Enhancing SIP pinhole security

You can use the strict-register option in a SIP VoIP profile to open smaller pinholes.

As shown below, when a FortiGate unit is protecting a SIP server on a private network, it does not have to open a pinhole for the SIP server to send INVITE requests to a SIP phone on the Internet after the phone has registered with the server: the server's outbound traffic can be allowed by an ordinary security policy instead.

 

[Figure: FortiGate unit protecting a SIP server on a private network. The FortiGate unit is in NAT/Route mode. The SIP server (10.11.101.50) is published on the Internet through the virtual IP 172.20.120.50; SIP Phone A (PhoneA@172.20.120.20) is on the Internet side.]

  1. Phone A sends a REGISTER message to the SIP server:
     Client IP: 172.20.120.20
     Server IP: 172.20.120.50
     Port: UDP (x,5060)
     REGISTER Contact: 172.20.120.20:y
  2. The FortiGate unit forwards the REGISTER message to the SIP server, translating the virtual IP to the server's real address:
     Client IP: 172.20.120.20
     Server IP: 10.11.101.50
     Port: UDP (x,5060)
     REGISTER Contact: 172.20.120.20:y
  3. The SIP server sends a 200 OK response to Phone A.
  4. The SIP server sends an INVITE request to Phone A.
  5. The FortiGate unit accepts the session from the SIP server (through the outbound security policy, without a pinhole) and forwards the INVITE request to Phone A.

In the example, a client (SIP Phone A) sends a REGISTER request to the SIP server with the following information:

Client IP: 172.20.120.20

Server IP: 172.20.120.50 (the virtual IP; the FortiGate unit translates it to the server's real address, 10.11.101.50)

Port: UDP (x,5060)

REGISTER Contact: 172.20.120.20:y

Where x and y are ports chosen by Phone A: x is the source port of the REGISTER, and y is the port in its Contact header, to which the server sends subsequent requests for Phone A.

As soon as the server sends the 200 OK reply it can forward INVITE requests from other SIP phones to SIP Phone A. If the SIP proxy server uses the Contact information in the REGISTER message received from SIP Phone A, the INVITE messages sent to Phone A will only get through the FortiGate unit if either a security policy has been added to allow the server to send traffic from the private network to the Internet, or the SIP ALG opens a pinhole to allow traffic from the server to the Internet. In most cases the FortiGate unit is protecting the SIP server, so there is no reason not to add a security policy that allows the SIP server to send outbound traffic to the Internet; the ALG then does not need a pinhole for this direction.
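The outbound policy that paragraph calls for, as an added FortiOS CLI example that is not from the original page. The interface names internal and wan1, the address object name SIP_Server and the profile name Profile_name are assumptions, and the exact UTM keywords (utm-status, voip-profile) vary between FortiOS releases:

```text
config firewall address
    edit "SIP_Server"
        set subnet 10.11.101.50 255.255.255.255
    next
end

config firewall policy
    edit 0
        set comments "added example; interface and object names are assumptions"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "SIP_Server"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP"
        set nat enable
        set utm-status enable
        set voip-profile "Profile_name"
    next
end
```

The policy is deliberately narrow: one source address and only the SIP service, since phones can be anywhere on the Internet but nothing except SIP signalling should leave the server. Attaching the VoIP profile keeps the SIP ALG inspecting the outbound INVITEs, so the media (RTP) pinholes for the resulting calls are still opened and closed by the ALG rather than by a permanent policy.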

In a typical SOHO scenario, shown below, SIP Phone A is being protected from the Internet by a FortiGate unit. In most cases the FortiGate unit would not allow incoming traffic from the Internet to reach the private network. So the only way that an INVITE request from the SIP server can reach SIP Phone A is if the SIP ALG creates an incoming pinhole. All pinholes have three attributes:

(source address, destination address, destination port)

 

[Figure: SOHO configuration, FortiGate unit protecting a network with SIP phones. The FortiGate unit is in NAT/Route mode; SIP Phone A (PhoneA@10.11.101.20) is on the private network and the SIP proxy server (172.20.120.50) is on the Internet.]

  1. Phone A sends a REGISTER message to the SIP proxy server:
     Client IP: 10.11.101.20
     Server IP: 172.20.120.50
     Port: UDP (x,5060)
     REGISTER Contact: 10.11.101.20:y
  2. The FortiGate unit forwards the REGISTER message to the SIP proxy server. Because of NAT, the server sees the message coming from the FortiGate unit's Internet-facing address, 172.20.120.141, and sends its replies there.
  3. The FortiGate unit opens a pinhole to accept sessions from the SIP server. If strict-register is enabled the pinhole is (172.20.120.50, 172.20.120.141, y). If strict-register is disabled the pinhole is (ANY, 172.20.120.141, y).
  4. The SIP proxy server sends a 200 OK response to Phone A.
  5. The FortiGate unit accepts the response through the open pinhole and forwards it to Phone A.

The more specific a pinhole is, the more secure it is, because it accepts less traffic. In this situation the pinhole would be more secure if it only accepted traffic from the SIP server. This is what happens if strict-register is enabled in the VoIP profile that accepts the REGISTER request from Phone A:

(SIP server IP address, client IP address, destination port)

If strict-register is disabled (the default configuration) the pinhole is set up with the following attributes:

(ANY IP address, client IP address, destination port)

This pinhole allows connections through the FortiGate unit from ANY source address to the client's port y, which is a much bigger and less secure pinhole: any host on the Internet that learns or guesses that port can send SIP traffic to Phone A through it for as long as the pinhole stays open. In most similar network configurations you should enable strict-register to improve pinhole security.

Enabling strict-register can cause problems when the SIP registrar and SIP proxy server are separate entities with separate IP addresses. The pinhole is opened only for the address that received the REGISTER (the registrar), so an INVITE that arrives from the proxy's different address does not match the pinhole and is dropped, and inbound calls to the phone fail.
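To make the pinhole comparison and the registrar/proxy caveat concrete, here is an added Python model of the filtering logic described above. It is an illustration written for this page, not FortiGate code: it assumes the pinhole is exactly the (source address, destination address, destination port) triple, that the ALG takes the destination port from the Contact header of the REGISTER, and it uses a constructed REGISTER message. The separate proxy address 172.20.120.51 and the unrelated Internet host 203.0.113.7 are made-up values for the example.

```python
"""Toy model of SIP ALG pinholes with and without strict-register.

Added illustration, not FortiGate code. Assumes a pinhole is the triple
(source address, destination address, destination port) and that the
destination port is the port y from the REGISTER's Contact header.
All addresses and the REGISTER text below are constructed for the example.
"""
import re
from dataclasses import dataclass

ANY = "ANY"  # wildcard source used when strict-register is disabled


@dataclass(frozen=True)
class Pinhole:
    src: str    # registrar address, or ANY
    dst: str    # address the server sends to (FortiGate Internet-facing IP)
    dport: int  # port y learned from the Contact header

    def accepts(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """True if an inbound packet (src_ip -> dst_ip:dst_port) matches the pinhole."""
        return self.src in (ANY, src_ip) and self.dst == dst_ip and self.dport == dst_port


def parse_contact(register: str) -> tuple[str, int]:
    """Return (host, port) from the REGISTER Contact header (the ':y' in the article)."""
    m = re.search(r"^Contact:\s*<?sip:(?:[^@>\s]+@)?([\d.]+):(\d+)", register, re.M | re.I)
    if not m:
        raise ValueError("REGISTER has no usable Contact header")
    return m.group(1), int(m.group(2))


def open_pinhole(register: str, registrar_ip: str, outside_ip: str,
                 strict_register: bool) -> Pinhole:
    """Model the pinhole the ALG opens after forwarding a REGISTER to registrar_ip."""
    _, y = parse_contact(register)
    return Pinhole(registrar_ip if strict_register else ANY, outside_ip, y)


# Constructed REGISTER from Phone A (10.11.101.20); source port x=49152, Contact port y=5062.
REGISTER = (
    "REGISTER sip:172.20.120.50 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.11.101.20:49152;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:PhoneA@10.11.101.20>;tag=1928301774\r\n"
    "To: <sip:PhoneA@10.11.101.20>\r\n"
    "Call-ID: a84b4c76e66710@10.11.101.20\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:PhoneA@10.11.101.20:5062>\r\n"
    "Content-Length: 0\r\n\r\n"
)

REGISTRAR = "172.20.120.50"  # SIP proxy/registrar from the article
PROXY = "172.20.120.51"      # hypothetical separate proxy (the caveat case)
OUTSIDE = "172.20.120.141"   # FortiGate Internet-facing address from the article
ATTACKER = "203.0.113.7"     # hypothetical unrelated Internet host

# Constructed inbound packets: (label, source IP, destination IP, destination port)
INBOUND = [
    ("200 OK from registrar", REGISTRAR, OUTSIDE, 5062),
    ("INVITE relayed by registrar", REGISTRAR, OUTSIDE, 5062),
    ("INVITE from separate proxy", PROXY, OUTSIDE, 5062),
    ("INVITE from unrelated host", ATTACKER, OUTSIDE, 5062),
    ("probe on another port", ATTACKER, OUTSIDE, 5063),
]


def evaluate(strict_register: bool) -> dict[str, bool]:
    """Map each constructed inbound packet to whether the pinhole lets it through."""
    ph = open_pinhole(REGISTER, REGISTRAR, OUTSIDE, strict_register)
    return {label: ph.accepts(s, d, p) for label, s, d, p in INBOUND}


if __name__ == "__main__":
    for strict in (False, True):
        print(f"strict-register {'enable' if strict else 'disable'}:")
        for label, ok in evaluate(strict).items():
            print(f"  {'ACCEPT' if ok else 'DROP  '} {label}")
```

With strict-register disabled the unrelated host reaches Phone A's port through the (ANY, 172.20.120.141, y) pinhole; with it enabled only the registrar's address passes, which is also why the INVITE from the separate proxy address is dropped in the caveat above.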

 

Enter the following commands to enable strict-register in a VoIP profile, where Profile_name is the name of the profile applied to the security policy that accepts the REGISTER request (the closing next and end return to the top of the CLI tree):

    config voip profile
        edit Profile_name
            config sip
                set strict-register enable
            end
        next
    end