Configuring the SIP Application Filter

Configuration Example
Alcatel-Lucent Security Products Configuration Example Series
About SIP
• Session Initiation Protocol (SIP) is a signaling protocol used for establishing sessions in an IP network.
• Usually associated with real time (RT) applications.
• Internet Engineering Task Force (IETF) standard.
• Similar to HTTP in commands and error codes.
• Similar to SMTP in addressing.
• Reuses many established network protocols and services like: NAT, DNS, MIME, RTP, RSVP, LDAP, RADIUS…
• Transport layer independent.
• Uses User Datagram Protocol (UDP) and Transmission Control Protocol (TCP).
2
All Rights Reserved © Alcatel-Lucent 2008,
About SIP
• SIP network components consist of four basic elements:
• User Agent (UA): IP phone, PC, PDA, multimedia handset.
• SIP Registrar Server: database of all UAs registered in a given domain. This is a name to IP address lookup like: Where is sip:[email protected]? Response: 135.10.10.11.
• SIP Proxy Server: directs the call signaling to the appropriate UA in the domain or to a separate SIP Proxy Server in another domain.
• SIP Redirect Server: allows SIP Proxy Servers to direct SIP session invitations to SIP Proxies in external domains.
• This process is very similar to H.323’s use of phones, gateways and gatekeepers.
3
About SIP (Call setup within the same domain)
• The call setup uses the UAs, Proxy, Registrar and sometimes the Redirect Server in the call setup signaling.
• The actual call, once set up, passes from one UA to the other UA directly. See RTP in the diagram.
4
About SIP (Call setup across domains)
• Similar setup to the last slide, but in this case the proxy will invoke the Redirect Server to find the appropriate proxy in the other domain to send the call signaling to.
5
Why Firewall SIP
• If all of your SIP signaling happened within your network, like interoffice calls, then it would all take place behind your firewall. This however is not usually the case. Most SIP proxies are connected to the internet, often in a DMZ. Remember that your SIP Proxy, much like a web server, is used for public connections to your network as well as connections from your network to other endpoints on the public network. Therefore all of the same concerns about DoS and DDoS attacks apply, as do concerns about spoofing and theft of service. These concerns make a firewall a necessary component in any SIP environment.
• Remember that SIP, like HTTP, SNMP and others, uses commands at the application layer (7). This means that you can’t just broadly allow the SIP signaling port (5060) and assume that you are secure. You need to actually filter at the application layer, examining each command.
6
Preparing to Configure the Application Filter
• The rest of the slides in this configuration example will walk you step by step through the fields in the SIP Application Filter, explaining what they do and how to configure them.
• Before you start, get information on how your SIP proxies are configured. You will want to know what range of ports they are using, whether they are using UDP or TCP, what their addresses are, what addresses you want to allow to them, and so on. Get as much information as you can.
• When configuring a firewall rule or application filter, it is always best to keep the settings fairly broad and open to start with. Once you have the application running you can examine your logs, then go back and tighten things up based on what you see.
• The logs will also give you information on drops to help you get the application running.
7
Configuring the SIP Application Filter
• The Alcatel-Lucent Bricks support application layer filtering of the SIP protocol as well as others.
• The SIP Application Filter is attached to the SIP service by default in the service groups (see the configuration example on applying application filters).
• From the main menu on the ALSMS select Application Filters, then select Sip Default.
• This opens the application filter for configuring.
8
Configuring the SIP Application Filter
• Fill in the Name and Description fields.
• We will save this under a different name and keep a copy of the default for future use.
• The next few slides will explain the use of each field in the SIP Application Filter.
9
Configuring the SIP Application Filter
• The Display and use Globally field is primarily an administrator tool, allowing the administrators to use the configured filter in any rule set in any group. This won’t affect the operation of the filter.
• Type is grayed out; keep SIP.
• You may want to fill in the length fields. Blank implies no limit.
• The “Entire” length needs to exceed the sum of the parts.
10
Configuring the SIP Application Filter
• If “Configure inside and Outside of Zone…” is checked you are allowing the same access in and out.
• If unchecked you will get separate “Max Forward Count” and “Dynamic Ports” options for in and out.
Max Forward Count is the largest value that the Max-Forwards header can have upon entering or leaving the zone. If the message is going OUT of the zone, the MAX forward OUTSIDE field is checked. If the message is going INTO the zone, the MAX forward INSIDE field is checked.
• “Dynamic Ports” are the actual ports that the firewall will open for the media sessions, i.e. the dynamic pinholes. You can restrict this range to match the proxy settings.
11
Configuring the SIP Application Filter
• “Session Audit” – This is a logging function. If checked, SIP-specific audit records are written to the log. Also, in your actual SIP rule change the “Session Audit” from “Basic” to “Detailed”; this will give you more information in your logs to troubleshoot with.
• “Exception Audit” – Also a logging function. Keep this checked for now and change the “Exception Audit” field in your rule to “Detailed”.
• Remember you want a lot of information in your logs to start with. Once things are running smoothly you may want to set these to “Basic” or turn them off.
12
Configuring the SIP Application Filter
• “Drop re-Connect…” This field blocks further packets from a source that has violated this filter in some way for “X” seconds. This is a good tool, but remember that the source addresses may be spoofed or NATed (so one offender can cause every host behind the same address to be blocked); handle this with care.
• “Media Transport” You should know this answer from your proxy settings. You can check both if both are used. If you don’t know the answer, check both, then examine your logs to see if both are used and adjust accordingly.
13
Configuring the SIP Application Filter
• “Media Max Streams in Session” – This value limits the number of “m=…” lines within the SDP body of the SIP message. If, say, audio and video were being set up, then there would be 2 media streams, hence two “m=…” lines.
• “Session Media VPN” – If you select “like Rule”, the media follows the “Action” field in your SIP rule: if the rule tunnels or passes, that is what will happen to the media. Select “No” if you want the media un-tunneled even though the rule is tunneling the SIP messages.
14
Configuring the SIP Application Filter
• Next click on the “Names and Other Addresses” tab.
• This is a table to fine tune what SIP traffic is allowed and where it is allowed to and from.
• The default settings that you see basically allow any valid SIP traffic to pass on port 5060.
• SIP traffic can be filtered based on IP address or range of addresses, FQDN or *.Domain, either inside or outside of the zone.
• There is a great deal of information on this table in the “Policy Guide”. For the sake of getting the application working, leave this at default. Come back and fine tune this later based on your network and examination of your logs.
15
Configuring the SIP Application Filter
• Next click on the DNS tab.
• There are options here to assign what DNS servers you will use. These can be set by: an address, two addresses separated by a comma, or a host group with DNS server addresses in it (see the configuration guide on DNS).
• This tab also allows you to assign a DNS Application Filter like “DNSdefault” or a customized version of that default filter.
• A DNS filter must be used due to the vulnerabilities associated with the DNS protocol. You can assign the DNS filter here or at the DNS rule in your rule set.
16
Configuring the SIP Application Filter
• Next click on the “Methods” tab.
• SIP uses commands, or “Methods” if you will, to communicate between endpoints in call signaling.
• Here you will see the “Methods” allowed by this filter.
• If you uncheck the “Configure inside and Outside…” check box you will be able to configure the inside and outside separately.
• The “Dialog” checkbox includes the necessary methods like INVITE, responses, BYE, ACK, CANCEL and so on.
17
Configuring the SIP Application Filter
• Register – allows the user agent (UA) to register with the registrar server. You may want to unselect this on the outside of the zone so that UAs outside cannot register with your registrar server.
• Info – is used to send control information during the call.
• Subscribe – The calling party uses this to request an update of the called party’s presence: present/registered or not.
• Refer – requests that the recipient REFER to a resource provided in the request. It provides a mechanism allowing the party sending the REFER to be notified of the outcome of the referenced request. This can be used to enable many applications, including call transfer.
• Message – This method is used for instant messaging services.
• Other – This field allows you to enter other “methods” or SIP commands. These are text commands, much like HTTP. The “Other” field can contain a comma-delimited list of methods, a blank or a wildcard (*). The default is wildcard.
18
Configuring the SIP Application Filter
• As you can see there are many other SIP commands (methods).
• If you are having problems with calls, examine your logs. You can sort by IP addresses to follow the call processing flow on any call. Look for things that are dropping and for errors. If you are missing “other” methods, go back and fill them into the “Other” field.
• SIP error codes are also very similar to HTTP error codes. You can find a complete list of them on the web.
• You can also find ALSMS error codes seen in your logs by selecting “Help>Error Codes”.
19
Examples of SIP Error Messages
• block: Host name Bell-Labs.com not resolvable:
• block: DNS subsystem not available:
• This will happen if the DNS resolver can't get to the IP of the DNS server itself because the DNS server is on a local interface to the Brick, but the DNS server IP address is not responding to ARPs.
• :block:Message should have more than one via:
• :block:From/TO address/port Changed:
• :block:Header Contact missing:
• :block:Unexpected SDP 0ffer/answer:
• :block:Not a SIP request or response((start line)):
• :block:CSeq method inconsistent(CSeq):Cseq. 8 INVITE:
• :block:Extra 356 bytes after end of message(Content-Length):
20
Examples of SIP Error Messages
• :block:Response but no request:
• Invalid characters in SIP message((start line)):INVITE <[email protected]> SIP/2.0:
• :block:Invalid characters in SIP message(From):From.Bell,Alexander <[email protected]>:
• block:Too many media streams(10)(field 'm',media section 10):m=video..............:
• :block:More Record-Route's than proxy Vias:
• :block:Invalid host name or address(Route):Route. <[email protected];maddr=100.200.300.400>,:
21
Examples of SIP Error Messages
• :block:Header too long 63:
• :block:Previous hop providing received address/port parameters::
• :block:Initial Cseq number too large::
• :block:Invalid port specification(field 'm', media section 1):m=audio 492170 RTP/AVP 0 12....:
• SIP-TEST-AF-1:discard:CSeq number out of range:INVITE........:
• :block:Unexpected header fields(Expires):Expires.03/13/2002:
22
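The per-method and per-header checks described on the “Methods” slides and illustrated by the block messages above, as an added Python example that is not code from the Alcatel-Lucent document or the Brick itself: a minimal SIP request checker with a per-direction method allow-list (REGISTER accepted only from inside), a Max-Forwards ceiling, CSeq/method consistency, Content-Length against the actual body, and a limit on SDP “m=” lines with a port sanity check. The direction names, allow-lists and limits are assumed values chosen for the example.

```python
# Added example, not from the Alcatel-Lucent document: a minimal SIP request
# checker doing the per-method and per-header checks the filter's block
# messages describe. Direction names, allow-lists and limits are assumed.
import re

DIALOG = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS"}  # the "Dialog" group
ALLOWED = {  # REGISTER accepted only from inside the zone
    "inside": DIALOG | {"REGISTER", "INFO", "SUBSCRIBE", "REFER", "MESSAGE"},
    "outside": DIALOG | {"INFO", "SUBSCRIBE", "REFER", "MESSAGE"},
}
MAX_FORWARDS = 70      # ceiling on the Max-Forwards header
MAX_MEDIA_STREAMS = 2  # e.g. audio + video: at most two SDP "m=" lines

def parse_sip(raw: bytes):
    """Split a request into (method, headers, body); header names lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")  # non-ASCII raises UnicodeDecodeError
    start = re.fullmatch(r"([A-Z]+) (\S+) SIP/2\.0", lines[0])
    if not start:
        raise ValueError("Not a SIP request (start line)")
    headers = {}
    for line in lines[1:]:  # compact forms and folded headers are not handled
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start.group(1), headers, body

def check_request(raw: bytes, direction: str) -> list:
    """Return the block reasons for one request; an empty list means it passes."""
    try:
        method, hdr, body = parse_sip(raw)
    except (ValueError, UnicodeDecodeError) as e:
        return [f"Rejected at parse: {e}"]
    reasons = []
    if method not in ALLOWED[direction]:
        reasons.append(f"Method {method} not allowed from {direction}")
    mf = hdr.get("max-forwards", ["0"])[0]
    if not mf.isdigit() or int(mf) > MAX_FORWARDS:
        reasons.append(f"Max-Forwards {mf} exceeds {MAX_FORWARDS}")
    cseq = hdr.get("cseq", [""])[0].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != method:
        reasons.append(f"CSeq method inconsistent (CSeq): {' '.join(cseq)}")
    clen = hdr.get("content-length", [None])[0]
    if clen is not None and (not clen.isdigit() or int(clen) != len(body)):
        reasons.append(f"Content-Length {clen} does not match {len(body)} body bytes")
    ports = re.findall(rb"^m=\S+ (\d+)", body, re.M)  # one match per media stream
    if len(ports) > MAX_MEDIA_STREAMS:
        reasons.append(f"Too many media streams ({len(ports)})")
    reasons += [f"Invalid port specification (field 'm'): {int(p)}"
                for p in ports if int(p) > 65535]
    return reasons
```

Feed `check_request` a captured request and the zone side it arrived from; each returned string corresponds to one of the block reasons the Brick logs, which is what you would sort through when a call fails.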
Finishing up.
• Once you have completed the configuration of your SIP Application Filter, save it under your new name from slide # 9.
• You can then attach your custom SIP Application Filter to your SIP rule in your rule set and apply it to your Bricks.
• For more information about applying an application filter see the configuration example on “Applying Application Filters”.
23
Configuring the SIP Application Filter
• For more detailed information on configuring the SIP Application Filter, go to the section on Configuring Application Filters in the Policy Guide.
• From the ALSMS you can access the manuals by clicking Help>On Line Product Manuals>(choose manual).
24