Securing SIP Gateways

Your SIP gateway, as part of your IP network, should conform to your company security policy. Deployment of basic items, such as user control and authentication, access-control lists, and physical security, should be standard. The SIP network, like most of your user devices, should be on a LAN using private IP addresses, with strong perimeter security.

Because SIP messages contain IP addresses in several different locations, it is important to use a firewall that supports SIP. Cisco IOS firewalls, PIX firewalls, and Adaptive Security Appliance (ASA) devices are all able to inspect the SIP application data and maintain call flow information.

SIP supports some authentication, authorization, and accounting (AAA) mechanisms to help authenticate communications between UAs, servers, and gateways. You can use RADIUS to preauthenticate calls. The gateway forwards incoming call information to a RADIUS server, which must authenticate it before the call is connected. To enable AAA for SIP calls, you must use the normal AAA configuration on the gateway and the RADIUS server. In addition, in global configuration mode, issue the aaa preauth command to enter AAA preauthentication configuration mode. Specify the RADIUS server with the command group {radius | groupname}.

You can also use HTTP Authentication Digest. UAs, proxy servers, and redirect servers can request authentication before they process a SIP message. Gateways can respond to authentication challenges and can respond on behalf of non-SIP phones that they have registered to a SIP server. SIP defines authentication and authorization fields that can be present in the message header. A server that receives a message, such as an INVITE, without authentication credentials issues a challenge. The response includes an authorization field with an MD5 hash and other credentials. To configure a gateway to use HTTP Authentication Digest, issue the following command in each dial peer or in SIP-UA configuration mode: authentication username username password password [realm realm]. Here, username is the name of the user that will be authenticating, password is the shared password, and realm is an optional entry that lets you configure multiple username/password combinations. The realm is included in the challenge, so the response will include credentials for that specific realm.
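The challenge/response exchange described above, as an added example that is not from the book or from Cisco: it computes the MD5 digest the way RFC 2617 defines it, selects credentials by the realm in the challenge, and verifies the result on the server side. The realm names, usernames, passwords, nonce, and function names are constructed for illustration.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest(header_value):
    """Parse 'Digest key="value", key=value' into a dict."""
    scheme, _, params = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}

def digest_response(username, password, realm, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 response value; the password itself never goes on the wire."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def answer_challenge(challenge, credentials, method, uri):
    """Client side: use the credentials configured for the challenged realm."""
    ch = parse_digest(challenge)
    realm, nonce = ch["realm"], ch["nonce"]
    if realm not in credentials:
        raise KeyError(f"no credentials configured for realm {realm!r}")
    user, password = credentials[realm]
    resp = digest_response(user, password, realm, method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')

def verify(authorization, lookup_password, method):
    """Server side: recompute the hash from the stored shared password.
    A real server must also confirm that it issued this nonce."""
    a = parse_digest(authorization)
    password = lookup_password(a["username"], a["realm"])
    expected = digest_response(a["username"], password, a["realm"],
                               method, a["uri"], a["nonce"])
    return hmac.compare_digest(expected, a["response"])

# Constructed sample data: one credential pair per realm.
CHALLENGE = 'Digest realm="sip.example.com", nonce="f84f1cec41e6cbe5", algorithm=MD5'
CREDENTIALS = {"sip.example.com": ("gw1", "constructed-secret"),
               "lab.example.net": ("gw1", "other-secret")}
AUTH = answer_challenge(CHALLENGE, CREDENTIALS, "INVITE", "sip:2001@sip.example.com")
```

Digest authentication proves knowledge of the shared password but does not encrypt the SIP message itself.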

To provide a more secure, encrypted transport mechanism for SIP messages, Cisco IPT devices have added support for the TLS protocol.

Cisco Voice Gateways and Gatekeepers
ISBN: 158705258X
EAN: 2147483647
Year: 2004
Pages: 218