The TLS and SRTP Combination
Firewalls offer the ability to encrypt SIP signaling by changing the transport from UDP/TCP to TLS (Transport Layer Security). Some also include support for SRTP (Secure Real-time Transport Protocol), which protects the media stream itself with encryption, message authentication and replay protection.
Together, the SRTP-TLS combination protects media from being overheard by unauthorized persons, providing a very high level of security for live data. Using TLS and SRTP to encrypt signaling and media traversing the Internet defeats eavesdroppers, hackers and spoofers. The firewall can decrypt the signaling and media and deliver them "in the clear" to devices on the Local Area Network (LAN), or pass the encrypted packets on to the server or phone so that they stay encrypted all the way to the user. This flexibility permits the network administrator to tailor the use of encryption to the needs of the organization and to the capabilities of the other SIP equipment in the network. One caveat applies: with the common SDES method the SRTP keys are carried in the SDP body of the signaling (the a=crypto attribute), so the media is only as protected as the signaling hop that carries those keys; an SRTP offer sent over plain UDP or TCP hands the key to anyone who can read the INVITE. The integrity of the call is much stronger than anything possible on the PSTN. Used in conjunction with Ingate's full SIP proxy technology, Ingate's TLS-SRTP combination delivers maximum protection for enterprises using SIP communications.
Providing all important layers of SIP security.
Solid firewalls have deep packet inspection (DPI) capability, which gives the device the ability to look at Layers 2 through 7 of the OSI model. Since SIP is an application-layer (Layer 7) protocol, such products can evaluate the SIP packets themselves and apply protocol-compliance rules, routing rules and policies. Deep packet inspection also provides an important layer of security.
How else does a proper plan ensure security for SIP applications?
Products that strictly adhere to the SIP protocol check specifically for SIP compliance. If a message fails SIP protocol compliance, the Ingate uses its SIP components, such as its full SIP proxy and SIP B2BUA, to correct or discard the SIP traffic and resolve the compliance issue.
Such products can also apply policies to correct SIP non-conformances in various areas, such as:
Removal of Via Headers
SIP Method Processing Rules
MIME Content Filtering
SIP Offer / Answer Call Flow
Escaped Whitespace Rules
SIP Method Authentication
180 Response Removal
Limitation of Media Streams
UDP Packet Size
Limitation of RTP Codecs
and more.
Depending on the nature of the failure to adhere to the protocol, the Ingate can also deny service to the offending source, dropping its traffic rather than merely correcting it.
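To make these policies concrete, here is an added example, written for this page and not Ingate's code, of a small SIP normalizer in Python that applies several of the rules listed above to an INVITE: a method allow-list, a MIME allow-list, a limit on the number of media streams, a codec allow-list that strips disallowed payload types (and their a=rtpmap/a=fmtp lines), a UDP datagram size limit, and Via replacement for topology hiding. It also carries the TLS/SRTP check from the first section: an offer carrying SDES-SRTP keys (a=crypto) that arrives over anything but TLS is discarded, because those keys would otherwise be readable on the wire. The policy values, the addresses and the sample INVITE are all constructed for the illustration.

```python
import re

# Policy values are assumptions for this illustration, not Ingate defaults.
MAX_UDP_BYTES = 1300                      # larger datagrams tend to fragment
ALLOWED_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}
ALLOWED_MIME = {"application/sdp", "application/dtmf-relay"}
MAX_MEDIA_STREAMS = 2
ALLOWED_CODECS = {"PCMU", "PCMA", "G729", "TELEPHONE-EVENT"}
STATIC_PAYLOAD_TYPES = {"0": "PCMU", "8": "PCMA", "18": "G729"}
SBC_VIA = "SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK-sbc-1"   # the device's own Via


def parse_sip(raw: bytes):
    """Split a SIP message into (start_line, [(name, value), ...], body)."""
    head, _, body = raw.decode("utf-8", errors="replace").partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (ln.partition(":") for ln in lines[1:])]
    return lines[0], headers, body


def build_sip(start_line: str, headers, body: str) -> bytes:
    """Serialize a message, recomputing Content-Length for the (possibly edited) body."""
    kept = [(n, v) for n, v in headers if n.lower() != "content-length"]
    kept.append(("Content-Length", str(len(body.encode()))))
    return "\r\n".join([start_line] + [f"{n}: {v}" for n, v in kept] + ["", body]).encode()


def filter_codecs(body: str):
    """Drop payload types whose codec is not allowed. Returns (body, removed, empty_stream)."""
    lines = body.split("\r\n")
    rtpmap = {}                                # dynamic payload type -> encoding name
    for line in lines:
        m = re.match(r"a=rtpmap:(\d+)\s+([^/]+)/", line)
        if m:
            rtpmap[m.group(1)] = m.group(2).upper()
    removed, out, empty_stream = [], [], False
    for line in lines:
        if line.startswith("m="):
            fields, keep = line.split(), []
            for pt in fields[3:]:
                name = rtpmap.get(pt, STATIC_PAYLOAD_TYPES.get(pt, "UNKNOWN"))
                (keep if name in ALLOWED_CODECS else removed).append(pt)
            empty_stream = empty_stream or not keep
            line = " ".join(fields[:3] + keep)
        attr = re.match(r"a=(?:rtpmap|fmtp):(\d+)\s", line)
        if attr and attr.group(1) in removed:
            continue                           # attribute of a stripped payload type
        out.append(line)
    return "\r\n".join(out), removed, empty_stream


def normalize(raw: bytes, transport: str):
    """Apply the policy to one message. Returns (verdict, notes, rewritten bytes or None)."""
    start_line, headers, body = parse_sip(raw)
    get = lambda name: [v for n, v in headers if n.lower() == name]
    if transport == "udp" and len(raw) > MAX_UDP_BYTES:
        return "discard", [f"UDP datagram of {len(raw)} bytes exceeds {MAX_UDP_BYTES}"], None
    if not start_line.startswith("SIP/2.0"):   # a request, not a response
        method = start_line.split(" ", 1)[0]
        if method not in ALLOWED_METHODS:
            return "discard", [f"method {method} not allowed"], None
    for ctype in get("content-type"):
        if ctype.split(";")[0].strip().lower() not in ALLOWED_MIME:
            return "discard", [f"MIME type {ctype} not allowed"], None
    # SDES-SRTP keys ride inside the SDP; over UDP/TCP they are readable on the wire.
    if "a=crypto:" in body and transport != "tls":
        return "discard", ["SDES-SRTP key offered over unencrypted signaling"], None
    streams = [ln for ln in body.split("\r\n") if ln.startswith("m=")]
    if len(streams) > MAX_MEDIA_STREAMS:
        return "discard", [f"{len(streams)} media streams exceeds {MAX_MEDIA_STREAMS}"], None
    notes = []
    body, removed, empty_stream = filter_codecs(body)
    if empty_stream:
        return "discard", ["no permitted codec left in a media stream"], None
    if removed:
        notes.append("removed payload types " + " ".join(removed))
    vias = get("via")                          # topology hiding: hide internal hops
    if vias:
        headers = [("Via", SBC_VIA)] + [(n, v) for n, v in headers if n.lower() != "via"]
        notes.append(f"replaced {len(vias)} Via header(s)")
    return "forward", notes, build_sip(start_line, headers, body)


# Constructed sample: an INVITE from an internal phone that crossed two internal hops.
SAMPLE_SDP = ("v=0\r\no=alice 2890844526 2890844526 IN IP4 10.0.0.5\r\ns=-\r\n"
              "c=IN IP4 10.0.0.5\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0 8 97 101\r\n"
              "a=rtpmap:0 PCMU/8000\r\na=rtpmap:8 PCMA/8000\r\na=rtpmap:97 iLBC/8000\r\n"
              "a=fmtp:97 mode=30\r\na=rtpmap:101 telephone-event/8000\r\n")
SAMPLE_INVITE = build_sip(
    "INVITE sip:bob@example.net SIP/2.0",
    [("Via", "SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds"),
     ("Via", "SIP/2.0/UDP 10.0.0.2:5060;branch=z9hG4bKnashds8"),
     ("From", '"Alice" <sip:alice@example.com>;tag=1928301774'),
     ("To", "<sip:bob@example.net>"), ("Call-ID", "a84b4c76e66710@10.0.0.5"),
     ("CSeq", "314159 INVITE"), ("Contact", "<sip:alice@10.0.0.5:5060>"),
     ("Content-Type", "application/sdp")],
    SAMPLE_SDP)

if __name__ == "__main__":
    verdict, notes, rewritten = normalize(SAMPLE_INVITE, "udp")
    print(verdict, notes)
    print(rewritten.decode())
```

Running it forwards the sample INVITE with the iLBC payload type stripped and the two internal Vias replaced by the device's own; the same INVITE with an a=crypto line is forwarded only when the transport is "tls", and an oversized datagram, an unknown method or a non-SDP body is discarded before any rewriting.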
Deep Packet Inspection (DPI) will identify and classify the SIP traffic based on a signature database
Deep packet inspection (or DPI) is a powerful way to protect not just SIP traffic, but also the network. DPI is a form of packet filtering that examines the data (payload) as well as the UDP/TCP header of a packet as it passes through an Ingate SIParator or Firewall.
The device searches for protocol non-compliance, viruses, spam, intrusions or other predefined criteria to decide whether the packet can pass, needs to be routed to a different destination, or should be counted for statistical purposes. This contrasts with shallow packet inspection (usually called just packet inspection), which only checks the UDP/TCP header portion of a packet.
Shallow packet inspection is the kind of inspection commonly found in most NAT firewall devices.
Because they have deep packet inspection capability, Ingate firewalls can look at Layers 2 through 7 of the OSI model. Since SIP is an Application Layer (Layer 7) protocol, Ingate products are able to:
Look at the SIP protocol packets, to provide protocol-compliance rules, routing rules and statistical information, and
Provide IDS/IPS security features for an effective defense against overflow attacks, denial of service (DoS) attacks, and sophisticated intrusions. This inspection covers the headers and SIP protocol structures as well as the actual payload of the message.
DPI identifies and classifies the SIP traffic based on a signature database that includes information extracted from the data part of a UDP/TCP packet, providing extremely precise control of SIP traffic, finer than any classification based on header information alone.
With the proper protections in place, SIP applications are very secure.
Like any other application, Voice over IP and similar SIP applications should be implemented in a way that ensures the continued security and integrity of the enterprise network. With the proper protections in place, SIP applications are very secure. In fact, VoIP calls can be more secure than those made on the PSTN. That is just one example of how, with the right measures, any SIP application can be made secure enough for enterprise use.
The SIP protocol resides in the Application Layer; it is written in clear text within the datagram of a UDP or TCP transport. Because it is in clear text, it is readily readable by anyone trying to compromise your VoIP or data traffic. Sensitive IP addresses, port numbers, contact addresses, usernames, SIP capabilities, media stream attributes and more are all carried in the SIP protocol.
In addition, the VoIP media stream is also unencrypted by default. Common codecs such as G.711, G.723.1 and G.729 carry the audio in the clear, so conversations crossing the Internet can be recorded by anyone on the path. Given that SIP is a relatively new protocol for VoIP deployment, there have been few malicious SIP attacks to date. But as SIP becomes more widespread, the likelihood of such events increases. Since the SIP protocol was developed by the IETF, it has built-in capabilities (TLS for the signaling and SRTP for the media) that allow the security and control of the enterprise network to be maintained and measures to be taken to protect the integrity of all Internet-based communications, even the most sensitive conversations.
The IP-PBX should be deemed a “Mission Critical” server. The IP-PBX is the controller for all of the VoIP phones and SIP applications. Any service outage or degradation would result in the loss of communication and ultimately the loss of business revenue. The IP-PBX must be protected from the Internet and foreign or unknown networks just as any other mission-critical server on the network.
That means that the PBX should never be assigned a publicly routable IP address. Network Address Translation to the private address space provides a layer of isolation (the PBX is not directly reachable from the Internet) that must be maintained for the IP-PBX. Measures such as deep packet inspection, encryption with TLS and SRTP, authentication, intrusion detection and prevention (IDS/IPS), DoS attack detection and SIP (and SIPconnect) compliance checking are all necessary to protect not just the SIP traffic, but also the network.
Solid plans employ all of these and more, including filtering capabilities to ensure that only authorized users are permitted access. With an E-SBC in place, such as the SIParator from Ingate Systems, SIP communications can be introduced to the network securely while the enterprise remains in full control of its network.
In a managed service offering, often the service provider delivers an MPLS (Multi-Protocol Label Switching) interface and delivers a private address space into the organization from their network.
We discussed managed SIP trunk service offerings, what they are and their advantages. Now we'll drill down further and look at why Ingate is an important part of these deployments: to normalize SIP traffic, maintain network security and bridge the voice and data LANs for more effective use of SIP in the enterprise.
In a managed service offering, often the service provider delivers an MPLS (Multi-Protocol Label Switching) interface and delivers a private address space into the organization from their network. This resolves the NAT traversal issues. However, it does not solve SIP normalization issues between the IP-PBX and the ITSP, and it does not address security. Regardless of the delivery mechanism of the SIP trunks, the Ingate unit is still required to normalize the traffic between the business and the service provider whenever the two implementations are not identical.
From a security point of view, since the service provider is supplying the Local Area Network and the private IP addresses from its own network space, businesses must ask themselves: do I trust the service provider to protect my IP-PBX and other parts of my network from harm? If the answer is not a definitive "yes", the company is well advised to install an Ingate SIParator or Firewall to perform this important function.
Finally, by delivering service this way, the service provider in effect creates separate voice and data networks on the customer premises. This means that personal computers are not connected to the same LAN segment as the phones, so they cannot be used for services such as presence and instant messaging, soft clients cannot be used, and the PC cannot be used to self-configure user accounts. In these cases, the Ingate can act as a bridge between the two networks, allowing the full capabilities of SIP to be realized, including the promise of business VoIP.
Managed SIP Trunks offer the advantage of a closely monitored network maintained to deliver the highest voice quality.
The physical connection to the service provider can vary according to the needs of the enterprise and may range from a single T1 with 1.5 Mbps of bandwidth, enough for 23 simultaneous calls with a compressed codec such as G.729 (uncompressed G.711 needs roughly 80 kbps per call once the IP, UDP and RTP headers are added, so fewer G.711 calls fit), up to fiber optic connections with very large capacities. Since voice is very susceptible to delay, the Managed SIP Trunking Service Provider will often deliver the service over MPLS (Multi-Protocol Label Switching), which assures that the voice packets receive delivery precedence over other services on the same physical connection.
For both of these reasons, many service providers are willing to write Service Level Agreements (SLAs) that guarantee a certain level of service quality, and managed SIP Trunks are often more expensive than services offered over the public Internet.
The firewall remains critical in this application as a security device between a foreign network and the enterprise network. It provides voice and data security for the enterprise against other foreign networks. It also monitors and secures the SIP traffic, protecting the IP-PBX from malicious attacks ranging from theft of service to Denial of Service attacks. This matters because any malicious activity on a foreign network can quickly become an enterprise problem without a security device in between.
Managed SIP Trunks offer the advantage of a closely monitored network maintained to deliver the highest voice quality. The enterprise needs to ensure that its network is robust and that no internal bottlenecks exist that could reduce voice quality. Enterprises should also consider establishing their own security perimeter to maintain control of their network and of who is allowed to use the SIP Trunking services.
Companies like InfoStructure provide open access to their telephony services over the Internet.
Internet Telephony Service Providers (ITSPs) provide SIP trunking services to anyone with Internet connectivity. VoIP is just another application delivered over the Internet alongside Web, e-mail, FTP and the other services commonly found there.
ITSP companies like InfoStructure provide open access to their telephony services over the Internet. The enterprise leases telephony services such as SIP trunking to provide PSTN numbers and access.
The ISP (Internet Service Provider) simply provides access to the Internet. The physical connection can vary according to the enterprise's needs; it can be as small as DSL or grow to T1, T3, Ethernet, OCx and more. The advantage is the consolidation of voice and data traffic on the same physical connection, maximizing bandwidth utilization and minimizing monthly recurring costs.
Firewalls are critical in this deployment, providing voice and data security to the enterprise: solving NAT traversal through the corporate firewall, monitoring and securing the SIP traffic, and protecting the IP-PBX from malicious attacks.
The downside is that voice quality is only as good as the Internet connection in use, because that link is not managed end to end. The advantages of this type of delivery are that it is available anywhere and is typically offered at very attractive rates. With an Internet connection, a firewall at the edge to resolve routing and security concerns, and a good ITSP, SIP trunking can be delivered anywhere in the world.
Port forwarding is a hole in your firewall.
In an attempt to overcome NAT issues, many IP-PBX and ITSP vendors recommend "port forwarding" all UDP and TCP traffic on port 5060 (the SIP signaling port) plus a range of thousands of media ports on the NAT firewall to the IP-PBX. This is not a good idea, as it exposes the network to real risk. Port forwarding is a hole in your firewall: it now forwards ALL UDP or TCP traffic on those ports to the IP-PBX. That traffic does not have to be SIP at all; it can come from any attacker probing for a way into your network, and the IP-PBX must then withstand it on its own.
Better products monitor the SIP signaling port (5060), apply routing rules and policies only to genuine SIP protocol traffic, and discard all other UDP/TCP traffic rather than forwarding it to the IP-PBX. In addition, these SIP-aware firewalls dynamically open and close media ports based on the negotiated SIP session, by monitoring the media ports agreed in the offer/answer exchange and routing the media accordingly.
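As an added example, not Ingate's code, the Python below contrasts the two approaches on constructed traffic: a blanket port forward admits anything addressed to UDP 5060 or the media range without looking at it, while a SIP-aware check admits only well-formed SIP from the configured trunk peer and then opens media pinholes only for the address and port pair the SDP actually negotiated (plus the adjacent RTCP port), closing them when the dialog ends with a BYE or when the media goes idle. The addresses, the peer list, the port range and the idle timeout are assumptions, and the example leaves out the address rewriting a real device performs on the way through.

```python
import re

TRUSTED_TRUNK_PEERS = {"198.51.100.20"}      # assumed ITSP signaling address
MEDIA_RANGE = range(10000, 20001)            # the "thousands of media ports" often forwarded
START_LINE = re.compile(r"^(?:[A-Z]+ \S+ SIP/2\.0|SIP/2\.0 \d{3} .*)$")


def blanket_port_forward(dst_port: int) -> bool:
    """What a plain NAT port forward does: the content is never looked at."""
    return dst_port == 5060 or dst_port in MEDIA_RANGE


def looks_like_sip(datagram: bytes) -> bool:
    """Grammar check on the start line; arbitrary UDP payloads fail it."""
    first = datagram.split(b"\r\n", 1)[0]
    try:
        return START_LINE.match(first.decode("ascii")) is not None
    except UnicodeDecodeError:
        return False


class SipAwareFirewall:
    """Admits SIP from known peers and opens media pinholes only as negotiated."""

    def __init__(self, trusted_peers, idle_timeout=60.0):
        self.trusted = set(trusted_peers)
        self.idle_timeout = idle_timeout
        self.pinholes = {}      # (remote_ip, remote_port) -> {"call_id": str, "last": float}

    def process_signaling(self, datagram: bytes, src_ip: str, now: float = 0.0) -> str:
        # Source filtering is a coarse filter, not authentication (UDP sources can be
        # spoofed); TLS and SIP authentication do the real work.
        if src_ip not in self.trusted:
            return "drop: untrusted signaling source"
        if not looks_like_sip(datagram):
            return "drop: not SIP"
        text = datagram.decode("utf-8", errors="replace")
        m = re.search(r"^(?:Call-ID|i):\s*(\S+)", text, re.M | re.I)
        if not m:
            return "drop: no Call-ID"
        call_id = m.group(1)
        # The BYE request and every response to it carry "CSeq: n BYE": tear media down.
        if re.search(r"^CSeq:\s*\d+\s+BYE\b", text, re.M | re.I):
            self.close_call(call_id)
            return "forward"
        _, _, body = text.partition("\r\n\r\n")
        conn = None
        for line in body.split("\r\n"):
            c = re.match(r"c=IN IP4 (\S+)", line)
            if c:
                conn = c.group(1)
            mm = re.match(r"m=\w+ (\d+) ", line)
            if mm and conn and mm.group(1) != "0":      # port 0 means the stream is rejected
                port = int(mm.group(1))
                for p in (port, port + 1):               # RTP and its RTCP companion
                    self.pinholes[(conn, p)] = {"call_id": call_id, "last": now}
        return "forward"

    def allow_media(self, src_ip: str, src_port: int, now: float = 0.0) -> bool:
        hole = self.pinholes.get((src_ip, src_port))
        if hole is None:
            return False
        if now - hole["last"] > self.idle_timeout:
            del self.pinholes[(src_ip, src_port)]        # idle pinhole is closed
            return False
        hole["last"] = now
        return True

    def close_call(self, call_id: str) -> None:
        for key in [k for k, v in self.pinholes.items() if v["call_id"] == call_id]:
            del self.pinholes[key]


# Constructed traffic from the trunk provider (documentation addresses).
INBOUND_INVITE = (
    b"INVITE sip:+15551234567@203.0.113.10 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 198.51.100.20:5060;branch=z9hG4bK-itsp-1\r\n"
    b"From: <sip:+15559876543@198.51.100.20>;tag=1\r\n"
    b"To: <sip:+15551234567@203.0.113.10>\r\n"
    b"Call-ID: 7d1f9c@198.51.100.20\r\nCSeq: 1 INVITE\r\n"
    b"Content-Type: application/sdp\r\n\r\n"
    b"v=0\r\no=itsp 1 1 IN IP4 198.51.100.30\r\ns=-\r\n"
    b"c=IN IP4 198.51.100.30\r\nt=0 0\r\nm=audio 22000 RTP/AVP 0 8\r\n"
)
INBOUND_BYE = (b"BYE sip:+15551234567@203.0.113.10 SIP/2.0\r\n"
               b"Call-ID: 7d1f9c@198.51.100.20\r\nCSeq: 2 BYE\r\n\r\n")
GARBAGE = b"\x00\x01\x02not sip at all"

if __name__ == "__main__":
    fw = SipAwareFirewall(TRUSTED_TRUNK_PEERS)
    print(fw.process_signaling(INBOUND_INVITE, "198.51.100.20", now=0.0))
    print("198.51.100.30:22000 ->", fw.allow_media("198.51.100.30", 22000, now=1.0))
    print("198.51.100.30:22002 ->", fw.allow_media("198.51.100.30", 22002, now=1.0))
    print("garbage:", fw.process_signaling(GARBAGE, "198.51.100.20"),
          "/ blanket forward:", blanket_port_forward(5060))
```

The contrast is in the last line of output: the blanket forward hands the garbage datagram to the PBX, the SIP-aware path drops it, and media is only accepted from the one address and port pair the SDP named, for as long as the call lasts.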
These firewalls can also fix far-end NAT devices. If a SIP device sits behind a remote NAT device, the Ingate (with its Remote SIP Connectivity software module) can correct the SIP signaling from the remote device and ensure that ports remain open for future SIP signaling and media.
It is a cost-effective solution, since it removes the requirement for SIP-aware firewalls at each remote location while allowing traveling SIP users, remote workers and satellite offices to reach the main office from anywhere.
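The far-end NAT fix described above can be illustrated with an added Python example of the generic RFC 3581 style handling; this is not Ingate's Remote SIP Connectivity implementation. A REGISTER from a phone behind a home router carries the phone's private address in its Via and Contact. The edge device compares those with the address and port the datagram actually arrived from, adds received= and rport= to the top Via so that responses go back through the NAT mapping, rewrites the Contact so that calls to the phone are routed to that mapping, rewrites a private c= line in any SDP, and schedules keepalives before the NAT's UDP mapping would expire. The addresses, the keepalive interval and the sample messages are constructed for the illustration; the media port itself still has to be learned from the first RTP packet the phone sends, which this example does not do.

```python
import ipaddress
import re

KEEPALIVE_INTERVAL = 20.0   # assumed; kept below the ~30 s UDP mapping timeout of many NATs


def _is_private(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:          # a hostname, not an address literal
        return False


def _rewrite_uri_host(value: str, src_ip: str, src_port: int) -> str:
    """Replace a private host[:port] inside a sip: URI with the observed public pair."""
    def repl(m):
        return f"{m.group(1)}{src_ip}:{src_port}" if _is_private(m.group(2)) else m.group(0)
    return re.sub(r"(sip:(?:[^@>\s]+@)?)([^:;>\s]+)(?::\d+)?", repl, value)


def fix_far_end_nat(datagram: bytes, src_ip: str, src_port: int):
    """Return (rewritten datagram, fixes applied) for a request received from src_ip:src_port."""
    head, sep, body = datagram.decode("utf-8", errors="replace").partition("\r\n\r\n")
    lines = head.split("\r\n")
    fixes, via_seen = [], False
    for i in range(1, len(lines)):
        name, _, value = lines[i].partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() in ("via", "v") and not via_seen:     # only the top Via is this hop's
            via_seen = True
            m = re.match(r"(SIP/2\.0/\w+)\s+([^;\s]+)(.*)", value)
            if m and m.group(2) != f"{src_ip}:{src_port}":
                proto, sent_by, params = m.groups()
                params = re.sub(r";rport(?=;|$)", f";rport={src_port}", params)
                if ";rport=" not in params:
                    params += f";rport={src_port}"
                lines[i] = f"{name}: {proto} {sent_by}{params};received={src_ip}"
                fixes.append("via")
        elif name.lower() in ("contact", "m"):
            new = _rewrite_uri_host(value, src_ip, src_port)
            if new != value:
                lines[i] = f"{name}: {new}"
                fixes.append("contact")
    # A private address in the SDP connection line would send media into the void.
    new_body = re.sub(r"^c=IN IP4 (\S+)", lambda m: f"c=IN IP4 {src_ip}"
                      if _is_private(m.group(1)) else m.group(0), body, flags=re.M)
    if new_body != body:
        body = new_body
        fixes.append("sdp-c")
        lines = [f"Content-Length: {len(body.encode())}"
                 if h.lower().startswith("content-length:") else h for h in lines]
    return ("\r\n".join(lines) + sep + body).encode(), fixes


class NatBindings:
    """Remembers the public mapping of each registered phone and when to refresh it."""

    def __init__(self, interval: float = KEEPALIVE_INTERVAL):
        self.interval = interval
        self.bindings = {}      # address-of-record -> {"addr": (ip, port), "last": float}

    def learn(self, datagram: bytes, src_ip: str, src_port: int, now: float):
        text = datagram.decode("utf-8", errors="replace")
        if not text.startswith("REGISTER "):
            return None
        m = re.search(r'^(?:To|t):\s*(?:"[^"]*"\s*)?<?(sip:[^>;\s]+)', text, re.M | re.I)
        if not m:
            return None
        self.bindings[m.group(1)] = {"addr": (src_ip, src_port), "last": now}
        return m.group(1)

    def keepalives_due(self, now: float):
        """Bindings whose NAT mapping needs a packet (an OPTIONS or a CRLF) to stay open."""
        return [(aor, b["addr"]) for aor, b in self.bindings.items()
                if now - b["last"] >= self.interval]

    def mark_sent(self, aor: str, now: float) -> None:
        self.bindings[aor]["last"] = now


# Constructed REGISTER from a phone at 192.168.1.20 behind a NAT whose public side is
# 203.0.113.77; the datagram arrives at the edge device from 203.0.113.77:41234.
REMOTE_REGISTER = (
    b"REGISTER sip:pbx.example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.168.1.20:5060;rport;branch=z9hG4bK-reg-1\r\n"
    b"From: <sip:alice@pbx.example.com>;tag=aa1\r\n"
    b"To: <sip:alice@pbx.example.com>\r\n"
    b"Call-ID: reg-1@192.168.1.20\r\nCSeq: 1 REGISTER\r\n"
    b"Contact: <sip:alice@192.168.1.20:5060>;expires=3600\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    fixed, applied = fix_far_end_nat(REMOTE_REGISTER, "203.0.113.77", 41234)
    print(applied)
    print(fixed.decode())
```

Only the Contact and the top Via are touched; From, To and Call-ID keep the phone's own values, since they identify the user and the dialog rather than where packets should be sent. A request that already arrives from the address it names passes through unchanged.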
Firewalls perform three critical functions in relation to SIP.
We discussed what Network Address Translation (NAT) is, its purpose on the network and why it is a problem when adopting SIP in the enterprise. In this issue, we look at how Ingate SIP-capable security products solve the issues with NAT while maintaining security.
Firewalls perform three very important functions. These functions are critical for any SIP implementation, including SIP trunking, and may provide other benefits as well depending on the construction of the network and the service the business wishes to employ. The most important of these functions are:
- The firewall resolves NAT traversal issues and enables the adoption of SIP and SIP trunking by securely permitting SIP signaling and the related media to traverse the firewall. Without this function, most companies will get one-way audio only.
- The Ingate products also normalize the SIP traffic so that the IP-PBX at the customer site and the service provider's network are fully compatible. While SIP is a standard, each implementation can be slightly different, and service providers may each require a different level of authentication from the business. With the firewall in place, these requirements can be met.
- Security becomes important with the introduction of SIP trunking and other SIP services because, as a server, the IP-PBX is subject to the same types of threats as any other server on the enterprise network. So a properly architected network includes a firewall device to ensure that only authorized users are allowed to send and/or receive phone calls using the service, and that no malicious attack can render the IP-PBX inoperable.