Network Systems DesignLine | Remove vulnerability from SIP-based VoIP networks--Part II


Here's Part II: a discussion of SIP security models and of firewall and NAT traversal, followed by a VoIP security checklist and other important recommendations.
SIP security models
Deploying SIP-based VoIP devices requires either standardized security protocols, mechanisms and parameters, or the ability to negotiate a common security mechanism between peers. The drawback of negotiated security is that any entity in the path with weak or no security can force the weakest option and compromise the whole system. Encryption can protect the media stream and various parts of a SIP message, such as the headers and/or the payload. The entities in the signaling path may be fully trusted, partially trusted or untrusted, which makes authentication harder: intermediaries such as proxies legitimately modify messages as they forward them (adding Via and Record-Route headers, for example), so an integrity check computed by the sender cannot cover the entire message. SIP communications and their associated security mechanisms can be classified as follows:
  • Hop-by-hop
  • End-to-middle
  • End-to-end


Figure 3. A basic SIP trapezoid and the associated call flow

Transport layer security (TLS), as used for HTTPS, can also secure SIP on a hop-by-hop basis (SIPS). A SIPS uniform resource identifier (URI) indicates that TLS must be used on every hop from end to end. Note that hop-by-hop TLS protects only the wire between adjacent hops: every proxy on the path terminates TLS, sees the signaling in the clear and must therefore be trusted. Security mechanism agreement (RFC 3329) and the requirements for end-to-middle security (RFC 4189) help coordinate implementation efforts toward interoperability.

End-to-end security can be provided with secure/multipurpose Internet mail extensions (S/MIME), which sign and/or encrypt the message body (and a copy of the headers tunneled inside it) so that proxies can forward the message without being able to read or alter the protected parts. The media stream can be secured using the Secure Real-time Transport Protocol (SRTP). Virtual private network (VPN) protocols such as IPsec may also be used to encrypt all traffic between trusted entities when no untrusted intermediaries sit between them.
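Why the end-to-end model cannot simply sign the whole message, as an added example that is not part of the original article: the script below takes a constructed INVITE, has a proxy do what proxies legitimately do when forwarding (push a Via, add a Record-Route, decrement Max-Forwards), and compares an integrity check computed over the entire message with one computed only over the body and the headers that must survive unchanged end to end (From, To, Call-ID, CSeq and Contact, the set RFC 3261's S/MIME guidance requires to match between the protected copy and the outer message). A keyed MAC under a shared secret stands in for the S/MIME signature so the example runs with the standard library alone; the hostnames, the key and the branch values are placeholders chosen for the demo.

```python
import hashlib
import hmac

# Constructed sample INVITE (not taken from the article); addresses are documentation ranges.
INVITE = (
    "INVITE sip:bob@biloxi.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "From: Alice <sip:alice@atlanta.example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@biloxi.example.com>\r\n"
    "Call-ID: a84b4c76e66710@pc33.atlanta.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.10:5061;transport=tls>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
)

# Placeholder shared secret standing in for Alice's S/MIME signing key (assumption for the demo).
E2E_KEY = b"alice-and-bob-placeholder-secret"

# Headers the end-to-end check covers; proxies are required to forward these unchanged.
E2E_HEADERS = ("from", "to", "call-id", "cseq", "contact")


def parse(msg):
    """Split a SIP message into start line, ordered (name, value) headers and body."""
    head, _, body = msg.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return start_line, headers, body


def unparse(start_line, headers, body):
    head = "\r\n".join([start_line] + [f"{n}: {v}" for n, v in headers])
    return head + "\r\n\r\n" + body


def whole_message_scope(msg):
    """Everything on the wire: what a naive 'sign the whole message' scheme would cover."""
    return msg.encode()


def end_to_end_scope(msg):
    """Body plus the headers that must survive proxies: what S/MIME-style protection covers."""
    _, headers, body = parse(msg)
    kept = [f"{n.lower()}: {v}" for n, v in headers if n.lower() in E2E_HEADERS]
    return ("\r\n".join(kept) + "\r\n\r\n" + body).encode()


def protect(msg, key, scope):
    """Integrity tag over the chosen scope (HMAC stands in for a digital signature here)."""
    return hmac.new(key, scope(msg), hashlib.sha256).hexdigest()


def verify(msg, tag, key, scope):
    return hmac.compare_digest(protect(msg, key, scope), tag)


def proxy_forward(msg, proxy_host, branch):
    """What a SIP proxy legitimately does to a request it forwards (RFC 3261 section 16)."""
    start_line, headers, body = parse(msg)
    out = [("Via", f"SIP/2.0/TLS {proxy_host};branch={branch}"),
           ("Record-Route", f"<sip:{proxy_host};lr>")]
    for name, value in headers:
        if name.lower() == "max-forwards":
            value = str(int(value) - 1)
        out.append((name, value))
    return unparse(start_line, out, body)


def rewrite_sdp_connection(msg, new_ip):
    """A hostile intermediary redirecting the media: rewrite the SDP c= line."""
    start_line, headers, body = parse(msg)
    lines = [f"c=IN IP4 {new_ip}" if line.startswith("c=") else line
             for line in body.split("\r\n")]
    return unparse(start_line, headers, "\r\n".join(lines))


def demo():
    whole_tag = protect(INVITE, E2E_KEY, whole_message_scope)
    e2e_tag = protect(INVITE, E2E_KEY, end_to_end_scope)
    via_proxy = proxy_forward(INVITE, "proxy.atlanta.example.com", "z9hG4bK1a2b3c")
    hijacked = rewrite_sdp_connection(via_proxy, "203.0.113.9")
    return {
        # legitimate proxy edits break a whole-message check ...
        "whole_after_proxy": verify(via_proxy, whole_tag, E2E_KEY, whole_message_scope),
        # ... but not the end-to-end scope ...
        "e2e_after_proxy": verify(via_proxy, e2e_tag, E2E_KEY, end_to_end_scope),
        # ... which still catches tampering with the protected body
        "e2e_after_sdp_tamper": verify(hijacked, e2e_tag, E2E_KEY, end_to_end_scope),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

In a real deployment the tag is an S/MIME signature over a message/sip body carried inside the request, and the receiving user agent compares the signed copy of the headers with the outer ones exactly as end_to_end_scope does here; anything a proxy is allowed to touch (Via, Record-Route, Max-Forwards) is deliberately outside that scope.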

Encryption schemes require that both participants know the set of encryption/decryption transformations; the algorithm itself is public and only the key must be kept secret, so establishing secure communications comes down to establishing a key. Keys are exchanged by some secure means and are authenticated as genuine by binding them to the identity of the originating entity with a digital signature mechanism.

The primary key exchange mechanisms are:

  • Pre-shared keys (PSK)
  • Public key infrastructure (PKI)

The key exchange mechanism has a profound effect on which security mechanisms are practical for SIP-based VoIP. PSK is fast and simple, but it does not scale for secure VoIP: a secret would have to be provisioned and maintained for every pair of parties that might call each other, and a secret shared with a proxy gives that proxy the same capabilities as the endpoint. PKI, on the other hand, requires an elaborate distribution scheme (certificate issuance, trust anchors, revocation checking) and adds public-key processing overhead.

Any encryption scheme means additional data processing. SIP devices therefore need enough processing capability to encrypt and decrypt without adding noticeably to the latency of real-time communications; the per-packet symmetric cipher work in SRTP is modest, but the public-key operations in TLS and S/MIME handshakes are not. This raises cost and imposes practical limitations, as many SIP-based VoIP devices are handheld, battery-powered mobile devices.

Consider the data shown in Table 1 and in Table 2.

Firewall and NAT Traversal
Firewalls and NATs are fundamental building blocks of network security, and they also pose the toughest challenges to VoIP traversal. Most firewalls use packet filters operating at the network (IP) and transport layers, matching on addresses, protocol and port numbers. Because SIP negotiates the media ports dynamically in the SDP body, a static filter either blocks the RTP streams or must leave a wide range of UDP ports open; modern firewalls therefore incorporate a relay mechanism or application-level gateway that follows the signaling and opens only the negotiated ports, to compensate for the effect of the filters on desired traffic.

NATs, on the other hand, hide internal (LAN) devices from the external network (WAN): a mapping exists only after a connection has been initiated from inside the NAT. This is a fundamental problem for VoIP, because an unsolicited incoming call has no mapping through which to arrive. In addition, SIP signaling messages carry the IP address and port of the VoIP device inside the NAT (in the Via and Contact headers and in the SDP c= and m= lines), and those private addresses mean nothing to the external party.

SIP devices outside the NAT that rely on the addresses contained in these messages are therefore unable to reach devices behind it. Some early SIP implementations worked around this by ignoring the addresses in the message and replying to the source address and port of the underlying IP/UDP packet instead, or by probing an external host to discover the NAT's public mapping and advertising that mapping in the signaling.

However, a symmetric NAT does not lend itself to such solutions, because it allocates a new mapping for every combination of internal socket and external destination and only accepts inbound packets from that destination, so a mapping learned by probing one host cannot be used by another. As a result, special schemes are needed to address these traversal issues. The principal NAT traversal schemes are:

  • Manual configuration, with or without the use of an outbound proxy
  • Application-level gateways (ALGs)
  • Symmetric SIP response [25] and symmetric RTP
  • Simple Traversal of UDP through NATs (STUN), since renamed Session Traversal Utilities for NAT
  • Traversal Using Relay NAT (TURN), since renamed Traversal Using Relays around NAT
  • Interactive connectivity establishment (ICE)
  • Session border controllers (SBCs)
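Why a mapping learned by probing works behind one kind of NAT and fails behind another, as an added example that is not part of the original article: the script models two NAT behaviours and runs the probing workaround described above against each. The phone sends a STUN Binding Request through the NAT, the external server answers with the source address it observed (encoded as an XOR-MAPPED-ADDRESS attribute in the RFC 5389 wire format), the phone advertises that address as its Contact, and a peer then sends an INVITE to it. All addresses, the transaction ID and the two NAT classes are constructed for the demo; the STUN encoding and parsing are real, everything else is a simulation of what happens on the wire.

```python
import ipaddress
import struct

# STUN constants (RFC 5389)
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
XOR_MAPPED_ADDRESS = 0x0020

# Constructed endpoints (documentation address ranges)
PHONE = ("192.168.1.10", 5060)        # the SIP phone behind the NAT
STUN_SERVER = ("198.51.100.7", 3478)  # the external host it probes
PEER = ("203.0.113.25", 5060)         # the outside party trying to call it


def binding_request(txid):
    """Encode a Binding Request: 20-byte header, no attributes."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 96 bits")
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def binding_response(txid, ip, port):
    """Server side: report the observed source in an XOR-MAPPED-ADDRESS attribute."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI12s", BINDING_RESPONSE, len(attr), MAGIC_COOKIE, txid) + attr


def stun_server(request, observed_src):
    """The external host: validate the request and echo back where it came from."""
    mtype, _, cookie, txid = struct.unpack("!HHI12s", request[:20])
    if mtype != BINDING_REQUEST or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN Binding Request")
    return binding_response(txid, *observed_src)


def mapped_address(response, txid):
    """Client side: check the header matches our transaction and undo the XOR."""
    mtype, length, cookie, rtxid = struct.unpack("!HHI12s", response[:20])
    if mtype != BINDING_RESPONSE or cookie != MAGIC_COOKIE or rtxid != txid:
        raise ValueError("not a Binding Response for our transaction")
    body, pos = response[20:20 + length], 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS:
            _, family, xport, xaddr = struct.unpack("!BBHI", value)
            if family != 0x01:
                raise ValueError("only IPv4 handled in this example")
            return str(ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4-byte boundaries
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


class ConeNat:
    """Endpoint-independent mapping: one public port per internal socket, reachable by any host."""
    def __init__(self, public_ip):
        self.public_ip, self.table, self.next_port = public_ip, {}, 30000

    def outbound(self, internal, dest):
        key = self._key(internal, dest)
        if key not in self.table:
            self.table[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.table[key]

    def inbound(self, public, sender):
        for key, mapped in self.table.items():
            if mapped == public and self._accepts(key, sender):
                return key[0]
        return None  # no usable mapping: the NAT drops the packet

    def _key(self, internal, dest):
        return (internal,)

    def _accepts(self, key, sender):
        return True


class SymmetricNat(ConeNat):
    """A fresh mapping per (internal socket, destination), usable only by that destination."""
    def _key(self, internal, dest):
        return (internal, dest)

    def _accepts(self, key, sender):
        return key[1] == sender


def probe_then_receive_call(nat):
    """The early workaround: learn the public mapping from one host, advertise it to everyone."""
    txid = bytes(range(12))  # fixed for reproducibility; real clients use random ids
    public_src = nat.outbound(PHONE, STUN_SERVER)          # request leaves via the NAT
    reply = stun_server(binding_request(txid), public_src)  # server sees the NAT's address
    contact = mapped_address(reply, txid)                  # phone advertises this in Contact
    return nat.inbound(contact, PEER)                      # peer's INVITE: delivered or dropped?


if __name__ == "__main__":
    for nat in (ConeNat("198.51.100.42"), SymmetricNat("198.51.100.42")):
        print(type(nat).__name__, "->", probe_then_receive_call(nat) or "INVITE dropped")
```

Run it and the cone NAT delivers the INVITE to the phone while the symmetric NAT drops it: the mapping the phone learned belongs to its conversation with the STUN server, not to the peer. That is the case the later entries in the list exist for, a relay (TURN), a candidate-checking negotiation (ICE) or a session border controller that sits on the public side and keeps the mapping alive itself.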

