MediaPack SIP User's Manual, Version 4.6, June 2005
12 Security (MP-11x Only)
This section describes the security mechanisms and protocols implemented on the MP-11x. The
following list specifies the available security protocols and their objectives:
• SSL (Secure Socket Layer) / TLS (Transport Layer Security) – SSL/TLS provides privacy and
data integrity between two communicating applications over TCP/IP. It is used to secure the
following applications: SIP signaling (SIPS), Web access (HTTPS) and Telnet access (refer to
Section 12.1 below).
• RADIUS (Remote Authentication Dial-In User Service) – a RADIUS server is used to manage the
authentication of multiple users on a centralized platform (refer to Section 12.2 on page 217).
12.1 SSL/TLS (MP-11x Only)
TLS is the standardized successor to SSL; this manual uses the two names interchangeably. SSL/TLS
is the method used to secure the MP-11x SIP signaling connections, Embedded Web Server and
Telnet server. The protocol provides confidentiality, integrity and authenticity between two
communicating applications over TCP/IP.
Specifications for the SSL/TLS implementation:
• Supported protocol versions: SSL 2.0, SSL 3.0, TLS 1.0
• Supported ciphers: DES, RC4 compatible
• Authentication: X.509 certificates; CRLs (certificate revocation lists) are not supported
Note that SSL 2.0 and SSL 3.0 have since been prohibited (RFC 6176 and RFC 7568), and DES and
RC4 are no longer considered secure, so TLS 1.0 is the strongest version this implementation can
negotiate. Because CRLs are not supported, the gateway cannot learn that a peer certificate has
been revoked; take this into account when choosing certificate lifetimes.
12.1.1 SIP Over TLS (SIPS)
The MP-11x uses TLS over TCP to encrypt SIP transport and (optionally) to authenticate the peer.
To enable TLS on the MP-11x, set the selected transport type to TLS (SIPTransportType = 2). In
this mode the gateway initiates a TLS connection only to the next network hop. To enable TLS all
the way to the destination (over multiple hops), set EnableSIPS to 1. When a peer initiates a TLS
connection to the gateway, the gateway responds using TLS regardless of the configured SIP
transport type (in this case the parameter EnableSIPS is also ignored).
TLS and SIPS use the Certificate Exchange process described in Sections 12.1.4 and 12.1.5. To
change the port number used for SIPS transport (by default 5061), use the parameter
TLSLocalSIPPort.
When SIPS is used, two-way (mutual) authentication is sometimes required. When acting as the
TLS server (in a specific connection), the gateway can demand and verify the client's certificate.
To enable two-way authentication on the MP-11x, set the ini file parameter
SIPSRequireClientCertificate = 1. Without it, the gateway authenticates itself to the client but
does not authenticate the client at the TLS layer. For information on installing a client
certificate, refer to Section 12.1.5 on page 216.
12.1.2 Embedded Web Server Configuration
For additional security, you can configure the Embedded Web Server to accept only secured
(HTTPS) connections by setting the parameter HTTPSOnly to 1 (described in Table 5-36 on
page 127). Until you do so, plain HTTP management sessions are also accepted, and the
credentials used for them travel in cleartext.
You can also change the port number used for the secured Web server (by default 443) by
changing the ini file parameter HTTPSPort (described in Table 5-37 on page 128).
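The parameters in Sections 12.1.1 and 12.1.2 are all set in the gateway's ini file, so the practical check is to audit that file before loading it. The following script is an added example written for this manual; it is not AudioCodes code. It parses the `Name = Value` ini syntax, flags SIPTransportType, EnableSIPS, SIPSRequireClientCertificate and HTTPSOnly when they are not at the hardened values this section documents, reports the effective TLSLocalSIPPort and HTTPSPort (applying the documented defaults 5061 and 443), and writes back a hardened copy. The sample ini content is constructed; treating an absent parameter as non-compliant, and the value `1` meaning TCP in the sample comment, are assumptions not stated on this page.

```python
"""Audit an MP-11x style ini file for the SSL/TLS and HTTPS parameters
documented in Section 12.1, and emit a hardened copy.
Added example for this manual; not AudioCodes code."""

# Constructed sample of a weakly configured gateway (example data, not a device dump).
WEAK_INI = """\
; constructed MP-11x ini fragment
SIPTransportType = 1   ; assumption: 1 = TCP; the page documents only 2 = TLS
EnableSIPS = 0
TLSLocalSIPPort = 5061
SIPSRequireClientCertificate = 0
HTTPSOnly = 0
HTTPSPort = 443
"""

# Hardening rules: parameter -> (required value, reason). The values are the ones
# Section 12.1 documents; treating an absent parameter as non-compliant is an assumption.
RULES = {
    "SIPTransportType": ("2", "SIP signaling must use TLS (SIPTransportType = 2)"),
    "EnableSIPS": ("1", "EnableSIPS = 1 enables TLS on every hop, not only the next one"),
    "SIPSRequireClientCertificate": ("1", "demand the client's certificate (two-way authentication)"),
    "HTTPSOnly": ("1", "Embedded Web Server should accept only HTTPS"),
}

# Listening ports and their documented defaults, reported for firewall review.
PORT_DEFAULTS = {"TLSLocalSIPPort": "5061", "HTTPSPort": "443"}


def parse_ini(text):
    """Parse 'Name = Value' lines; ';' starts a comment. Returns {name: value}."""
    params = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def _get(params, name):
    """Case-insensitive lookup, since ini parameter names are not case-sensitive."""
    for key, value in params.items():
        if key.lower() == name.lower():
            return value
    return None


def audit(params):
    """Return findings as (parameter, current value or None, required value, reason)."""
    findings = []
    for name, (required, reason) in RULES.items():
        current = _get(params, name)
        if current != required:
            findings.append((name, current, required, reason))
    return findings


def listening_ports(params):
    """Effective TLS SIP and HTTPS ports, applying the documented defaults when unset."""
    return {name: int(_get(params, name) or default) for name, default in PORT_DEFAULTS.items()}


def harden(params):
    """Return a copy with every rule satisfied; other parameters are preserved."""
    fixed = dict(params)
    for name, (required, _) in RULES.items():
        for key in [k for k in fixed if k.lower() == name.lower()]:
            del fixed[key]  # drop any differently-cased duplicate before rewriting
        fixed[name] = required
    return fixed


def render_ini(params):
    """Serialize back to the 'Name = Value' form the gateway loads."""
    return "\n".join(f"{name} = {value}" for name, value in params.items()) + "\n"


if __name__ == "__main__":
    weak = parse_ini(WEAK_INI)
    for name, current, required, reason in audit(weak):
        print(f"{name}: {current!r} -> {required}  ({reason})")
    print("listening ports:", listening_ports(weak))
    print(render_ini(harden(weak)))
```

Run it against an exported ini file before uploading it to the gateway; the hardened output still needs the server and client certificates from Sections 12.1.4 and 12.1.5 installed, otherwise SIPSRequireClientCertificate = 1 will reject every peer.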