Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.

Security, NATs and Firewalls Ingate Systems

Basics of SIP Security

● TLS
● Authentication
● S/MIME
● SRTP

Basics of SIP Security
● SIP is normally run over port 5060, using either TCP or UDP.
● It is also possible to encrypt the SIP signaling with SSL, and in that case port 5061 is used.
● To do this, a reliable transport protocol must be used, and thus SSL can only be used with TCP.

Basics of SIP Security
● The combination of SIP and SSL is called TLS (Transport Layer Security).
● TLS is hop-by-hop encryption, and is not necessarily used for all hops of a call.
● If a sips: address is used instead of a sip: address, then the entire call is made using TLS hops, and the call signaling will be encrypted all the way.
● TLS only protects the SIP signaling, not the media streams.

Basics of SIP Security
● A SIP server or proxy can require authentication from a SIP client before processing a SIP request.
● Authentication is done in the same way as with HTTP, with Digest authentication.
● Basic authentication, also defined in the HTTP specification, is not allowed.

Basics of SIP Security
● A SIP server can require authentication in two different ways:
– Regular authentication: 401 Unauthorized
– Proxy authentication: 407 Proxy Authentication Required

Basics of SIP Security
● Upon receipt of a 401, a SIP client resends the same request, but with an Authorization header added.
● Message flow between client and registrar:
– Client → Registrar: REGISTER
– Registrar → Client: 401 Unauthorized
– Client → Registrar: REGISTER + Authorization-header
– Registrar → Client: 200 OK

Basics of SIP Security
● An authorization request can be proxied to another server.
– Client → Proxy: REGISTER (the proxy answers 100 Trying)
– Proxy → Server: REGISTER
– Server → Proxy → Client: 401 Unauthorized
– Client → Proxy: REGISTER + Auth-header (the proxy answers 100 Trying)
– Proxy → Server: REGISTER + Auth-header
– Server → Proxy → Client: 200 OK

Basics of SIP Security
● A proxy in the signaling path can require authorization before sending a request on.
● In this case, a 407 response is sent.
– Client → Proxy: INVITE
– Proxy → Client: 407 Proxy Authentication Required
– Client → Proxy: INVITE + Authorization-header (the proxy answers 100 Trying)
– Proxy → next hop: INVITE

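The three preceding slides describe the challenge/response exchange without showing how the Authorization header is actually computed and checked. The following is an added example, not code from Ingate's slides: it implements the MD5 Digest scheme that SIP borrows from HTTP (RFC 2617, used by RFC 3261), issuing a 401 challenge (or, for a proxy, a 407, which per RFC 3261 is answered with Proxy-Authorization rather than Authorization), deriving the client response from username, realm, password, nonce, method and request-URI, and verifying it on the server side, including rejecting a response built against a stale nonce. The credential store, realm, and nonce generation are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed credential store and realm; a real registrar would consult its
# user database. Digest never sends the password itself across the wire.
USERS = {"alice": "secret-example-password"}
REALM = "example.com"


def md5_hex(data):
    # Digest as described on the slides uses MD5 over colon-joined fields.
    return hashlib.md5(data.encode()).hexdigest()


def make_challenge(realm, proxy=False):
    """Server side: build the status code and challenge header for a request
    that arrived without credentials. 401 for a registrar/UAS, 407 for a proxy."""
    nonce = secrets.token_hex(16)  # fresh per challenge so replies cannot be replayed
    code, header = (407, "Proxy-Authenticate") if proxy else (401, "WWW-Authenticate")
    return code, header, f'Digest realm="{realm}", nonce="{nonce}", algorithm=MD5'


def parse_digest(value):
    """Parse the comma-separated key=value parameters of a Digest header."""
    if not value.startswith("Digest "):
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,]*)', value[len("Digest "):])
    return {k: v.strip('"') for k, v in pairs}


def digest_response(username, password, realm, nonce, method, uri):
    """response = MD5(HA1:nonce:HA2) with HA1 = MD5(user:realm:pass),
    HA2 = MD5(method:uri). Binding the method and URI means a captured
    REGISTER response cannot be reused for an INVITE."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def make_authorization(challenge_value, username, password, method, uri, proxy=False):
    """Client side: answer a challenge by resending the request with credentials."""
    params = parse_digest(challenge_value)
    response = digest_response(username, password, params["realm"],
                               params["nonce"], method, uri)
    header = "Proxy-Authorization" if proxy else "Authorization"
    value = (f'Digest username="{username}", realm="{params["realm"]}", '
             f'nonce="{params["nonce"]}", uri="{uri}", response="{response}", '
             f'algorithm=MD5')
    return header, value


def verify_authorization(value, method, issued_nonce):
    """Server side: recompute the expected response and compare in constant time.
    The nonce must be the one this server issued, otherwise a replayed header
    from an earlier exchange would be accepted."""
    params = parse_digest(value)
    password = USERS.get(params.get("username"))
    if password is None or params.get("nonce") != issued_nonce:
        return False
    expected = digest_response(params["username"], password, params["realm"],
                               params["nonce"], method, params["uri"])
    return hmac.compare_digest(expected, params.get("response", ""))


if __name__ == "__main__":
    code, hdr, challenge = make_challenge(REALM)
    nonce = parse_digest(challenge)["nonce"]
    print(code, hdr + ": " + challenge)
    ahdr, auth = make_authorization(challenge, "alice", USERS["alice"],
                                    "REGISTER", "sip:example.com")
    print(ahdr + ": " + auth)
    print("verified:", verify_authorization(auth, "REGISTER", nonce))
```

Running the block prints a 401 challenge, the client's Authorization header for a REGISTER, and the server's verdict. Note that the server stores nothing but the nonce it issued; the nonce check is what turns the slides' "resend the same request with an Authorization header" into something a third party who saw the first exchange cannot repeat.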
Basics of SIP Security
● S/MIME is an extension to the MIME standard that allows encryption and signing of SIP messages, since SIP uses MIME for its message bodies.
● S/MIME only protects the SIP signaling, not the media streams.

Basics of SIP Security
● SRTP (Secure RTP) can be used to send media streams over an encrypted channel.
● SRTP is not really within the domain of SIP, since SIP does not care how the media streams are transferred once they are negotiated.

What is NAT and how does SIP traverse NAT?

SIP and NAT
● NAT (Network Address Translation) is a way to allow several computers to share public IP addresses.
● In many places, IP addresses are scarce and/or expensive.

SIP and NAT
● A NAT box is placed at the edge of the network.
● The NAT box has two IP addresses:
– On the public side it has a public IP address.
– On the private side it has a private address. There are three ranges of private addresses that anyone may use freely on their own network.

SIP and NAT
● Sometimes a request from the internal network must pass the NAT box to get to the external network.
– The request reaches the NAT box.
– The NAT box rewrites the packet so that it appears to come from its own public IP address instead of the private IP address of the original client.
– The NAT box sends the packet on to the original destination, using a randomly selected port as the source port.

SIP and NAT
● When a response comes, the NAT box must make sure that it reaches the correct place.
– The NAT box looks at what port the response came back on.
– If this port is listed in its internal translation table, it sends the packet on to the internal client listed in the translation table.
– The translation table is updated each time packets are sent from the inside to the outside.

SIP and NAT
● When using SIP, NAT is a problem.
● Some SIP headers contain the IP address of the originating client.
– Contact:
● When a SIP packet contains an SDP payload, this also contains the IP address of the originating client, as well as a port.
● The IP address and port specify where the originating client wants media to be sent.

SIP and NAT
● There are different solutions to this problem:
– SIP-aware NAT
– STUN

SIP and NAT
● A SIP-aware NAT means that the NAT box must be aware of the SIP protocol and know how it works.
● This is a general solution that works for all clients, but it requires a special NAT box.

SIP and NAT
● When a SIP packet reaches the NAT box...
– The NAT box rewrites the IP-level source address.
– The NAT box looks in the SIP headers for IP addresses of internal clients and rewrites them.
– Any internal IP addresses found in the SDP payload are also rewritten to the NAT box's external address.
– The packet is sent on to the external network.

SIP and NAT
● When a response comes back in, the NAT box must send it on to the internal client, just as for any other request.
● When media comes in, the NAT box must look up what port the internal client wanted media to be sent to, and send it on to that port.

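The NAT slides above describe two mechanisms in words: the translation table that maps outbound flows to public ports and routes replies back, and the SIP-aware rewriting of Contact headers and SDP addresses. The model below is an added example written for this page, not Ingate's code; it combines both so the consequence is visible on a single constructed INVITE. The client address, NAT public address (a TEST-NET documentation address), port range and the INVITE itself are all constructed. The one detail beyond the slides is the use of Python's `ipaddress` module to decide which addresses count as private, which corresponds to the "three ranges of private addresses" mentioned earlier.

```python
import ipaddress
import re

# Constructed addresses: a client on a private network behind a NAT whose
# public side uses a TEST-NET-3 documentation address.
PRIVATE_CLIENT = ("192.168.1.10", 5060)
NAT_PUBLIC_IP = "203.0.113.5"

# Constructed INVITE exactly as the private client would emit it (CRLF endings).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.10:5060",
    "From: <sip:alice@example.net>",
    "To: <sip:bob@example.net>",
    "Contact: <sip:alice@192.168.1.10:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 1 1 IN IP4 192.168.1.10",
    "c=IN IP4 192.168.1.10",
    "m=audio 49170 RTP/AVP 0",
    "",
])

ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")  # host:port in headers


class SipAwareNat:
    """Translation table plus SIP/SDP rewriting, as the slides describe it."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # public port -> (private ip, private port)
        self.reverse = {}  # (private ip, private port) -> public port

    def map_private(self, private_addr):
        """Allocate a public port for a private (ip, port), reusing an existing one."""
        if private_addr not in self.reverse:
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[port] = private_addr
            self.reverse[private_addr] = port
        return self.reverse[private_addr]

    def outbound(self, src, payload):
        """Packet leaving the private side: new IP-level source, rewritten SIP body."""
        return (self.public_ip, self.map_private(src)), self.rewrite_sip(payload)

    def inbound(self, dst_port, payload):
        """Packet arriving on the public side: forward only if the port is mapped."""
        private = self.table.get(dst_port)
        return (private, payload) if private else None  # unmapped traffic is dropped

    def rewrite_sip(self, msg):
        head, sep, body = msg.partition("\r\n\r\n")

        def translate(m):
            ip, port = m.group(1), int(m.group(2))
            if not ipaddress.ip_address(ip).is_private:
                return m.group(0)  # public addresses are left alone
            return f"{self.public_ip}:{self.map_private((ip, port))}"

        # Headers that carry the client's own address (Via and Contact).
        lines = head.split("\r\n")
        for i, line in enumerate(lines):
            if line.startswith(("Via:", "Contact:")):
                lines[i] = ADDR_RE.sub(translate, line)
        head = "\r\n".join(lines)

        # SDP: allocate a public port for each m= line, then replace the address.
        conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        if conn and ipaddress.ip_address(conn.group(1)).is_private:
            media_ip = conn.group(1)

            def media_port(m):
                public = self.map_private((media_ip, int(m.group(2))))
                return f"{m.group(1)}{public}{m.group(3)}"

            body = re.sub(r"^(m=\w+ )(\d+)( .*)$", media_port, body, flags=re.M)
            body = body.replace(media_ip, self.public_ip)
        return head + sep + body


if __name__ == "__main__":
    nat = SipAwareNat(NAT_PUBLIC_IP)
    (ip, port), rewritten = nat.outbound(PRIVATE_CLIENT, SAMPLE_INVITE)
    print(f"IP-level source after NAT: {ip}:{port}")
    print(rewritten)
    print("RTP arriving on public port 40001 goes to:", nat.inbound(40001, b"rtp")[0])
```

Without the SDP step, the far end would read `c=IN IP4 192.168.1.10` and send RTP to an address that is unreachable from the public Internet, which is exactly the one-way-audio failure the slides lead up to. The `inbound` method also shows why a plain NAT is already a partial filter: a packet to a port with no table entry has nowhere to go.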
SIP and NAT
● A SIP client can implement STUN (Simple Traversal of UDP through NAT).
● With STUN, the client first detects if it is behind a NAT box.
● If so, it uses information obtained from the STUN server to put the IP address and port of the NAT box in the SIP packet instead of its own.
● Needs extra code in the clients and does not work with all NAT boxes.

What is a firewall and how does SIP cross a firewall?

SIP and Firewalls
● A firewall is a device that guards a network from unwanted traffic.
● A firewall often, but not necessarily, also contains the functions of a NAT box.

SIP and Firewalls
● In general, a firewall can be configured to allow or disallow traffic into or out from any network connected to it based on various criteria:
– Source address.
– Destination address.
– Protocol used.
– Time of day.
– ...

SIP and Firewalls
● Just as a NAT box, a firewall is a problem for SIP traffic.
● First, to enable SIP traversal of a firewall, the firewall must allow traffic on port 5060 to flow past the firewall. This is easy to configure.

SIP and Firewalls
● However, a SIP client doesn't only need to send traffic on the SIP signaling port (5060). It also needs to send media traffic.
● Media traffic is normally sent on a randomly chosen high port.
– These ports are normally closed on a firewall.
– Opening all of them is not a viable option.

SIP and Firewalls
● To resolve this problem, the firewall needs to understand both the SIP packets and their SDP payload.
● For a SIP request that contains SDP, the firewall must allocate ports on its own external IP address to be used instead of those given by the client.
● The firewall must make sure that these ports are open for media traffic when the session is set up, and closed again when the session is torn down.

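The slide above states the requirement: allocate external media ports per session, open them only while the session is up, and close them at teardown. The following is an added example for this page, not Ingate's firewall code; it models that lifecycle by tying allocated pinholes to the SIP Call-ID, keeping them closed until the 200 OK confirms the session, and removing them on BYE or on a failed INVITE, so that the only port open statically is 5060. The external address (a TEST-NET-2 documentation address), the port range, and the INVITE and BYE messages are constructed; the `on_inbound_response` hook takes the Call-ID and status code directly instead of parsing a full response, to keep the lifecycle itself in focus.

```python
import re

SIP_PORT = 5060
EXTERNAL_IP = "198.51.100.7"  # constructed TEST-NET-2 address for the firewall

# Constructed messages from an internal client at 10.0.0.20 (CRLF endings).
CALL_ID = "a84b4c76e66710@10.0.0.20"
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0",
    f"Call-ID: {CALL_ID}",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "c=IN IP4 10.0.0.20",
    "m=audio 49170 RTP/AVP 0",
    "",
])
SAMPLE_BYE = f"BYE sip:bob@example.net SIP/2.0\r\nCall-ID: {CALL_ID}\r\n\r\n"


class SipAwareFirewall:
    """Only the SIP port is open statically; media pinholes follow the session."""

    def __init__(self, external_ip=EXTERNAL_IP, first_media_port=50000):
        self.external_ip = external_ip
        self.next_port = first_media_port
        self.pending = {}  # Call-ID -> {external port: (internal ip, internal port)}
        self.active = {}   # same shape, but only for confirmed sessions

    def allows_inbound(self, dst_port):
        """Filter decision for a packet arriving on the external interface."""
        if dst_port == SIP_PORT:
            return True
        return any(dst_port in ports for ports in self.active.values())

    def on_outbound_request(self, msg):
        """Inspect an outbound request. INVITE with SDP gets external ports
        allocated (not yet opened); BYE tears the session's pinholes down."""
        method = msg.split(" ", 1)[0]
        call_id = re.search(r"^Call-ID:\s*(\S+)", msg, re.M).group(1)
        if method == "BYE":
            self.pending.pop(call_id, None)
            self.active.pop(call_id, None)
            return msg
        head, sep, body = msg.partition("\r\n\r\n")
        conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        if method != "INVITE" or conn is None:
            return msg
        internal_ip = conn.group(1)
        allocated = self.pending.setdefault(call_id, {})

        def allocate(m):
            # Each m= line gets its own external port, remembered per Call-ID.
            ext_port, self.next_port = self.next_port, self.next_port + 1
            allocated[ext_port] = (internal_ip, int(m.group(2)))
            return f"{m.group(1)}{ext_port}{m.group(3)}"

        body = re.sub(r"^(m=\w+ )(\d+)( .*)$", allocate, body, flags=re.M)
        body = body.replace(internal_ip, self.external_ip)
        return head + sep + body

    def on_inbound_response(self, call_id, status):
        """A 200 OK to the INVITE opens the pinholes; a final error discards them."""
        if status == 200 and call_id in self.pending:
            self.active[call_id] = self.pending.pop(call_id)
        elif status >= 300:
            self.pending.pop(call_id, None)

    def route_inbound_media(self, dst_port):
        """Where an inbound media packet on an open pinhole is delivered."""
        for ports in self.active.values():
            if dst_port in ports:
                return ports[dst_port]
        return None


if __name__ == "__main__":
    fw = SipAwareFirewall()
    print(fw.on_outbound_request(SAMPLE_INVITE))
    print("RTP port open before 200 OK:", fw.allows_inbound(50000))
    fw.on_inbound_response(CALL_ID, 200)
    print("RTP port open after 200 OK:", fw.allows_inbound(50000),
          "->", fw.route_inbound_media(50000))
    fw.on_outbound_request(SAMPLE_BYE)
    print("RTP port open after BYE:", fw.allows_inbound(50000))
```

The point of separating `pending` from `active` is that an INVITE alone should not open anything: a call that is rejected or never answered leaves no pinhole behind, and a peer who learned the allocated port from the SDP still cannot reach the internal client until the session is actually confirmed. A production device would additionally expire idle sessions whose BYE was never seen.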
Handling inbound requests through the firewall

SIP and Firewalls
● Handling inbound requests is also a problem when a firewall (or NAT box) is involved.
● An external client can only see the firewall/NAT box, not the internal clients or an internal SIP server/registrar.

SIP and Firewalls
● Ways for a firewall to handle inbound requests:
– Configure the firewall to statically send all inbound SIP requests on to a SIP proxy on the internal network, and let that proxy use its registrar to figure out where to forward the request.
– Implement a SIP registrar in the firewall, so that the firewall can decide itself where a SIP request needs to be forwarded to.

Security, NATs and Firewalls Ingate Systems Bringing SIP to the Enterprise