Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.

Published byElinor Riley Modified over 8 years ago

Similar presentations

Presentation on theme: "Security, NATs and Firewalls Ingate Systems. Basics of SIP Security."— Presentation transcript:

1 Security, NATs and Firewalls Ingate Systems

2 Basics of SIP Security

3 ● TLS ● Authentication ● S/MIME ● SRTP

4 Basics of SIP Security ● SIP is normally run over port 5060, using either TCP or UDP. ● It is also possible to encrypt the SIP signaling with SSL, and in that case port 5061 is used. ● To do this, a reliable transport protocol must be used, and thus SSL can only be used with TCP.

5 Basics of SIP Security ● The combination of SIP and SSL is called TLS (Transport Layer Security). ● TLS is hop-by-hop encryption, and is not necessarily used for all hops of a call. ● If a sips: address is used instead of a sip: address, then the entire call is made using TLS hops, and the call signaling will be encrypted all the way. ● TLS only protects the SIP signaling, not the media streams.

6 Basics of SIP Security ● A SIP server or proxy can require authentication from a SIP client before processing a SIP request. ● Authentication is done in the same way as with HTTP, with Digest authentication. ● Basic authentication, also defined in the HTTP specification, is not allowed.

7 Basics of SIP Security ● A SIP server can require authentication in two different ways: – Regular authentication ● 401 Unauthorized – Proxy authentication ● 407 Proxy Authentication Required

8 Basics of SIP Security ● Upon receipt of a 401, a SIP client resends the same request again, but with an Authorization header added. REGISTER 200 OK REGISTER + Authorization-header Registrar 401 Unauthorized

9 Basics of SIP Security ● An authorization request can be proxied to another server. REGISTER 401 Unauthorized REGISTER 100 Trying 200 OK Proxy 401 Unauthorized REGISTER + Auth-header 100 Trying 200 OK Server

10 Basics of SIP Security ● A proxy in the signaling path can require authorization before sending a request on. ● In this case, a 407 response is sent. INVITE 100 Trying INVITE + Authorization-header Proxy 407 Proxy Authentication Required INVITE

11 Basics of SIP Security ● S/MIME is an extension to the MIME standard that allows encryption and signing of SIP messages, since SIP uses MIME for its message bodies. ● S/MIME only protects the SIP signaling, not the media streams.

12 Basics of SIP Security ● SRTP (Secure RTP) can be used to send media streams over an encrypted channel. ● SRTP is not really within the domain of SIP, since SIP does not care how the media streams are transfered, once they are negotiated.

13 What is NAT and how does SIP traverse NAT?

14 SIP and NAT ● NAT (Network Address Translation) is a way to allow several computers to share public IP addresses. ● In many places, IP addresses are scarce and/or expensive.

15 SIP and NAT ● A NAT box is placed at the edge of the network. ● The NAT box has two IP addresses: – On the public side it has a public IP address. – On the private side it has a private address. There are three series of private addresses from which anyone can use addresses as they please.

16 SIP and NAT ● Sometimes a request from the internal network must pass the NAT box to get to the external network. – The request reaches the NAT box. – The NAT box rewrites the packet so that it appears to come from its own public IP address instead of the private IP address of the original client. – The NAT box sends the packet on to the original destination, using a randomly selected port as the source port.

17 SIP and NAT ● When a response comes, the NAT box must make sure that it reaches the correct place. – The NAT box looks at what port the reponse came back on. – If this port is listed in its internal translation table, it sends the packet on to the internal client listed in the translation table. – The translation table is updated each time packets are sent from the inside to the outside.

18 SIP and NAT ● When using SIP, NAT is a problem. ● Some SIP headers contain the IP address of the originating client. – Contact: ● When a SIP packet contains an SDP payload, this also contains the IP address of the originating client, as well as a port. ● The IP address and port specify where the originating client wants media to be sent.

19 SIP and NAT ● There are different solutions to this problem: – SIP-aware NAT – STUN

20 SIP and NAT ● A SIP-aware NAT means that the NAT box must be aware of the SIP protocol and know how it works. ● This is a general solution that works for all clients, but it requires a special NAT box.

21 SIP and NAT ● When a SIP packet reaches the NAT box... – The NAT box rewrites the IP-level source address. – The NAT box looks in the SIP headers for IP addresses of internal clients and rewrites them. – Any internal IP addresses found in the SDP payload are also rewritten to the NAT box's external address. – The packet is sent on the the external network.

22 SIP and NAT ● When a response comes back in, the NAT box must send it on to the internal client, just as for any other request. ● When media comes in, the NAT box must look up what port the internal client wanted media to be sent to, and send it on to that port.

