![Authorization - group
25
example of usage: group module with SQL backend
loadmodule “group.so”
modparam("group", "db_url","mysql://openser:openserrw@localhost/openser")
....
if (method=="INVITE") {
if (uri=~"sip:00[1-9][0-9]+@.*") {
if (!is_user_in("From", "international")) {
sl_send_reply("403", "No permission for international calls");
exit;
}
}
}](https://image.slidesharecdn.com/2012-fosdem-kamailio-secure-141101121417-conversion-gate02/85/Kamailio-Secure-Communication-25-320.jpg)
Kamailio - Secure Communication
- 1. Kamailio SIP Server Secure Communication Daniel-Constantin Mierla www.kamailio.org www.asipto.com Co-Founder
- 3. History 3 2002 Jun 2005 Jul 2008 Aug 2008 Nov 2008 SIP Express Router (SER) OpenSER Kamailio Other Forks... Oct 2009 Jan 2010 Same application: Kamailio - SER v3.0.0 Integration Completed v1.5.0 Oct 2011 v3.1.0 Sep 2001 First Line Of Code Open Source GPL FhG Fokus Institute Berlin rename v3.2.0 Oct 2010 Awarded Best Open Source Networking Software 2009 By InfoWorld 10 Years
- 4. Kamailio & SER 4
- 5. State of the union 5 Internal architecture refactored for v3.0.0 − support asynchronous processing TCP and TLS SIP request handling − transaction management − internal libraries Right now • very stable core and main components ➡ toped with our well known scalability and flexibility • safe framework for future development ➡ your work (extensions and deployments) is safe from now on for many years - there is no need to change the architecture again • focus is on new features ➡ 3.x.x (and the next slides) show that Scalability (info from public domain) • services with millions of active subscribers ➡ 1&1 Germany (> 3M) • services routing billions of call minutes per month ➡ might be the guy next to you (or pay attention tomorrow)
- 6. 6
- 7. Features 7 SIP Application Server proxy, redirect, registrar, location IPv4-IPv6 Asynchronous UDP/TCP/TLS/SCTP DNS NAPTR & SRV DNS Failover and Load Balancing DNS Internal Cache Carrier Routing Dynamic Routng ENUM lookup support Advanced routing (Load Balancing and LCR) DID, Aliases & speeddial Multi-domain support LDAP/H.350 support Embedded HTTP Server Plug in module interface (over 150 mods) Small footprint Customizable routing policy Presence & IM Services End-to-End SIMPLE Server RCS - RCS-e Presence User Agent Resource Lists XCAP Client & Server MSRP Relay
- 8. Features NAT traversal Security permissions anti-DOS attacks User call preferences Call Processing Language 8 Embedded Lua, Perl Python, C# Java SIP Servlet programming interface Database API MySQL PostgreSQL SQLite UNIXODBC BERKELEYDB ORACLE Text files RADIUS No-SQL Memcached Redis Cassandra Gateway SMS XMPP Accounting through log file, database or Radius/DIAMETER servers Link any application to Kamailio using FIFO/UNIXSOCK/DATAGRAM/XMLRPC interfaces
- 9. New in 3.1.0 Flexibility Maintenance Performance Features 9 • Embedded Lua • Embedded Python • Extended preprocessor directive • #!define • #!subst • New variables • Interactive config debugger • step-by-step execution • execution trace • xlog enhan’s • print cfg line • k&s modules integration • Asynchronous TLS • UDP raw sockets • Multi-homed improvements • Load balancing • weight • call load • Traffic shaping • GeoIP API • Registration to remote servers • Reason header for Cancel • Embedded HTTP & XCAP servers • Cfg tree cashing & message queue systems
- 10. SIP Beyond VoIP - Presence Services APPLICATIONS XCAP SERVER XCAP_SERVER XCAP_CLIENT PUA_USRLOC PUA_MI PUA_XMPP PRESENCE_MWI PRESENCE_XML 10 MI MODS XMPP KAMAILIO CORE USRLOC PUA PRESENCE Kamailio modules PUA_DLGI DIALOG RLS P...E_PROFILE P...E_CONFERENCE P...E_DIALOGINFO
- 11. New in 3.2.0 - Oct 2011 11 RLS OMA specs split NOTIFY bodies XPath support within doc Reg-Info Implementation Embedded RFC3860 XCAP pub-sub service for location data server OMA - specs Presence Server If-Match cond data distribution across many instances through database Presence User Agent updates for latest RL services Many native extensions to Lua cfg routing logic all in Lua SQLite connector use file based database for embedded systems Distributed Message Queue Using SIP and Peer-to-Peer
