There is two types of security that you can enable with Call Manager
- Mixed mode : In this mode, depending the security configured on each phone, you can have secure calls when both devices are security-enabled and when one of the phones is missing security, your call will be nonsecure.
- Nonsecure mode : As all phones are not set up with security (default configuration), all calls are nonsecure.
When you device to put security on phones , they can support the three following levels:
- Nonsecure mode : secure calls are not supported
- Authenticated mode : the phone will be able to authenticate calls
- Encrypted mode : the phone will be able to support encrypted calls
If you enable the authentication and the encrytion on your network , you are then able to secure the media traffic as well the voice signaling.
If you want to have security on the media flow, it is then mandatory to secure also the signaling as the keys which are used to secure the media traffic are exchanged during the signaling phase.
SCCP messages sent by IP Phones and Call Manager can be secured using TLS, it is the signaling part. Then for the protection of the media traffic so the RTP packets , you will use the Secure RTP which is providing a framework for encryption and authentications of your stream.
SRTP will be also use between your MGCP gateway and your IP Phone but you need to know that your SRTP keys are exchanged in cleartext session between the MGCP gateway and the Call Manager.