Programmable Voice


You can use the security features in this guide to safely connect your AI-powered virtual agents to SIP endpoints. Securing the signaling path prevents unauthorized third parties from hijacking media streams or spoofing the identity of your automated conversational assistants.

To learn more advanced features that you can use with virtual agents, see Voice virtual agents.

Establish PSTN connectivity with Twilio Programmable Voice


You can use the security features in this guide to safely connect your existing SIP infrastructure to the public switched telephone network (PSTN). By implementing IP access control, digest authentication, and TLS, you ensure that your SIP trunking and communication remains private and accessible only to authorized endpoints.

To learn more advanced features that you can use with PSTN connectivity, see Voice PSTN connectivity.

Create transcriptions for AI or ML with Twilio Programmable Voice


You can use the security features in this guide to protect call audio routed to machine learning models for transcription or sentiment analysis. Implementing end-to-end media encryption (SRTP) guarantees that data captured for AI evaluation is secure from the endpoint all the way to the processing pipeline.

To learn more advanced features that you can use with AI or ML transcription, see Voice AI and ML transcription.

