Enabling SIP to the Enterprise
Security: How SIP Improves Telephony
Steve Johnson, Ingate Systems
Managed SIP Trunk Connected to Separate Enterprise VoIP LAN in Operator's Space
[Diagram: SIP trunking provider network (SIP system, PSTN GW) reached over the public Internet by a managed SIP trunk that terminates on a separate VoIP LAN holding the IP-PBX; the enterprise firewall and data LAN sit beside it, with question marks at the boundary between the two LANs.]
• No remote users!
• No soft or multimedia clients!
• Operator: security warning!
• Enterprise: security warning!
Managed SIP Trunking with SBC Adapting SIP to the NATed Space of the Enterprise LAN
[Diagram: SIP trunking provider network (SIP system, PSTN GW, other customers) connected over the public Internet by a managed SIP trunk through the enterprise firewall to a combined VoIP and data LAN holding the IP-PBX.]
• No remote users!
• Enterprise: can we trust having our LAN pulled to the operator?
Ingate Firewall® Creating a Common Data and VoIP LAN for Managed SIP Trunking Service
[Diagram: SIP trunking provider network (SIP system, PSTN GW) over the managed SIP trunk and remote users over the public Internet both arrive at the Ingate Firewall®, behind which one data and VoIP LAN holds the IP-PBX, soft clients and multimedia terminals.]
• Demarcation point and SIP communication via both WAN pipes.
NAT/Firewall Traversal Problem when SIP Trunking over the Internet
[Diagram: SIP trunking provider (SIP system, PSTN GW) over the public Internet to an existing firewall in front of the data LAN and IP-PBX.]
• SIP trunking does not pass a SIP-unaware NAT/firewall!
• … and the firewall cannot even be opened enough to make it work.
Ingate SIParator® Used with Existing Firewall for SIP Trunking Service over Internet
[Diagram: SIP trunking provider (SIP system, PSTN GW) and remote users over the public Internet; the SIP trunk over the Internet passes the existing firewall and the Ingate SIParator® to reach the data and VoIP LAN with the IP-PBX, soft clients and multimedia terminals.]
• Demarcation point, bringing SIP communication to the LAN.
The Function of a Full Featured SIP Proxy
[Diagram: Ingate SIP Proxy/Registrar between the ITSP (public 168.x.xx address space) and the IP-phone (private 10.x.xx address space); SIP signaling passes through the proxy, media through the opened ports.]
1. Check the SIP signaling (packet inspection) – full flexibility to handle future threats
2. Rewrite for the different address spaces
3. Forward the signaling to the correct SIP proxy or client
4. Open ports (UDP/TCP) in the firewall for the media – only for the duration of the call, and only between the exact endpoints
5. Media flows through the ports
6. Close the ports after the call
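As an added illustration of steps 1 and 3 through 6 above, the Python below models a SIP-aware firewall that learns the media endpoints from the offer/answer SDP and opens a pinhole only for that call and those exact endpoints. This is hypothetical code, not Ingate's; the SIP messages, Call-ID and addresses are constructed, and the address rewriting of step 2 is left out.

```python
import re
# Constructed sample messages: ITSP INVITE offer (public side), the PBX's 200 OK
# answer from the private 10.x LAN, and the BYE that ends the call.
INVITE = ("INVITE sip:1000@pbx.example.invalid SIP/2.0\r\nCall-ID: c1\r\n\r\n"
          "v=0\r\nc=IN IP4 203.0.113.7\r\nm=audio 40000 RTP/AVP 0\r\n")
OK = ("SIP/2.0 200 OK\r\nCall-ID: c1\r\n\r\n"
      "v=0\r\nc=IN IP4 10.0.0.20\r\nm=audio 16384 RTP/AVP 0\r\n")
BYE = "BYE sip:1000@pbx.example.invalid SIP/2.0\r\nCall-ID: c1\r\n\r\n"
CALL_ID = re.compile(r"^Call-ID:\s*(\S+)", re.M | re.I)

def sdp_media(msg):
    """Return (ip, port, proto) from the c= and m=audio lines of the SDP body."""
    ip, port, proto = None, None, None
    for line in msg.partition("\r\n\r\n")[2].split("\r\n"):
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            f = line.split()
            port, proto = int(f[1]), ("TCP" if "TCP" in f[2] else "UDP")
    return (ip, port, proto) if ip and port else None

class SipAwareFirewall:  # hypothetical model of the proxy's pinhole handling
    def __init__(self):
        self.offers = {}    # Call-ID -> remote media endpoint learned from the INVITE
        self.pinholes = {}  # Call-ID -> (remote endpoint, local endpoint, proto)

    def on_signaling(self, msg):
        """Step 1: inspect the signaling; steps 4 and 6: open/close the pinhole."""
        m = CALL_ID.search(msg)
        if not m:                                   # malformed signaling is dropped
            return "dropped"
        call_id, first = m.group(1), msg.split("\r\n", 1)[0]
        if first.startswith("INVITE"):
            offer = sdp_media(msg)
            if offer:                               # remember the offered endpoint
                self.offers[call_id] = offer
            return "offer" if offer else "dropped"
        if first.startswith("SIP/2.0 200") and self.offers.get(call_id):
            answer, (rip, rport, proto) = sdp_media(msg), self.offers.pop(call_id)
            if answer:                              # pinhole: exact endpoints only
                self.pinholes[call_id] = ((rip, rport), answer[:2], proto)
            return "open" if answer else "dropped"
        if first.startswith("BYE"):
            self.pinholes.pop(call_id, None)        # close as soon as the call ends
            return "closed"
        return "ignored"

    def allows(self, src, dst, proto):
        """Step 5: a media packet passes only if it matches an open pinhole exactly."""
        return any(p == proto and {a, b} == {src, dst} for a, b, p in self.pinholes.values())
```

Before the 200 OK arrives, after the BYE, or from any other port, the media packet is refused; only the exact endpoint pair negotiated for call c1 passes while the call is up.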
SPIT, DoS – Filter, IDS/IPS
[Diagram: mobile user and spammer reach the IP-PBX through the Internet and the ITSP.]
• Dynamically allow authenticated users
• Block non-authenticated users
• Monitor traffic and block endpoints with abnormal behavior
Encryption
• Encrypted SIP signalling – support for TLS
• Encrypted media – support for SRTP (SDP security descriptions, "sdescriptions")
• Termination, pass-through or transcoding
[Diagram: IP-phone – TLS and SRTP – Ingate Firewall or SIParator – in the clear or TLS and SRTP – IP-PBX / SIP server.]
Branch Office and Partner Interconnect
[Diagram: US office (Ingate Firewall®, IP-PBX) connected over the Internet to a Swedish office (SIP-unaware firewall, Ingate SIParator® in the DMZ, IP-PBX) and to customers and partners.]
• Connecting branch offices
• Securing with TLS and encrypted media (SRTP)
Enabling SIP to the Enterprise
Ingate Systems
Steven J. Johnson
603-883-6569
steve@ingate.com
www.ingate.com