- 12. New in 3.2.0 JSON JSONRPC 12 ipops module a set of operations for handling IPv4/IPv6 addresses async module run asynchronously parts of config file (route blocks) sdpops module SDP body management New features in old parts acc - write full CDR at once dialog - attach extra attributes core - more pre-processor directives pv - new variables and transformations tmx - export of async TM functions sqlops - support for xavps uac - enhancements to remote registration siptrace - traffic replication enhancements ..... IMS Extensions about 10 new modules (P-CSCF, I-CSCF, S-CSCF...) Redis No-SQL connector from config Partitioned user location service many nodes sharing location data
- 13. New in 3.2.0 http://www.kamailio.org/w/kamailio-openser-v3-2-0-release-notes/ 13 http://www.kamailio.org/wiki/features/new-in-3.2.x
- 14. New in devel (3.3.0) - 2012 before the summer 14 Enhancements to existing modules auth, auth_db rr, app_lua, tls, textops dialog, dialplan New in core - tls connections, fork delay, tcp buffer clone, socket workers, RPC commands New modules xhttp_rpc - execute RPC commands via HTTP presence_profile - get phone configuration via SIP Presence mechanisms app_mono - embedded execution of managed code (C#) db_cassandra - DB connector for Cassandra msrp - embedded MSRP relay tmrec - time based recurrence matching (RFC2445) http://www.kamailio.org/wiki/features/new-in-devel
- 15. Secure Communication Authorization and Confidentiality
- 16. Digest authentication 16 200 OK To: sip:alice@kamailio.org REGISTER To: sip:alice@kamailio.org Authorization: Digest username="alice", nc=00000001, cnonce="edfe", response="1f2d" 401 Unauthorized WWW-Authenticate: Digest realm=”kamailio.org", qop=auth, nonce="abcd" REGISTER To: sip:alice@kamailio.org
- 17. Auth Modules 17 auth common frame for authentication provides functionalities for auth challenge and nonce management functions to do authentication taking password from a script variable auth_db authentication check against database auth_radius authentication check against a RADIUS server auth_diameter authentication check against a DIAMETER server (alpha)
- 18. Auth modules – DB backend subscribers are stored in DB - table subscriber password may be store in plain text (insecure) or in a pre-computed format 18 (HA1) modparam("auth_db", "password_column", "password") versus modparam("auth_db", "calculate_ha1", 1) modparam("auth_db", "password_column", "ha1") authentication means checking the user profile (password) in DB and. in most scenarios, we need more than only the password: Kamailio provides a mechanism to configure a custom set of attributes to be loaded from DB during the authentication process advantage: reduce the number of DB hits modparam("auth_db", "load_credentials", "$avp(i:12)=rpid; $avp(i:14)=email_address")
- 19. Auth modules – DB backend 19 www_challenge(realm, qop) proxy_challenge(realm, qop) www_authorize(realm, table) proxy_authorize(realm, table)
- 20. Auth modules – DB backend 20 Manage users with kamctl: - add, remove, change password # kamctl add user@domain.com passwd
- 22. Authorization 22 AUTHENTICATION I know now who you are... AUTHORIZATION What are you allowed to do? access control list
- 23. Authorization help implementing authorization mechanisms it is very important to be fast and reliable, being the way to allow the access to resources in the system have in mind the provisioning system, ACL update should apply in real-time having a well-designed ACL system can be extended to be used as a user capability list 23 Kamailio capabilities for ACLs group membership binary acl string acl custom acl
- 24. Authorization - group 24 Manage users’ group ACL with kamctl: - grant, revoke, show # kamctl acl grant user@domain.com groupid
- 25. Authorization - group 25 example of usage: group module with SQL backend loadmodule “group.so” modparam("group", "db_url","mysql://openser:openserrw@localhost/openser") .... if (method=="INVITE") { if (uri=~"sip:00[1-9][0-9]+@.*") { if (!is_user_in("From", "international")) { sl_send_reply("403", "No permission for international calls"); exit; } } }
- 27. IP Auth - Config 27
- 28. IP Auth - Permissions - by address 28
- 30. TLS and Kamailio 30 Dependencies openssl, libssl openssl-dev, libssl-dev Completely re-factored since v3.0.0 scalability simplified installation flexible configuration (modparams or own config file) asynchronous communication Kamailio Config Requirementents compile and install TLS module load TLS module loadmodule "tls.so" enable tls in config disable_tls=0 listen=tls:10.0.0.1:5061 default config file -- add: #!define WITH_TLS
- 31. TLS Config 31 Config by module parameters set tls attributes via modparam tls method (sslv1, sslv2, tlsv1), ciphers list, certificates, timeouts, ...
