User's Manual
SIP User's Manual 12. Security
Version 5.0 279 December 2006
12 Security
This section describes the security mechanisms and protocols implemented on the
MediaPack. The following list specifies the available security protocols and their objectives:
• IPSec and IKE – The IPSec and IKE protocols are part of the IETF standards for
  establishing a secured IP connection between two applications. IPSec and IKE are
  used in conjunction to provide security for control and management protocols, but
  not for media (refer to Section 12.1 below).
• SSL (Secure Sockets Layer) / TLS (Transport Layer Security) – The SSL / TLS
  protocols are used to provide privacy and data integrity between two communicating
  applications over TCP/IP. They are used to secure the following applications: SIP
  Signaling (SIPS), Web access (HTTPS) and Telnet access (refer to Section 12.2 on
  page 288).
• Secured RTP (SRTP) – SRTP, according to RFC 3711, is used to encrypt RTP and RTCP
  transport (refer to Section 12.3 on page 293).
• RADIUS (Remote Authentication Dial-In User Service) – A RADIUS server is used to
  enable multiple-user management on a centralized platform (refer to Section 12.4 on
  page 294).
• Internal Firewall – The internal firewall allows filtering of unwanted inbound
  traffic (refer to Section 12.5 on page 297).
12.1 IPSec and IKE
IP Security (IPSec) and Internet Key Exchange (IKE) protocols are part of the IETF
standards for establishing a secured IP connection between two applications (also referred
to as peers). Providing security services at the IP layer, IPSec and IKE are transparent to
IP applications.
IPSec and IKE are used in conjunction to provide security for control and management
(e.g., SNMP and Web) protocols, but not for media (i.e., RTP, RTCP and T.38).
IPSec is responsible for securing the IP traffic. This is accomplished by using the
Encapsulating Security Payload (ESP) protocol to encrypt the IP payload (illustrated in
Figure 12-1 below). The IKE protocol is responsible for obtaining the IPSec encryption keys
and the encryption profile, known together as the IPSec Security Association (SA).
Figure 12-1: IPSec Encryption
Note: IPSec doesn’t function properly if the gateway’s IP address is changed
on-the-fly, because the crypto hardware can only be configured on reset.
Therefore, reset the gateway after you change its IP address.
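The following is an added example, not part of the original manual or the vendor's code. It classifies raw IPv4 packets the way an on-path observer sees them, so a capture taken next to the gateway can be checked for management traffic (SNMP, Web) that is still in the clear instead of inside ESP; media is reported separately because IPSec does not cover it. Assumptions: native ESP (IP protocol 50), unfragmented packets, SNMP on UDP 161 and Web on TCP 80, and constructed sample packets.

```python
import struct

ESP, TCP, UDP = 50, 6, 17
IKE_PORT = 500  # IKE runs over UDP port 500
# Assumed default ports for the management protocols the manual names.
MGMT_PORTS = {(UDP, 161): "SNMP", (TCP, 80): "Web"}

def classify(packet: bytes) -> dict:
    """Report what an on-path observer can read from one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto, body = packet[9], packet[ihl:]
    if proto == ESP:
        if len(body) < 8:
            raise ValueError("truncated ESP header")
        # Only the SPI and sequence number are readable; the rest is
        # ciphertext and integrity data.
        spi, seq = struct.unpack("!II", body[:8])
        return {"kind": "esp", "spi": spi, "seq": seq, "opaque_bytes": len(body) - 8}
    if proto in (TCP, UDP):
        if len(body) < 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", body[:4])
        if proto == UDP and IKE_PORT in (sport, dport):
            return {"kind": "ike"}
        for port in (dport, sport):
            if (proto, port) in MGMT_PORTS:
                return {"kind": "cleartext-management", "protocol": MGMT_PORTS[(proto, port)]}
        return {"kind": "cleartext-other", "dport": dport}
    return {"kind": "other", "proto": proto}

def ipv4(proto: int, body: bytes) -> bytes:
    """Build a constructed sample packet (RFC 5737 addresses, checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + body

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed samples: protected traffic, key exchange, unprotected SNMP, media.
SAMPLES = [ipv4(ESP, struct.pack("!II", 0x1001, 7) + bytes(32)),
           ipv4(UDP, udp(500, 500, bytes(28))),
           ipv4(UDP, udp(40000, 161, b"snmp-get")),
           ipv4(UDP, udp(6000, 6000, bytes(12)))]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify(pkt))
```

A "cleartext-management" result for a peer that should have a Security Association means that traffic is bypassing IPSec; "cleartext-other" results for media ports are expected, since RTP, RTCP and T.38 are outside IPSec's scope.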