Cullen Jennings fluffy@cisco.com. July 2015



Similar documents
Vesselin Tzvetkov, Holger Zuleger {vesselin.tzvetkov, Arcor AG&Co KG, Alfred-Herrhausen-Allee 1, Eschborn, Germany

LifeSize Transit Deployment Guide June 2011

Chapter 11 Cloud Application Development

Cisco TelePresence Video Communication Server (Cisco VCS) IP Port Usage for Firewall Traversal. Cisco VCS X8.5 December 2014

How Your Computer Accesses the Internet through your Wi-Fi for Boats Router

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

IP Ports and Protocols used by H.323 Devices

Cisco Expressway IP Port Usage for Firewall Traversal. Cisco Expressway X8.1 D December 2013

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

UCi2i Video Conference Endpoint Firewall Requirements. UCi2i Video Conference Endpoint Firewall Requirements

MyIC setup and configuration (with sample configuration for Alcatel Lucent test environment)

Application Note. Onsight Connect Network Requirements v6.3

TLS and SRTP for Skype Connect. Technical Datasheet

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Crossing firewalls. Liane Tarouco Leandro Bertholdo RNP POP/RS. Firewalls block H.323 ports

CS5008: Internet Computing

Basic Vulnerability Issues for SIP Security

Application Note. Onsight TeamLink And Firewall Detect v6.3

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Firewall Firewall August, 2003

Building WebRTC Solutions with the Avaya WebRTC Collaboration Environment Snap-in. Joel Ezell Lead Architect, Collaboration Environment R&D

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

FIREWALL AND NAT Lecture 7a

CSCE 465 Computer & Network Security

nexvortex Setup Guide

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

Application Note. Firewall Requirements for the Onsight Mobile Collaboration System and Hosted Librestream SIP Service v5.0

White Paper. Traversing Firewalls with Video over IP: Issues and Solutions

UCi2i Video Conference Endpoint Firewall Requirements

Stateful Firewalls. Hank and Foo

Chapter 32 Internet Security

Firewall Defaults and Some Basic Rules

Solution of Exercise Sheet 5

Dial91 iphone User Guide

allow all such packets? While outgoing communications request information from a

This article describes a detailed configuration example that demonstrates how to configure Cyberoam to provide the access of internal resources.

Polycom. RealPresence Ready Firewall Traversal Tips

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Computer Security: Principles and Practice

Computer Networks. Secure Systems

SIP Trunking Configuration with

FRAFOS GmbH Windscheidstr. 18 Ahoi Berlin Germany

Computer Security DD2395

Why SSL is better than IPsec for Fully Transparent Mobile Network Access

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

FIREWALLS IN NETWORK SECURITY

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Chapter 3 Security and Firewall Protection

Bria iphone Edition User Guide

DoS/DDoS Attacks and Protection on VoIP/UC

Dissertation Title: SOCKS5-based Firewall Support For UDP-based Application. Author: Fung, King Pong

Internet Privacy Options

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Bit Chat: A Peer-to-Peer Instant Messenger

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Introduction to Computer Security Benoit Donnet Academic Year

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

Source-Connect Network Configuration Last updated May 2009

Firewalls, Tunnels, and Network Intrusion Detection

Networking for Caribbean Development

Setting up a reflector-reflector interconnection using Alkit Reflex RTP reflector/mixer

Appendix D Firewall Log Formats

Bria iphone Edition User Guide

Protocol Security Where?

Who Moved My Firewall. Clinton Thomson Derivco (PTY) Ltd

About Firewall Protection

Application Note. Onsight Connect Network Requirements V6.1

Intro to Firewalls. Summary

Application Note Configuring the Synapse SB67070 SIP Gateway for Broadvox GO! SIP Trunking

THINKTEL COMMUNICATIONS CUDATEL PHONE SYSTEM 270. High Availability and SIP-TRUNK Configuration

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

Recommended IP Telephony Architecture

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Chapter 8 Security Pt 2

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

SIP Security Controllers. Product Overview

General Guidelines for SIP Trunking Installations

Acano solution. Third Party Call Control Guide. March E

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Serial Deployment Quick Start Guide

Secured Communications using Linphone & Flexisip

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Firewalls. Chapter 3

DKIM Enabled Two Factor Authenticated Secure Mail Client

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

Intrusion Detection Systems

NAT and Firewall Traversal with STUN / TURN / ICE

Security Policy Revision Date: 23 April 2009

Firewalls CSCI 454/554

Transcription:

Cullen Jennings fluffy@cisco.com July 2015 v9 1

A B 1. Outbound STUN request to well known STUN port (3478) Firewall creates 3-tuple pinhole for incoming and outgoing STUN message with matching username 2) STUN Res 1) STUN Req Firewall WebRTC Client 2. Inbound STUN response on 3 tuple + secret (Might use 5 tuple instead of 3) Firewall creates 5-tuple pinhole for this flow 3. Inbound STUN request on 3 tuple + secret Allowed out due to rule created by 1. It is same secret. Firewall stores 5-tuple with this STUN transaction ID 4. Outbound STUN response with matching username This triggers creation of 5-tuple pinhole for flow to B 5. Media flowing on 5-tuple to B Q. Could we track DTLS and SRTP sequence numbers in media 2

STUN packets are only allowed in if they know the crypto random username generated by a client inside the firewall Non STUN packets are only allowed in if they match a 5 tuple that a client inside the firewall sent a packet too Non STUN packets are only allowed out if the destination they are sending to did a stun consent handshake Issue : Once a valid 5 tuple is set up, an attacker outside the firewall could spoof the source address and send in a packet that would be forwarded (basically we are not checking sequence numbers of DTLS & SRTP in 5 tuple ). However, if this is only used for DTLS / SRTP, the client is going to discard the packet as invalid as long as we don t have problems in tls or libsrtp 3

4

1. UDP has been used by malware for a control channel 2. UDP has been used for DDoS attacks (DNS, NTP) 3. Encrypted Data Channel can be used to bring malware into the company 4. Encrypted Data Channel can be used to send files out of the company 5

The firewall looks for any outgoing STUN requests to STUN port (3478). When it finds one, it stores the 3 tuple of the source address port and protocol=udp and for the next 30 seconds checks any packets from this 3 tuple to see if they are ICE connectivity checks. When firewall sees an ICE connectivity check from the inside host (which is a STUN Binding Request containing the ice username), it stores that ice username value, and forwards the packet. Thereafter, STUN Binding Requests and Binding Responses with matching 4-tuple (inside IP address, protocol=udp, inside port, and matching ice username) are allowed in any direction (inside- >outside and outside->inside). For each 5-tuple, if a STUN Binding Request has a Success STUN Binding Response (with same transaction ID), in either direction, that 5-tuple is promoted to allow non-stun traffic (DTLS, SRTP, and anything else). Both promoted and non-promoted pinholes are closed after 30 seconds of not seeing a STUN Binding Request and Response transaction, in either direction. (Note to match the ice username external requests will need the halves on either side of : swapped) 6

STUN Server STUN Server Right firewall sees: 1. outbound STUN request and response to well known STUN port (msg 3, 4) NAT Firewall 5) STUN Req 6) STUN Req 7) STUN Res 8) Media Firewall NAT 2. outbound STUN request to IP of far NAT on random port (msg 5). Blocked by far firewall 3. inbound STUN request on same 4-tuple from step 2 followed by response from inside (msg 6,7). Note msg 5 and 6 are different Jabber Client Jabber Client 4. media on same 5-tuple as step 3 7

STUN Server Media Server 1. Outbound STUN request to well known STUN port (3478) Firewall creates 4-tuple pinhole for incoming and outgoing STUN message with matching username 2. Inbound STUN response on cone pinhole Firewall creates 5-tuple pinhole for flow to Stun server (but this is never used) 2) STUN Res 1) STUN Req Firewall NAT WebRTC Client 3. Outbound STUN request to Media server Allowed out due to rule created by 1. Firewall stores 5-tuple with this STUN transaction ID 4. Inbound STUN response with matching username Allowed in due to rule created by 1. This triggers creation of 5-tuple pinhole for flow to media server 5. Media flowing on 5-tuple to media server Note that is the Stun Server and Media Server are the same address, this still works the same way 8

In draft-ietf-rtcweb-transports-09, webrtc clients uses draft-ietf-httpbis-tunnelprotocol which uses HTTP connect to go thought proxy to TURN server. This defines the header that indicates support for doing this as optional so there is no way for the client to know that proxy is available to e used this way Video sent to a proxy not scaled for video makes a huge impact on performance Firewall vendors are asking what algorithm they can use to protect HTTPY proxies form unintended used for RTP relay Better to have consistent behavior than some of the things proposed. Current proposal : Any HTTP or HTTPS connection that sends more than 10 requests per second for longer than 10 seconds should be paused for 1 second 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information