Security, NATs and Firewalls Ingate Systems

Post on 03-Jan-2016


Basics of SIP Security

● TLS
● Authentication
● S/MIME
● SRTP

Basics of SIP Security

● SIP is normally run over port 5060, using either TCP or UDP.

● It is also possible to encrypt the SIP signaling with SSL, and in that case port 5061 is used.

● To do this, a reliable transport protocol must be used, and thus SSL can only be used with TCP.

Basics of SIP Security

● The combination of SIP and SSL is called TLS (Transport Layer Security).

● TLS is hop-by-hop encryption, and is not necessarily used for all hops of a call.

● If a sips: address is used instead of a sip: address, then the entire call is made using TLS hops, and the call signaling will be encrypted all the way.

● TLS only protects the SIP signaling, not the media streams.

Basics of SIP Security

● A SIP server or proxy can require authentication from a SIP client before processing a SIP request.

● Authentication is done in the same way as with HTTP, with Digest authentication.

● Basic authentication, also defined in the HTTP specification, is not allowed.

Basics of SIP Security

● A SIP server can require authentication in two different ways:
  – Regular authentication: 401 Unauthorized
  – Proxy authentication: 407 Proxy Authentication Required

Basics of SIP Security

● Upon receipt of a 401, a SIP client resends the same request again, but with an Authorization header added.

[Diagram: the client sends REGISTER to the Registrar; the Registrar answers 401 Unauthorized; the client sends REGISTER + Authorization-header; the Registrar answers 200 OK.]

Basics of SIP Security

● An authorization request can be proxied to another server.

[Diagram: Client, Proxy and Server. The REGISTER is forwarded by the Proxy to the Server; the Server's 401 Unauthorized is relayed back to the client; REGISTER + Auth-header is forwarded the same way and answered with 100 Trying and finally 200 OK.]

Basics of SIP Security

● A proxy in the signaling path can require authorization before sending a request on.

● In this case, a 407 response is sent.

[Diagram: the client sends INVITE to the Proxy; the Proxy answers 407 Proxy Authentication Required; the client sends INVITE + Authorization-header; the Proxy answers 100 Trying and forwards the INVITE.]
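To make the 401 and 407 exchanges above concrete, here is an added example (not code from the slides or from Ingate) of both sides of SIP Digest authentication: the client answers the challenge with an Authorization or Proxy-Authorization header, and the registrar or proxy recomputes and checks it. The challenge, realm, nonce and credentials are constructed values, and the function names are mine.

```python
import hashlib
import hmac
import re

# Constructed challenge (not from the slides), as a registrar would send it in a 401
# WWW-Authenticate header or a proxy in a 407 Proxy-Authenticate header.
SAMPLE_CHALLENGE = 'Digest realm="atlanta.example", nonce="f1e2d3c4b5a6", algorithm=MD5'

def parse_digest_params(header_value):
    """Split 'Digest k="v", k2=v2' into a dict; SIP forbids Basic, so any other scheme is rejected."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("SIP only allows Digest authentication, got " + scheme)
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}

def digest_response(username, password, realm, nonce, method, uri):
    # Same computation as HTTP Digest (RFC 2617), shown here without qop:
    #   response = MD5( MD5(user:realm:password) ":" nonce ":" MD5(method:uri) )
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def build_credentials(status_code, challenge, username, password, method, uri):
    """Client side: the header added when the request is resent, Authorization after a 401
    and Proxy-Authorization after a 407, carrying a digest bound to the challenge nonce."""
    c = parse_digest_params(challenge)
    resp = digest_response(username, password, c["realm"], c["nonce"], method, uri)
    header = "Proxy-Authorization" if status_code == 407 else "Authorization"
    return (f'{header}: Digest username="{username}", realm="{c["realm"]}", '
            f'nonce="{c["nonce"]}", uri="{uri}", response="{resp}", algorithm=MD5')

def verify_credentials(header_line, expected_nonce, lookup_password, method):
    """Server or proxy side: recompute the response from the stored password and compare it in
    constant time; a nonce the server did not issue is rejected (stale or replayed)."""
    _, _, value = header_line.partition(":")
    p = parse_digest_params(value)
    if p.get("nonce") != expected_nonce:
        return False
    user = p.get("username", "")
    password = lookup_password(user)
    if password is None:
        return False
    expected = digest_response(user, password, p.get("realm", ""), p["nonce"], method, p.get("uri", ""))
    return hmac.compare_digest(expected, p.get("response", ""))

if __name__ == "__main__":
    hdr = build_credentials(401, SAMPLE_CHALLENGE, "alice", "secret", "REGISTER", "sip:atlanta.example")
    print(hdr)
    print(verify_credentials(hdr, "f1e2d3c4b5a6", {"alice": "secret"}.get, "REGISTER"))
```

The same digest covers the 407 case; only the header name changes, and the proxy checks it against its own nonce exactly as the registrar does.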

Basics of SIP Security

● S/MIME is an extension to the MIME standard that allows encryption and signing of SIP messages, since SIP uses MIME for its message bodies.

● S/MIME only protects the SIP signaling, not the media streams.

Basics of SIP Security

● SRTP (Secure RTP) can be used to send media streams over an encrypted channel.

● SRTP is not really within the domain of SIP, since SIP does not care how the media streams are transferred, once they are negotiated.

What is NAT and how does SIP traverse NAT?

SIP and NAT

● NAT (Network Address Translation) is a way to allow several computers to share public IP addresses.

● In many places, IP addresses are scarce and/or expensive.

SIP and NAT

● A NAT box is placed at the edge of the network.

● The NAT box has two IP addresses:
  – On the public side it has a public IP address.
  – On the private side it has a private address. There are three series of private addresses from which anyone can use addresses as they please.

SIP and NAT

● Sometimes a request from the internal network must pass the NAT box to get to the external network.
  – The request reaches the NAT box.
  – The NAT box rewrites the packet so that it appears to come from its own public IP address instead of the private IP address of the original client.
  – The NAT box sends the packet on to the original destination, using a randomly selected port as the source port.

SIP and NAT

● When a response comes, the NAT box must make sure that it reaches the correct place.
  – The NAT box looks at what port the response came back on.
  – If this port is listed in its internal translation table, it sends the packet on to the internal client listed in the translation table.
  – The translation table is updated each time packets are sent from the inside to the outside.

SIP and NAT

● When using SIP, NAT is a problem.

● Some SIP headers contain the IP address of the originating client.
  – Contact:

● When a SIP packet contains an SDP payload, this also contains the IP address of the originating client, as well as a port.

● The IP address and port specify where the originating client wants media to be sent.

SIP and NAT

● There are different solutions to this problem:
  – SIP-aware NAT
  – STUN

SIP and NAT

● A SIP-aware NAT means that the NAT box must be aware of the SIP protocol and know how it works.

● This is a general solution that works for all clients, but it requires a special NAT box.

SIP and NAT

● When a SIP packet reaches the NAT box...
  – The NAT box rewrites the IP-level source address.
  – The NAT box looks in the SIP headers for IP addresses of internal clients and rewrites them.
  – Any internal IP addresses found in the SDP payload are also rewritten to the NAT box's external address.
  – The packet is sent on to the external network.

SIP and NAT

● When a response comes back in, the NAT box must send it on to the internal client, just as for any other request.

● When media comes in, the NAT box must look up what port the internal client wanted media to be sent to, and send it on to that port.

SIP and NAT

● A SIP client can implement STUN (Simple Traversal of UDP through NAT).

● With STUN, the client first detects if it is behind a NAT box.

● If so, it uses information obtained from the STUN server to put the IP address and port of the NAT box in the SIP packet instead of its own.

● Needs extra code in the clients and does not work with all NAT boxes.

What is a firewall and how does SIP cross a firewall?

SIP and Firewalls

● A firewall is a device that guards a network from unwanted traffic.

● A firewall often, but not necessarily, also contains the functions of a NAT box.

SIP and Firewalls

● In general, a firewall can be configured to allow or disallow traffic into or out from any network connected to it based on various criteria:
  – Source address.
  – Destination address.
  – Protocol used.
  – Time of day.
  – ...

SIP and Firewalls

● Just as a NAT box, a firewall is a problem for SIP traffic.

● First, to enable SIP traversal of a firewall, the firewall must allow traffic on port 5060 to flow past the firewall. This is easy to configure.

SIP and Firewalls

● However, a SIP client doesn't only need to send traffic on port 5060. It also needs to send media traffic.

● Media traffic is normally sent on a randomly chosen high port.
  – These ports are normally closed on a firewall.
  – Opening all of them is not a viable option.

SIP and Firewalls

● To resolve this problem, the firewall needs to understand both the SIP packets and their SDP payload.

● For a SIP request that contains SDP, the firewall must allocate ports on its own external IP address to be used instead of those given by the client.

● The firewall must make sure that these ports are open for media traffic when the session is set up, and closed again when the session is torn down.
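As an added example (not code from the slides or from Ingate), the following sketches what the SIP-aware NAT and the SDP-aware firewall described above do with an outbound INVITE: private addresses in Via/Contact and in the SDP c= line are replaced by the public address, each m= port gets a port allocated on the public side, the pinhole is recorded so inbound media can be delivered, and it is closed again on BYE. Addresses, ports and the INVITE itself are constructed, and the class and method names are mine.

```python
import re
# RFC 1918 private ranges (10/8, 172.16/12, 192.168/16): the addresses a NAT has to rewrite.
PRIVATE_IP = re.compile(r"\b(?:10\.\d+\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+|192\.168\.\d+\.\d+)\b")
# Constructed example (not from the slides): an INVITE from a client on the private network.
SAMPLE_INVITE = (
    "INVITE sip:bob@biloxi.example SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\nCall-ID: a84b4c76e66710\r\n"
    "Content-Type: application/sdp\r\nContent-Length: 53\r\n\r\n"
    "v=0\r\nc=IN IP4 192.168.1.20\r\nm=audio 49170 RTP/AVP 0\r\n")

class SipAwareNat:
    """Rewrites Via/Contact and SDP c=/m= as a SIP-aware NAT or firewall does; pinholes live only while the call does."""
    def __init__(self, public_ip, first_port=30000):
        self.public_ip, self.next_port = public_ip, first_port
        self.pinholes = {}  # public port -> (private ip, private port): where inbound media is sent
        self.calls = {}     # Call-ID -> public ports to close again on BYE
    def outbound(self, message):
        # Rewrite a SIP request or response leaving the private network.
        head, sep, body = message.partition("\r\n\r\n")
        lines = head.split("\r\n")
        call_id = next((l.split(":", 1)[1].strip() for l in lines if l.lower().startswith("call-id:")), "")
        if body:
            body = self._rewrite_sdp(body, call_id)
        out = []
        for line in lines:
            name = line.split(":", 1)[0].strip().lower()
            if name in ("via", "contact"):        # headers that carry the client's private address
                line = PRIVATE_IP.sub(self.public_ip, line)
            elif name == "content-length":        # the body length changed with the rewrite
                line = f"Content-Length: {len(body.encode())}"
            out.append(line)
        return "\r\n".join(out) + sep + body
    def _rewrite_sdp(self, sdp, call_id):
        # Assumes the common layout: a session-level c= line before the m= lines.
        private_ip, out = None, []
        for line in sdp.split("\r\n"):
            if line.startswith("c=IN IP4 "):
                private_ip, line = line[9:].strip(), "c=IN IP4 " + self.public_ip
            elif line.startswith("m=") and private_ip:
                kind, port, rest = line.split(" ", 2)
                pub, self.next_port = self.next_port, self.next_port + 2  # RTP even, RTCP odd
                self.pinholes[pub] = (private_ip, int(port))              # open the pinhole
                self.calls.setdefault(call_id, []).append(pub)
                line = f"{kind} {pub} {rest}"
            out.append(line)
        return "\r\n".join(out)
    def teardown(self, call_id):
        # On BYE, close the call's pinholes so the ports do not stay open afterwards.
        for pub in self.calls.pop(call_id, []):
            self.pinholes.pop(pub, None)
```

Media arriving on a public port not present in `pinholes` has no destination and is dropped, which is the firewall behaviour the slides ask for outside a session.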

Handling inbound requests through the firewall

SIP and Firewalls

● Handling inbound requests is also a problem when a firewall (or NAT box) is involved.

● An external client can only see the firewall/NAT box, not the internal clients or an internal SIP server/registrar.

SIP and Firewalls

● Ways for a firewall to handle inbound requests:
  – Configure the firewall to statically send all inbound SIP requests on to a SIP proxy on the internal network, and let that proxy use its registrar to figure out where to forward the request.
  – Implement a SIP registrar in the firewall, so that the firewall can decide itself where a SIP request needs to be forwarded to.

Security, NATs and Firewalls

Ingate Systems, www.ingate.com

Bringing SIP to the Enterprise