Enabling Inspection Settings on SIP

Inspection Settings add more than 80 protections and VoIP settings. It protects against malicious attacks by:

• Identifying attack signatures
• Identifying packets with protocol anomalies
• Ensuring RFC compliance
• Inspecting signaling protocols, verifying header formats and protocol call flow state

As part of Inspection Settings, VoIP protections can be:

• Enforced for different gateways using Inspection Setting profiles
• Monitored using Detect Mode

With Inspection Settings you can:

• Generate detailed logs with packet captures on VoIP security events
• Configure granular VoIP security for maximum flexibility in deployment and enforcement
• Add exceptions to specified VoIP protections

  For example, if you add an exception that allows non-RFC compliant SIP traffic on a specified VoIP server, security is not compromised for all other VoIP traffic.

Inspection Settings can be configured for each profile and can be:

• Prevent
• Detect
• Inactive

Configuring SIP Protections

To configure Inspection Settings:

1. In the Manage & Settings tab, go to Blades > General, select Inspection Settings.

   The Inspection Settings window opens.

2. From the General tab, in the search window, enter SIP protections.

   The SIP Protections service shows. Double-click the service. A window opens.

3. Double-click on the Inspection Profile of your choice. Select Advanced.
4. Check the boxes to enable the protections that you want.
5. Click OK.

Note - We strongly recommended that you enable Strict SIP Protocol Flow Enforcement.

To enable Strict SIP Protocol Flow Enforcement:

1. In the Manage & Settings tab, go to Blades > General, select Inspection Settings.

   The Inspection Settings window opens.

2. From the General tab, in the search window, enter Strict SIP Protocol Flow Enforcement.
3. Double-click on the Inspection Profile of your choice.
4. Select Override with Action > Accept.
5. Click OK.

Configuring SIP Application Policy

Specified VoIP services can be blocked if the services:

• Consume more bandwidth than the IP infrastructure can support
• Do not comply with the organization's security policy

To configure Application Policy:

1. In the Manage & Settings tab, go to Blades > General, select Inspection Settings.

   The Inspection Settings window opens.

2. From the General tab, in the search window, enter SIP.

   A list of Settings options shows.

3. Double-click the settings you want to configure.
4. Click OK.

Notes:

• Application Policy options are not intended to protect against attacks.
• Logging settings for each protection are configured for each profile.

Configuring SIP Protocol Anomaly Protection

A protocol anomaly is a field name or value in the protocol header that is RFC compliant, but deviates from usual use.

For example, the presentation of a field value which contains hundreds of characters, where normally, fewer than ten characters is usual. This is an anomaly.

If a protocol anomaly is found in the VoIP packet, this is a good indication that the VoIP network is being attacked.

RFC 3261 section 6, has rules for the structure of SIP headers:

• SIP messages are made up of a header and a body
• A header is structured as a sequence of header fields
• A header field can show as one or more header field rows
• Each header field:
  • Consists of a field name
  • Is followed by a colon (:) and zero or more field values, field-name:field-value
• Multiple header field values on a given header field row are separated by commas
• Some header fields can only have a one header field value, and show as a single header field row

Protocol anomalies can result in buffer overflow conditions, parser errors, and malformed packets. Protocol anomalies in SIP messages make SIP applications vulnerable to attacks that send repeated, huge quantities of fraudulent data. The data that eventually overwhelms the server.

For example, many buffer-overflow attacks send repeated, large headers to the VoIP phone. Buffer overflow conditions can also result in arbitrary code execution.

Stateful and Stateless protocol validation is done on SIP headers. SIP messages with header values that do not match correct usage are blocked.

To configure Protocol Anomaly Protection:

1. In the Manage & Settings tab, go to Blades > General, select Inspection Settings.

   The Inspection Settings window opens.

2. From the General tab, in the search window, enter SIP.
3. A list of Settings options shows.
4. Double-click the settings you want to configure.
5. Click OK.

There are two header security protections found in the main Protocol Anomaly protection.

• General Header Security

  In the general SIP header and not in specified header fields

• Specific Header Security

  In specific SIP header fields

Configuring SIP Engine Settings

To configure Engine Settings:

1. In the Manage & Settings tab, go to Blades > General, select Inspection Settings.

   The Inspection Settings window opens.

2. From the General tab, in the search window, enter SIP - General Settings.

   The SIP - General Settings window opens.

3. Select Advanced and configure the fields.
4. Click OK.

Fields

• Timeout Configuration
  • Default registration expiration timeout

    This determines how long endpoint registration information is kept in the database if a timeout is not specified in a registration message.

    • The time period must be greater than or equal to the registration time period of the endpoint or the proxy.
    • The default registration expiration period is 3600 seconds.

    If the endpoint does not send a user registration message in this period, registration information is deleted from the database.

  SIP signaling idle timeout when RTP/RTCP traffic does not pass via the gateway

  • This determines the maximum allowed time period between one SIP signaling message and the next. This includes scenarios where Dynamic Pinholing is disabled, or for calls between two external endpoints or two internal endpoints.
  • The default idle period is 3600 seconds.
• NAT Configuration
  • Hide NAT changes source port for SIP over UDP

  If you check this option when you use Hide NAT, the gateway is configured to translate the IP address and source port of SIP endpoints.

  If this option in not checked, the gateway uses Hide NAT only on the IP address of the SIP endpoint phones. You must enable this option in environments where:

  • The gateway is configured to use Hide NAT on the internal endpoint IP addresses
  • The SIP server can register only one endpoint with a given IP address and port combination. For example, if the server is a Cisco Unified communications Manager.

  Note - To register all internal phones successfully on the server, the source port of the REGISTER message sent by the phone must be the same as the port in the Contact header of the REGISTER message. In Cisco IP Phones, for example, this is done by selecting the NAT Enabled option.

For more information, see SIP service on a non-default port.

• Extension Length
  • Assume VoIP network uses extension length

    The gateway can be configured to:

    • Support short extension numbers for SIP
    • Identify a shortened name as belonging to an already registered endpoint

  Endpoints register with the SIP server using their full name (usually a number). Calls to and from endpoints are made using a short extension name, such as a suffix of the full name.

  The length of the extension name is configurable.

  For example, If the full name of an endpoint registered with the SIP server is 987654321@example.com, the configured extension length is 4. The gateway can associate calls to or from 4321@example.com instead of the longer extension number.

• Dynamic Pinholing
  • Block dynamic opening of ports for SIP media channel

    This prevents SIP media channels from opening. A Security Gateway dynamically opens ports for the VoIP media channel based on the data in the signaling connection. Do not select this option if the SIP media channel passes through the gateway.

  • Block dynamic opening of ports for Push to Talk Over Cellular