Learn how to configure SIP application filters for secure communication using Alcatel-Lucent Security Products. Understand the basics of SIP, its components, and the importance of firewall protection. Follow step-by-step instructions on setup and optimal filtering practices.
Configuring the SIP Application Filter
Configuration Example
Alcatel-Lucent Security Products Configuration Example Series
About SIP
• Session Initiation Protocol (SIP) is a signaling protocol used for establishing sessions in an IP network.
• Usually associated with real-time (RT) applications.
• Internet Engineering Task Force (IETF) standard.
• Similar to HTTP in commands and error codes.
• Similar to SMTP in addressing.
• Reuses many established network protocols and services, such as NAT, DNS, MIME, RTP, RSVP, LDAP, RADIUS…
• Transport layer independent.
• Uses User Datagram Protocol (UDP) and Transmission Control Protocol (TCP).
About SIP
• SIP network components consist of four basic elements:
• User Agent (UA): IP phone, PC, PDA, multimedia handset.
• SIP Registrar Server: database of all UAs registered in a given domain. This is a name-to-IP-address lookup, for example: Where is sip:rick@Alcatel-lucent.com? Response: 135.10.10.11.
• SIP Proxy Server: directs the call signaling to the appropriate UA in the domain or to a separate SIP Proxy Server in another domain.
• SIP Redirect Server: allows SIP Proxy servers to direct SIP session invitations to SIP Proxies in external domains.
• This process is very similar to H.323’s use of phones, gateways and gatekeepers.
About SIP (Call setup within the same domain)
• The call setup uses the UAs, Proxy, Registrar and sometimes Redirect Server in call setup signaling.
• The actual call, once set up, passes from one UA to the other UA directly. See RTP in the diagram.
About SIP (Call setup across domains)
• Similar setup to the last slide, but in this case the proxy will invoke the Redirect Server to find the appropriate proxy in the other domain to send the call signaling to.
Why Firewall SIP
• If all of your SIP signaling happened within your network, like interoffice calls, then it would all take place behind your firewall. This, however, is not usually the case. Most SIP proxies are connected to the internet, often in a DMZ. Remember that your SIP Proxy, much like a web server, is used for public connections to your network as well as connections from your network to other endpoints on the public network. Therefore all of the same concerns about DoS and DDoS attacks apply, as do concerns about spoofing and theft of service. These concerns make a firewall a necessary component in any SIP environment.
• Remember that SIP, like HTTP, SNMP and others, uses commands at the application layer (layer 7). This means that you can’t just broadly allow the SIP signaling port (5060) and assume that you are secure. You need to actually filter at the application layer, examining each command.
Preparing to Configure the Application Filter
• The rest of the slides in this configuration example will walk you step by step through the fields in the SIP Application Filter, explaining what they do and how to configure them.
• Before you start, get information on how your SIP proxies are configured. You will want to know what range of ports they are using, whether they are using UDP or TCP, what their addresses are, what addresses you want to allow to reach them, and so on. Get as much information as you can.
• When configuring a firewall, rule or application filter it is always best to keep the settings fairly broad and open to start with. Once you have the application running you can examine your logs, then go back and tighten things up based on what you see.
• The logs will also give you information on drops to help you get the application running.
Configuring the SIP Application Filter
• The Alcatel-Lucent Bricks support application layer filtering of the SIP protocol as well as others.
• The SIP Application Filter is attached to the SIP service by default in the service groups (see the configuration example on applying application filters).
• From the main menu on the ALSMS select Application Filters, then select Sip Default.
• This opens the application filter for configuring.
Configuring the SIP Application Filter
• Fill in the Name and Description fields.
• We will save this under a different name and keep a copy of the default for future use.
• The next few slides will explain the use of each field in the SIP Application Filter.
Configuring the SIP Application Filter
• The Display and Use Globally field is primarily an administrator tool, allowing administrators to use the configured filter in any rule set in any group. This won’t affect the operation of the filter.
• Type is grayed out; keep SIP.
• You may want to fill in the length fields. Blank implies no limit.
• The “Entire” length needs to exceed the sum of the parts.
Configuring the SIP Application Filter
• If “Configure inside and Outside of Zone…” is checked you are allowing the same access in and out.
• If unchecked you will get separate options for “Max Forward Count” and “Dynamic Ports” for in and out.
• Max Forward Count is the largest value that the Max-Forwards header can have upon entering/leaving the zone. If the message is going OUT of the zone, then the Max Forward OUTSIDE field is checked. If the message is going INTO the zone, then the Max Forward INSIDE field is checked.
• “Dynamic Ports”: these are the actual ports that the firewall will allow in sessions. These are the dynamic pinholes. You can restrict this to match the proxy settings.
Configuring the SIP Application Filter
• “Session Audit” – This is a logging function. If checked, SIP-specific session audit records are logged. Also, in your actual SIP rule change the “Session Audit” from “Basic” to “Detailed”; this will give you more information in your logs to troubleshoot with.
• “Exception Audit” – Also a logging function. Keep this checked for now and change the “Exception Audit” field in your rule to “Detailed”.
• Remember, you want a lot of information in your logs to start with. Once things are running smoothly you may want to set these to “Basic” or turn them off.
Configuring the SIP Application Filter
• “Drop re-Connect….” This field restricts the passage of packets from a source that has violated this filter in some way for “X” seconds. This is a good tool, but remember these packets may be spoofed or NATed, so you need to handle this with care.
• “Media Transport” You should know this answer from your proxy settings. You can check both if both are used. If you don’t know the answer, check both, then examine your logs to see if both are used and adjust accordingly.
Configuring the SIP Application Filter
• “Media Max Streams in Session” – This value limits the number of “m=….” parameters within the SIP SDP. If, say, audio and video were being set up, then there would be 2 media streams, hence two “m=…” parameters.
• “Session Media VPN” – If you say “like Rule” you are referring to the “Action” field in your SIP rule. If it is tunnel or pass, that is what will happen here. The value of the field is to say “No” if you want the media un-tunneled even though the rule is tunneling the SIP messages.
Configuring the SIP Application Filter
• Next click on the “Names and Other Addresses” tab.
• This is a table to fine-tune what SIP traffic is allowed and where it is allowed to and from.
• The default settings that you see basically allow any valid SIP traffic to pass on port 5060.
• SIP traffic can be filtered based on IP address or range of addresses, FQDN or *.Domain, either inside or outside of the zone.
• There is a great deal of information on this table in the “Policy Guide”. For the sake of getting the application working, leave this at default. Come back and fine-tune this later based on your network and examination of your logs.
Configuring the SIP Application Filter
• Next click on the DNS tab.
• There are options here to assign what DNS servers you will use. These can be set by: an address, two addresses separated by a comma, or a host group with DNS server addresses in it (see the configuration guide on DNS).
• This tab also allows you to assign a DNS Application Filter like “DNSdefault” or a customized version of that default filter.
• A DNS filter must be used due to the vulnerabilities associated with the DNS protocol. You can assign the DNS filter here or at the DNS rule in your rule set.
Configuring the SIP Application Filter
• Next click on the “Methods” tab.
• SIP uses commands, or “Methods” if you will, to communicate between endpoints in call signaling.
• Here you will see the “Methods” allowed by this filter.
• If you uncheck the “Configure inside and Outside….” check box you will be able to configure the inside and outside separately.
• The “Dialog” checkbox includes necessary methods like INVITE, responses, BYE, ACK, CANCEL and so on.
Configuring the SIP Application Filter
• Register – allows the user agent (UA) to register with the registrar server. You may want to unselect this on the outside of the zone so that UAs outside cannot register with your registrar server.
• Info – is used to send control information during the call.
• Subscribe – The calling party uses this to request an update of the called party’s presence: present/registered or not.
• Refer – requests that the recipient REFER to a resource provided in the request. It provides a mechanism allowing the party sending the REFER to be notified of the outcome of the referenced request. This can be used to enable many applications, including call transfer.
• Message – This method is used for instant messaging services.
• Other – This field allows you to enter other “methods” or SIP commands. These are text commands, much like HTTP. The “Other” field can contain a comma-delimited list of methods, a blank or a wildcard (*). The default is wildcard.
Configuring the SIP Application Filter
• As you can see there are many other SIP commands (methods).
• If you are having problems with calls, examine your logs. You can sort by IP addresses to follow the call processing flow on any call. Look for things that are dropping and for errors. If you are missing “other” methods, go back and fill them into the “Other” field.
• SIP error codes are also very similar to HTTP error codes. You can find a complete list of them on the web.
• You can also find ALSMS error codes seen in your logs by selecting “Help>Error Codes”.
Examples of SIP Error Messages
• block: Host name Bell-Labs.com not resolvable:
• block: DNS subsystem not available:
• This will happen if the DNS resolver can't get to the IP of the DNS itself because the DNS server is on a local interface to the Brick, but the DNS server IP address is not responding to ARPs.
• :block:Message should have more than one via:
• :block:From/TO address/port Changed:
• :block:Header Contact missing:
• :block:Unexpected SDP 0ffer/answer:
• :block:Not a SIP request or response((start line)):
• :block:CSeq method inconsistent(CSeq):Cseq. 8 INVITE:
• :block:Extra 356 bytes after end of message(Content-Length):
Examples of SIP Error Messages
• :block:Response but no request:
• Invalid characters in SIP message((start line)):INVITE <sip.user@company.com> SIP/2.0:
• :block:Invalid characters in SIP message(From):From.Bell,Alexander <sip.a.g.bell@bell-tel.com>:
• block:Too many media streams(10)(field 'm',media section 10):m=video..............:
• :block:More Record-Route's than proxy Vias:
• :block:Invalid host name or address(Route):Route. <sip.vkg@foo.com;maddr=100.200.300.400>,:
Examples of SIP Error Messages
• :block:Header too long 63:
• :block:Previous hop providing received address/port parameters::
• :block:Initial Cseq number too large::
• :block:Invalid port specification(field 'm', media section 1):m=audio 492170 RTP/AVP 0 12....:
• SIP-TEST-AF-1:discard:CSeq number out of range:INVITE........:
• :block:Unexpected header fields(Expires):Expires.03/13/2002:
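To make concrete why allowing port 5060 alone is not enough (the “Why Firewall SIP” point) and what the block messages above are reporting, here is an added example, not code from this guide or the Brick, of a small validator that applies the same kinds of per-request checks the filter’s Methods, Max Forward Count, Media Max Streams and header-consistency settings describe. The filter settings, field names and sample messages are constructed for illustration; it covers requests only, not responses.

```python
# Added example (not the guide's own code): a minimal validator applying the
# kinds of per-message checks the SIP Application Filter performs on requests.
# Filter settings and sample messages are constructed for illustration.
import re

FILTER = {  # constructed settings mirroring the slide fields
    "methods": {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER", "INFO"},
    "max_forwards": 70,          # "Max Forward Count"
    "media_max_streams": 2,      # "Media Max Streams in Session"
}

def parse_sip(raw):
    """Split a raw SIP message into start line, [(name, value)], body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only (Via has more)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def check_sip_request(raw, filt=FILTER):
    """Return [] if the request passes, else the block reasons the filter would log."""
    start, headers, body = parse_sip(raw)
    m = re.match(r"^([A-Z]+) \S+ SIP/2\.0$", start)
    if not m:
        return ["Not a SIP request((start line))"]
    method = m.group(1)
    hdr = lambda name: [v for k, v in headers if k == name]
    reasons = []
    if method not in filt["methods"]:            # Methods tab allowlist
        reasons.append(f"Method not allowed({method})")
    if not hdr("via"):
        reasons.append("Header Via missing")
    if method == "INVITE" and not hdr("contact"):
        reasons.append("Header Contact missing")
    cseq = hdr("cseq")
    if cseq and cseq[0].split()[-1] != method:   # CSeq must name the same method
        reasons.append(f"CSeq method inconsistent(CSeq):{cseq[0]}")
    mf = hdr("max-forwards")
    if mf and int(mf[0]) > filt["max_forwards"]:
        reasons.append(f"Max-Forwards too large({mf[0]})")
    cl = hdr("content-length")
    if cl and len(body) > int(cl[0]):            # trailing bytes past the declared body
        reasons.append(f"Extra {len(body) - int(cl[0])} bytes after end of message(Content-Length)")
    streams = sum(1 for l in body.split(b"\r\n") if l.startswith(b"m="))
    if streams > filt["media_max_streams"]:      # one m= line per media stream
        reasons.append(f"Too many media streams({streams})")
    return reasons

# Constructed sample: a well-formed INVITE whose SDP body is exactly 30 bytes.
GOOD_INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.1:5060\r\n"
               b"Max-Forwards: 70\r\nContact: <sip:alice@10.0.0.1>\r\nCSeq: 1 INVITE\r\n"
               b"Content-Length: 30\r\n\r\nv=0\r\nm=audio 49170 RTP/AVP 0\r\n")
```

Running the same checks over your own Brick log extracts lets you see which filter field (methods, Max-Forwards, media streams, Content-Length) a given block message maps to before tightening that field.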
Finishing up.
• Once you have completed the configuration of your SIP Application Filter, save it under your new name from slide # 9.
• You can then attach your custom SIP Application Filter to your SIP rule in your rule set and apply it to your Bricks.
• For more information about applying an application filter see the configuration example on “Applying Application Filters”.
Configuring the SIP Application Filter
• For more detailed information on configuring the SIP Application Filter go to the section on Configuring Application Filters in the Policy Guide.
• From the ALSMS you can access the manuals by clicking Help>On Line Product Manuals>(choose manual).