NFON offers customers VoIP signalling and media stream encryption. In the process, the link connection is encrypted first and then the voice data. This is an end-to-end process, i.e. from the telephone to the NFON data centre, where your telephone system is operated.
In the course of end device provisioning, certificate data is loaded onto the end devices to secure the SIP signalling via TLS. The end devices are then registered with the assigned encryption gateway, which is operated in the NFON data centres and has multiple layers of security.
In the course of setting up the secured call via TLS (256 bit AES), keys are exchanged that are later used to encrypt the media streams (via SDES). These keys are used once to safeguard the calls. If supported by the end device, the display indicates when calls are secured.
The path from the end device to the data centre is therefore fully secured (and thus also on the customer’s LAN). The encryption gateway is on the same network as the telephone system server. Since encryption is solely IP-based, connections from the data centre to the public telephone network (landline and mobile network) are not encrypted.
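
Because SDES carries the SRTP key inside the SDP of the call setup, the media is only protected if that setup really ran over TLS. The following check of a captured SDP body is an added example, not NFON code; it assumes the standard `a=crypto` syntax from RFC 4568, and the function name, suite table and sample SDP are constructed for illustration.

```python
import base64
import re

# Key + salt length in bytes per SRTP crypto suite (RFC 4568, RFC 6188).
KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30,
                "AES_256_CM_HMAC_SHA1_80": 46, "AES_256_CM_HMAC_SHA1_32": 46}
CRYPTO_RE = re.compile(r"^a=crypto:\d+ (\S+) inline:([A-Za-z0-9+/=]+)")


def audit_offer(sdp: str, transport: str) -> list[str]:
    """Return findings for one SDP body carried over the given SIP transport."""
    findings = []
    if transport.upper() != "TLS":
        # SDES puts the SRTP master key in the SDP itself, so it is only as
        # confidential as the signalling channel that carries it.
        findings.append("SDES keys exposed: signalling is not TLS")
    # Everything before the first m= line is session-level; skip it.
    for section in re.split(r"(?m)^(?=m=)", sdp)[1:]:
        lines = section.splitlines()
        media, port, proto = lines[0][2:].split()[:3]
        if port == "0":  # stream declined or disabled
            continue
        if proto not in ("RTP/SAVP", "RTP/SAVPF"):
            findings.append(f"{media}: profile {proto} is not SRTP")
            continue
        usable = 0
        for match in filter(None, map(CRYPTO_RE.match, lines[1:])):
            suite, b64 = match.groups()
            try:
                key_len = len(base64.b64decode(b64))
            except ValueError:  # malformed base64 padding
                key_len = -1
            if KEY_SALT_LEN.get(suite) == key_len:
                usable += 1
            else:
                findings.append(f"{media}: unusable a=crypto for {suite}")
        if usable == 0:
            findings.append(f"{media}: SRTP offered without a usable key")
    return findings


# Constructed sample input; the key is bytes 0..29, not real key material.
DEMO_KEY = base64.b64encode(bytes(range(30))).decode()
SESSION = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
SECURE_SDP = (SESSION + "m=audio 49170 RTP/SAVP 8 0\r\n"
              f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{DEMO_KEY}\r\n")
PLAIN_SDP = SESSION + "m=audio 49170 RTP/AVP 8 0\r\n"

if __name__ == "__main__":
    for sdp, transport in [(SECURE_SDP, "TLS"), (SECURE_SDP, "UDP"), (PLAIN_SDP, "TLS")]:
        print(transport, audit_offer(sdp, transport))
```

An empty list means the offer uses an SRTP profile with a well-formed key and was carried over TLS; the suites accepted here are the RFC-defined ones, not a statement of which suites the NFON gateway negotiates.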

The described encryption solution is compatible with the following end devices:
- Desktop telephones
- DECT telephones
  - Gigaset N670 IP Pro
  - Gigaset N870 IP Pro
- ATAs
  - Grandstream
  - Patton
Other devices which support encryption as well:
- Nsoftphone premium (Softphone) from Version 8.0.0 (and higher)
Since the signalling is already encrypted on the end devices, customer edge routers cannot trace the signalling and therefore cannot dynamically open and close ports for media streams.
As a consequence, a wide range of UDP ports must be opened for outgoing traffic; all media streams must run over the Internet connection.
Once encryption is activated for a customer, all devices approved for encryption will automatically be switched to this setting. Billing will always include only the encryption-compatible devices.