23 SIP and NAT ● A SIP client can implement STUN (Simple Traversal of UDP through NAT). ● With STUN, the client first detects if it is behind a NAT box. ● If so, it uses information gotten from the STUN server to put in the IP address and port of the NAT box in the SIP packet instead of its own. ● Needs extra code in the clients and does not work with all NAT boxes.

24 What is a firewall and how does SIP cross a firewall ?

25 SIP and Firewalls ● A firewall is a device that guards a network from unwanted traffic. ● A firewall often, but not necessarily, also contains the functions of a NAT box.

26 SIP and Firewalls ● In general, a firewall can be configured to allow or disallow traffic into or out from any network connected to it based on various criteria: – Source address. – Destination address. – Protocol used. – Time of day. –...

27 SIP and Firewalls ● Just as a NAT box, a firewall is a problem for SIP traffic. ● First, to enable SIP traversal of a firewall, the firewall must allow traffic on port 5060 to flow past the firewall. This is easy to configure.

28 SIP and Firewalls ● However, a SIP client doesn't only need to send traffic on port 5060. It also needs to send media traffic. ● Media traffic is normally sent on a randomly chosen high port. – These ports are normally closed on a firewall. – Opening all of them is not a viable option.

29 SIP and Firewalls ● To resolve this problem, the firewall needs to understand both the SIP packets and their SDP payload. ● For a SIP request that contains SDP, the firewall must allocate ports on its own external IP address to be used instead of those given by the client. ● The firewall must make sure that these ports are open for media traffic when the session is set up, and closed again when the session is torn down.

30 Handling inbound requests through the firewall

31 SIP and Firewalls ● Handling inbound requests is also a problem when a firewall (or NAT box) is involved. ● An external client can only see the firewall/NAT box, not the internal clients or an internal SIP server/registrar.

32 SIP and Firewalls ● Ways for a firewall to handle inbound requests: – Configure the firewall to statically send all inbound SIP requests on to a SIP proxy on the internal network, and let that proxy use its registrar to figure out where to forward the request. – Implement a SIP registrar in the firewall, so that the firewall can decide itself where a SIP request needs to be forwarded to.

33 Security, NATs and Firewalls Ingate Systems www.ingate.com Bringing SIP to the Enterprise

Download ppt "Security, NATs and Firewalls Ingate Systems. Basics of SIP Security."

Similar presentations

SIP, Firewalls and NATs Oh My!. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.
Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they.

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
CST 415 - Computer Networks NAT CST 415 4/10/2017 CST 415 - Computer Networks.

CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
Umut Girit 200535027.  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
January 23-26, 2007 Ft. Lauderdale, Florida An introduction to SIP Simon Millard Professional Services Manager Aculab.

January 23-26, 2007 Ft. Lauderdale, Florida An introduction to SIP Simon Millard Professional Services Manager Aculab.
1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID STUN, TURN and ICE Cary Fitzgerald.

1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID STUN, TURN and ICE Cary Fitzgerald.
H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.
Network Layer and Transport Layer.

Network Layer and Transport Layer.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
SIP Security Matt Hsu.

SIP Security Matt Hsu.
RTSP NAT Traversal Update Magnus Westlund (Ericsson) Thomas Zeng (PVNS, an Alcatel company) IETF-60 MMUSIC WG draft-ietf-mmusic-rtsp-nat-03.txt.

RTSP NAT Traversal Update Magnus Westlund (Ericsson) Thomas Zeng (PVNS, an Alcatel company) IETF-60 MMUSIC WG draft-ietf-mmusic-rtsp-nat-03.txt.
SIP, NAT, Firewall SIP NAT Firewall How to Traversal NAT/Firewall for SIP.

SIP, NAT, Firewall SIP NAT Firewall How to Traversal NAT/Firewall for SIP.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Secure Telephony Enabled Middle-box (STEM) Maggie Nguyen Dr. Mark Stamp SJSU - CS 265 Spring 2003 STEM is proposed as a solution to network vulnerabilities,

Secure Telephony Enabled Middle-box (STEM) Maggie Nguyen Dr. Mark Stamp SJSU - CS 265 Spring 2003 STEM is proposed as a solution to network vulnerabilities,
IT Expo SECURITY Scott Beer Director, Product Support Ingate +1-613-963-0933.

IT Expo SECURITY Scott Beer Director, Product Support Ingate
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
A Brief Taxonomy of Firewalls

A Brief Taxonomy of Firewalls

Similar presentations

Ads by Google