how to secure voip

Upload: hill-bert

Post on 15-Oct-2015


  • 29 December 2010

    How To Secure VoIP

  • 2010 Check Point Software Technologies Ltd.

    All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

    RESTRICTED RIGHTS LEGEND:

    Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

    TRADEMARKS:

    Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

    Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

  • Important Information

    Latest Software

    We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

    Latest Documentation

    The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11842

    For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

    Revision History

    Date Description

    12/29/2010 First release of this document

    Feedback

    Check Point is engaged in a continuous effort to improve its documentation.

    Please help us by sending your comments (mailto:[email protected]?subject=Feedback on How To Secure VoIP ).

  • Contents

    Important Information

    How To Secure VoIP

      Supported Versions

      Supported OS

      Supported VoIP Protocols

    Before You Start

      Related Documentation and Assumed Knowledge

      Impact on the Environment and Warnings

    Configuring VoIP Rules

    Types of Topologies

    Troubleshooting

    Known Issues

    Debugging

  • Supported Versions

    How To Secure VoIP Page 5

    How To Secure VoIP

    This document explains the steps for correctly configuring VoIP rules.

    Supported Versions

    NGX R65

    Software Blades R70

    Supported OS

    SecurePlatform

    Windows 2003

    Solaris

    IPSO

    Supported VoIP Protocols

    SIP

    H.323

    MGCP

    SCCP (Skinny)

    Before You Start

    Related Documentation and Assumed Knowledge

    The R65 and R70 Admin Guides are very important documents; they contain comprehensive information about protocols and topology options.

    Page 247 for R65 and page 241 for R70 contain full information about securing Voice over IP for the R65 version.

    Administration Manual - R65 (http://downloads.checkpoint.com/dc/download.htm?ID=7247)

    Administration Manual - R70 (http://downloads.checkpoint.com/dc/download.htm?ID=8738)

    R65 HFA_70 contains most of the SIP fixes which are available, hence upgrading to the latest HFA is important.

    The dedicated R65.2.100 version for securing VoIP is highly recommended. NGX R65.2.100 is a VoIP-aware Check Point gateway offering comprehensive security for Enterprises, Telecom networks, and Service Provider VoIP environments.


    Impact on the Environment and Warnings

    VoIP servers must be supported by Check Point.

    SIP traffic must be RFC compliant; otherwise SIP inspection will have to be disabled and high ports should be opened for RTP (data streaming).

    Debugging causes high load on the system. Monitor the CPU usage while debugging.

    Configuring VoIP Rules

    Step 1: Understanding the VoIP architecture

    Theoretically, we can split VoIP architectures into those that contain handover devices and those that do not. The Proxy and the Registrar are handover devices; generally, servers executing handovers are involved.

    Step 2: Setting up the VoIP environment

    1. Define the common VOIP environment, which contains a SIP handover device located in the DMZ.

    2. Define the VoIP domain object by right-clicking the Network Objects tree and selecting New > VoIP Domains > VoIP Domain SIP Proxy

    3. If one SIP server is involved, define only one VoIP domain. If two or more SIP servers are involved, define a VoIP domain for each SIP server IP address.

    4. In Rule Base, locate the following rule:


    Using the sip_any service is not recommended.

    5. This enforces handover, and the firewall dynamically opens ports for the RTP session. To avoid undesirable drops, enforcing handover is required on the R65 and R70 versions. The R65.2.100 version does not require this.

    6. Look in SmartView Tracker for relevant VoIP drops or SmartDefense drops.

    7. By default, SIP uses UDP port 5060. If SIP traffic uses a port other than the default 5060, create a new service as follows:

    a) From the SmartDashboard main menu, select Manage > Services > New > .. > UDP.

    b) In the UDP Service Properties window, name the new service and specify the new SIP port.

    c) Click Advanced. In the Advanced UDP Service Properties window, select the sip_udp Protocol Type and click OK.

    d) Define a rule (as above) in the Security Rule Base that uses the new service.
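
    The handover enforcement in step 5 and the "illegal redirection" drop can be pictured with a small model. This is an added example, not Check Point code: the VoipDomain class, the inspect function, the addresses and the INVITE are constructed for illustration, and opening RTCP on the RTP port plus one is an assumption of the model.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class VoipDomain:
    """Constructed stand-in for a 'VoIP Domain SIP Proxy' object."""
    proxy: str                # handover device (SIP proxy) address
    related_endpoints: list   # networks holding the phones it may route to

    def allows(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_network(n) for n in self.related_endpoints)

def parse_sdp_media(sip_message: str):
    """Return (connection address, audio port) from the SDP body, or None."""
    _, _, body = sip_message.partition("\r\n\r\n")
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    audio = re.search(r"^m=audio (\d+) RTP/AVP", body, re.M)
    if not conn or not audio:
        return None           # e.g. REGISTER: no media, nothing to open
    return conn.group(1), int(audio.group(1))

def inspect(src: str, dst: str, sip_message: str, domain: VoipDomain):
    """Model the verdict of a handover-enforcing gateway for one SIP message."""
    # The proxy may hand a call over only to its related endpoints.
    if src == domain.proxy and not domain.allows(dst):
        return ("drop", "illegal redirection")
    media = parse_sdp_media(sip_message)
    if media is None:
        return ("accept", [])
    ip, port = media
    # Open RTP on the negotiated port and RTCP on the next one (RFC 3550).
    return ("accept", [(ip, port), (ip, port + 1)])

def make_invite(media_ip: str, port: int) -> str:
    """Build a constructed INVITE carrying a minimal SDP offer."""
    sdp = (f"v=0\r\no=- 1 1 IN IP4 {media_ip}\r\ns=-\r\n"
           f"c=IN IP4 {media_ip}\r\nt=0 0\r\nm=audio {port} RTP/AVP 0\r\n")
    return ("INVITE sip:2001@example.test SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
            "Content-Type: application/sdp\r\n"
            f"Content-Length: {len(sdp)}\r\n\r\n{sdp}")

if __name__ == "__main__":
    dom = VoipDomain("192.0.2.10", ["10.1.0.0/24"])
    offer = make_invite("10.1.0.30", 49170)
    print(inspect("192.0.2.10", "10.1.0.25", offer, dom))  # in-domain phone
    print(inspect("192.0.2.10", "10.9.9.9", offer, dom))   # outside the domain
```

    The second call is dropped because the destination is not in the domain's related endpoints, which is the situation the Known Issues entry on illegal redirection describes.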


    Types of Topologies

    1. Proxy in an External Network - Use the example rule above in step #4.

    2. Proxy-to-Proxy Topology - Add VoIP domain objects to the source and the destination of the security rule.

    3. Proxy in DMZ Topology - Create a group object that contains the relevant endpoint (phone) networks and add it to the VoIP domain object. Add it to the security policy as follows:

    Troubleshooting

    Verify that there are no duplicated custom services for VoIP protocols, i.e., it is recommended to remove UDP_5060 services which are not predefined.

    Verify that the match happens on the proper rule by monitoring it in the SmartView Tracker logs.

    Verify that the protocol type is the default and not, for instance, NONE.

    It is recommended to use the predefined VoIP services. If manual services exist, remove them.


    Known Issues

    Issue: The source port of a SIP packet was modified (port 10000 and above).

    Potential Solution: This happens as part of the early NAT mechanism, which was resolved as part of the VoIP inspection. This mechanism should be transparent to the end user, and the original source port should be replaced correctly. Configure the rule base correctly as described above, or remove unnecessary VoIP services from the rule base.

    Issue: Illegal redirection drops.

    Potential solution: Configure the VoIP domain object as previously described (Configuring VoIP Rules). If a VoIP Domain object was defined but is not included in the rule base, add it to the rule base. If the addresses are not a part of the Related Endpoints Domain field (see step 2 under Setting up the VoIP environment), change it accordingly.

    Issue: NATted MGCP traffic passes the firewall, but the calls are still not established.

    Potential solution: Run the command:

    # fw ctl set int mgcp_standard_hide_nat 1

    The firewall will then perform standard hide NAT on MGCP traffic.

    Issue: MGCP traffic is dropped by the firewall without any drop log.

    Potential Solution: This is caused by a few known issues, which are already fixed. HFA_50 contains a few essential fixes for MGCP traffic. Upgrade to the latest HFA, or at least to HFA_50. Refer to sk42318 (http://supportcontent.checkpoint.com/solutions?id=sk42318) for the list of fixes.


    Issue: "Host exceeded call limit (possible spam or DoS attack)"

    Potential Solution: Increase the number of call attempts in the IPS tab, under the protection "VoIP Denial of Service".

    Issue: "Reinvites exceed the limit" drop log.

    Potential Solution: Increase the number of invitations in the IPS tab, under the protection "SIP Protections". (In versions older than R70: SmartDefense > Application Intelligence > VoIP > SIP > SIP Protections.) Refer to sk35563 (http://supportcontent.checkpoint.com/solutions?id=sk35563).


    Issue: Unknown SCCP message type

    Potential Solution: Run the command:

    # fw ctl set int sk_accept_unknown_messages 1

    Refer to sk34537 (http://supportcontent.checkpoint.com/solutions?id=sk34537)

    Issue: SIP traffic is dropped when the 2xx response is sent to a port different than 5060.

    Potential Solution: Upgrade the environment to at least HFA_50 (for the R65 version) or HFA_10 (for the R70 version). Refer to sk42318 (http://supportcontent.checkpoint.com/solutions?id=sk42318), fix ID 00418363.


    Debugging

    The most important part of VoIP troubleshooting is to understand the traffic flow, i.e., to compare how it actually flows as opposed to how it should flow.

    To debug VoIP scenarios, do the following:

    1. Disable SecureXL and IPSO flows (if it is on IPSO) before starting debug.

    2. Run the following kernel debug on the enforcement module to see why the Firewall Gateway drops the packet.

    Warning: This will cause load on the CPU.

    # fw ctl debug 0

    # fw ctl debug -buf 32000

    # fw ctl debug -m fw + drop conn sip ld

    # fw ctl kdebug -f -T > fw.ctl

    3. In another shell, at the same time, run the fw monitor command:

    # fw monitor -e "accept;" -o fwmon.out

    4. Replicate the problem.

    5. After replicating the problem, stop the debug:

    # fw ctl debug 0

    6. Stop the firewall monitor by pressing Ctrl+C.

    IMPORTANT

    The debug and firewall monitor must all be running when the problem occurs.

    These debug outputs should give Check Point support an indication of the cause of the VoIP-related issue.

    If you performed the steps in this guide and the issue still occurs, contact Check Point support and open a new Service Request with all the relevant information collected by you so far.