1 / 11

Protecting Yourself in a WebRTC World

Protecting Yourself in a WebRTC World. Lawrence Byrd Technology Evangelist. Speakers. Mykola Konrad Sonus Karl Stahl CTO and Chairman, Ingate Systems. Ingate’s SBCs do more than POTSoIP SIP. They were developed for standard compliant end-to-end multimedia SIP connectivity everywhere.

louises
Télécharger la présentation

Protecting Yourself in a WebRTC World

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Protecting Yourself in a WebRTC World Lawrence Byrd Technology Evangelist

  2. Speakers • Mykola Konrad • Sonus • Karl Stahl • CTO and Chairman, Ingate Systems

  3. Ingate’s SBCs do more than POTSoIP SIP. They were developed for standard compliant end-to-end multimedia SIP connectivity everywhere. WebRTC is just aligned – Ingate adds Q-TURN telepresence quality and the WebRTC & SIP Companion Gateway brings all WebRTC features to the enterprise PBX/UC Solution/call center and to the service provider next generation telephony. Merged Intertex Data AB and Ingate Systems AB Karl StahlCTO and ChairmanIngate Systemsinfo@ingate.com karl.stahl@intertex.se

  4. WebRTC “Protection”– More or less challenging? Is there a “security difference” compared to soft clients and Webex-like screen sharing applications? Not much! But… The big difference is that the browser is “always available”, used and we now have to trust the browser to provide the basic protection. Can my screen be viewed also? Should we be concerned? Cannot even decline video… And HTTPS only asks first time… Firewalls and SBC won’t help. They don’t do (cannot do) these things. – They allow or not!

  5. WebRTC & VoIP Security (and SBCs) – Confusing it is… And it is quite different: WebRTC in itself • What is meant by “securing WebRTC”, “managing security” etc.? Says who? • User: Privacy, confidentiality would be nice • Carrier: Theft of service, DoS/Overload, don’t crash our systems • Enterprise data department: Don’t send malicious packets into our LAN, don’t leak our information. • Enterprise PBX / UC department: Make it work - always and everywhere, but keep our resources and information to ourselves. and integrated with the “Enterprise PBX / UC social network”

  6. WebRTC in Itself has Excellent Privacy • Media is always encrypted between the endpoints. With DTLS-SRTP, only the browsers know the key. • Signaling is not standardized and is most often over https (i.e. encrypted) • But that will not always be maintained when calls are gatewayed into other worlds • VoIP Service Providers seldom use encryption anywhere • Enterprise PBX / UC / call centers are hiding behind a firewall or an SBC Encryption is rarely used in the current PSTN and VoIP carrier world

  7. WebRTC in Itself is Quite Secure, but Consider… • Turn server needs DoS protection • Does not traverse restrictive enterprise firewalls: ICE firewall traversal assumes it is open from the inside. Proposed media tunneling through open TCP 80 (http) or 443 (https) ports destroys quality. Data department may not want to open more. • Quality on data-crowded pipes: WebRTC uses the Internet, where the access pipes are crowded with data traffic. No QoS since firewalls are unaware of real-time traffic, which ICE/STUN/TURN assumes. Company Web Server Q-TURN RESOLVES LAN

  8. A Novel View on ICE – Q-TURN • Knock-knock; Give my Media a Quality Pipe • Regard ICE as a request for real-time traffic through the firewall. Interpret the STUN & TURN signals in the firewall • Have the STUN/TURN server functionality IN the firewall and set up the media flows under control • Security is back in the right place - The firewall is in charge of what is traversing • Enterprise firewall can still be restrictive Q-TURN • Q-TURN Enables QoS and More: • Prioritization and Traffic Shaping • Diffserv or RVSP QoS over the Net • Authentication (in STUN and TURN) • Accounting: Quality gigabits measured

  9. WebRTC-SIP Gateways Will be Used – Are Required!Often Built on Top of SBCs – Do such SBCs Protect? • An enterprise wants to have the WebRTC benefits into their PBX / UC / Call Center infrastructure. That is where their Auto attendant, Call Routing, Queues, Conference Bridge etc. are. • and an enterprise UC solution of course benefits from browser-based clients, locally and remotely • so do the IMS/VoLTE/RCS emerging networks • Such WebRTC – SIP Gateways require SBC functions like security, interoperability fix-ups and NAT/firewall traversal Company Web Server media WS LAN SIP

  10. Questions (and Answers within parenthesis (Hidden Slide) • If firewalls and SBC can’t do it: Will privacy and security concerns stop WebRTC? (Of course not! All applications invade us these days – We still use them, because we cannot be without them.) • If firewalls just stop or allow WebRTC, what do SBCs do? Do SBCs really exist in the WebRTC world? (Not in the way rumored! Some SBC vendors have added WebRTC/SIP Gateways on top of their SBCs (Ingate, Acme/Oracle…). Others have added TURN servers in their SBCs (Ingate, Avaya/Sipera…) • Shall we stop talking about SBCs in the WebRTC world? (I would say so. The word is too confusing – It actually is in the SIP world as well. SBCs are said to do many things they don’t do, and SBCs vary a lot from each other – some being just SIP fixup devices, and not providing firewall functions at all – The variation is large.)

More Related