...
Overview
...
Overview:
The IMG now supports TLS (Transport Layer Security) to establish trust with each external SIP gateway or trusted domain. TLS provides endpoint authentication by using 'Mutual' or 'Two-Way' authentication on a hop-by-hop basis: both the server and its client present certificates issued by a Certificate Authority, and each side verifies the other's certificate. The IMG uses a digital certificate for authentication and a public key for encryption/decryption. Once the sender's certificate is verified, the receiver sends its own certificate to the sender for verification. When all information is verified, SIP signaling can begin. Below is a diagram showing the TLS certification process supported on the IMG.
...
TLS only allows SIP entities to authenticate the servers to which they are adjacent. Establishing a TLS connection authenticates both transport endpoints but does not authenticate the SIP messages flowing through the link: two proxies may carry traffic between them over TLS, but this does not stop a malicious gateway from injecting suspect SIP traffic at either end of the TLS link. SIPS (the sips: URI scheme) can be used to require that TLS is maintained for all hops carrying SIP messages, reducing the risk of such an attack. SIPS is enabled/disabled in the IMG 1010 - SIP Profile - 10.5.3 pane.
Supported Information:
The IMG supports SSLv3 and TLSv1. SSLv3 is deprecated (RFC 7568) and should only be negotiated with peers that cannot use TLSv1.
TLS is supported only over TCP and requires a separate listening port. The default port is 5061 and is configurable in the SIP Signaling object.
The IMG supports 128-bit encryption.
A Certificate Database is created and uploaded to the IMG.
The IMG allows a maximum of 16 Trust IDs (certificate entries).
TLS is also supported on the IMG's virtual IP addresses.
The IMG supports X.509 certificates only and limits the chain of CA certificates checked during certificate verification to a maximum depth of four.
Certificate validation checks each certificate's validity period, so the clock on the IMG must be synchronized with network time; an IMG whose clock is wrong will reject valid certificates as not yet valid or expired. To configure the clock, see IMG 1010 - Configure SNTP on GCEMS Server.
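The certificate checks described above (mutual authentication against a CA in the trusted database, a bounded CA chain depth, and validity-period checks that depend on a correct clock), as an added example that is not part of the IMG documentation or of the IMG's own software: a POSIX shell script that uses the openssl command line to build a throwaway X.509 hierarchy and then runs each check against it. Every CA name and hostname in it (Example Root CA, img.example.net, gateway.example.net, the Intermediate N chain) is invented for the demo. The IMG's depth-of-four rule is mapped onto openssl's -verify_depth option, which in OpenSSL 1.1.0 and later counts intermediate CAs only (neither the leaf nor the trust anchor counts), so the two products may not count a chain identically.

```shell
#!/bin/sh
# Added example; not taken from the IMG documentation. Uses the openssl CLI to
# build a throwaway X.509 hierarchy and exercise the three checks the page
# describes: mutual authentication against a trusted CA, a bounded CA chain
# depth, and time-based validity. Every name below (Example Root CA,
# img.example.net, gateway.example.net, Intermediate N) is invented.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF

# make_root PREFIX CN: self-signed root CA certificate and key.
make_root() {
  openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$2" -extensions v3_ca -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue PREFIX CN ISSUER_PREFIX ca|leaf: new key + CSR, signed by ISSUER_PREFIX.
issue() {
  openssl req -config req.cnf -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ "$4" = ca ]; then
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1.ext"
  else
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\n' > "$1.ext"
  fi
  openssl x509 -req -days 365 -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
    -CAcreateserial -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# verify_cert LEAF CAFILE UNTRUSTED EXTRA: exit 0 iff openssl accepts LEAF.
# UNTRUSTED may be ""; EXTRA is deliberately unquoted so it can carry options.
verify_cert() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" $4 "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" $4 "$1" >/dev/null 2>&1
  fi
}

# 1. One trusted root (the only entry in our "certificate database") and the
#    two ends of a SIP hop. In mutual TLS each side verifies the other's chain.
make_root root "Example Root CA"
issue img "img.example.net" root leaf
issue gw  "gateway.example.net" root leaf

# 2. A gateway certificate from a CA that is NOT in the database.
make_root rogue "Untrusted CA"
issue rogue_gw "gateway.example.net" rogue leaf

# 3. Chains through four and through five intermediate CAs.
issue n1 "Intermediate 1" root ca
issue n2 "Intermediate 2" n1 ca
issue n3 "Intermediate 3" n2 ca
issue n4 "Intermediate 4" n3 ca
issue n5 "Intermediate 5" n4 ca
issue deep4 "deep4.example.net" n4 leaf
issue deep5 "deep5.example.net" n5 leaf
cat n1.pem n2.pem n3.pem n4.pem n5.pem > intermediates.pem

NOW=$(date +%s)

# Each check returns 0 when openssl accepts the certificate, non-zero otherwise.
check_img_cert() { verify_cert img.pem root.pem "" ""; }
check_gw_cert()  { verify_cert gw.pem  root.pem "" ""; }
check_rogue_gw() { verify_cert rogue_gw.pem root.pem "" ""; }
# -verify_depth counts intermediate CAs only (OpenSSL >= 1.1.0); the leaf and
# the trust anchor are free. Depth 4 admits the 4-intermediate chain, not the 5.
check_depth4()   { verify_cert deep4.pem root.pem intermediates.pem "-verify_depth 4"; }
check_depth5()   { verify_cert deep5.pem root.pem intermediates.pem "-verify_depth 4"; }
# check_at_offset SECONDS: validate gw.pem as if the local clock were off by
# SECONDS. A clock a day behind rejects a freshly issued certificate as "not
# yet valid"; one two years ahead rejects it as expired.
check_at_offset() { verify_cert gw.pem root.pem "" "-attime $((NOW + $1))"; }

for c in check_img_cert check_gw_cert check_rogue_gw check_depth4 check_depth5; do
  if "$c"; then echo "$c: accepted"; else echo "$c: rejected"; fi
done
for off in 0 -86400 63072000; do
  if check_at_offset "$off"; then echo "clock offset $off: accepted"
  else echo "clock offset $off: rejected"; fi
done
```

Run it with sh on any host that has the openssl binary; it prints accepted or rejected for each case. No TLS handshake is performed: the chain, trust-anchor and validity-period verification that openssl performs here is the same verification each TLS endpoint applies to its peer's certificate during the handshake, and the rogue-CA case is exactly what keeping the certificate database small (the IMG allows 16 entries) is meant to enforce.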
Not Supported:
CRLs (Certificate Revocation Lists) are not supported, so a compromised or revoked peer certificate remains trusted until it expires or the certificate database is updated.
SNMP or MIB requirements are not supported.
DNS or ENUM lookups of NAPTR/SRV records containing SIP URIs are not supported.