- 32. TLS Config 32 Config by .ini-like file dedicated file which can contain tls attributes can include config for more than one server can include config specific for clients
- 33. TLS module 33
- 34. TLS Routing with Kamailio Nothing special to do when destination address is over TLS t_relay() detects the destination transport layer and uses appropriate outgoing socket 34 Dedicated functions to enforce TLS transport layer t_relay_to_tls(address, port); t_relay_to(“tls:address:port); Checking if request was coming via TLS if(proto==TLS) { ... } Checking if the request is going out via TLS in: onsend_route { ... if($snd(proto)==3 { ...} ... }
- 35. Out there 35 TLS Tutorial - The README for TLS Module http://kamailio.org/docs/modules/stable/modules/tls.html GREEN VoIP Research Project at Columbia University http://www.kamailio.org/w/2011/05/green-voip-energy-efficiency-and-performaces-of-v3-0/
- 36. Security Flood detection Brute force attacks
- 37. DoS Attacks misconfigurations (e.g., too low max expire time) • bandwidth • cpu • memory 37 involuntary attacks client side broken clients server side malicious attacks primary for attacker benefits get access to the host and call for free primary for damages on target consume resources on target
- 38. 38 Pike PIKE module keeps track of all or selected incoming request's IP source blocks the ones that exceeded the threshold support for IPv4 and IPv6 addresses use it at top of your cofig file initial checks no internal actions for blocking reports that the there is an high traffic from an IP is the administrator decision in the config file drop silently send stateless reply
- 39. Pike Config 39
- 40. Brute force attack 40 HTABLE module generic cache system track failed authentication forbid new attempts if a threshold is reached in a certain period of time - 3 failed authentication in a raw, block for 15min send alerts to admin, etc. example with registrations prevent discovery of user passwords detect mistyped passwords
- 41. Brute force attack 41
- 42. Out there 42 Online Tutorial Scanning Attacks => IP Banning block rule in config block rule in firewall - fail2ban (friendly scanner anyone?!?!) http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
- 44. Topology hiding 44 goals hide sensitive IP addresses contact header Via stack Record-Route and Route stacks design stateless processing no track of transactions or dialogs distributed processing encoding/decoding can be done by different servers transparent processing config writer should not care about topology hiding everything is in clear while config processing
- 45. Topology hiding 45 TOPOH module secret key to encode/decode encoded fields are SIP grammar valid encoding IP and prefixes can be set via parameters survive restarts no functions to be called in config file everything is done automatically hooks in core after receiving and before sending just load the module and adjust parameters use it with a media relay to hide the source of media traffic
- 46. Topology hiding - config file 46 ... loadmodule "topoh.so" ... # ----- topoh params ----- modparam("topoh", "mask_key", "my secret here") modparam("topoh", "mask_ip", "10.1.1.10") ...
- 47. Topology hiding - INVITE in U 2011/02/18 20:09:05.622472 192.168.178.27:40416 -> 192.168.178.26:5060 INVITE sip:101@192.168.178.26 SIP/2.0. Via: SIP/2.0/UDP 192.168.178.27:40416;branch=z9hG4bK321149767. From: "105" <sip:105@192.168.178.26>;tag=166646806. To: <sip:101@192.168.178.26>. Call-ID: 989804978-40416-6@BJC.BGI.BHI.CH. CSeq: 50 INVITE. Contact: "105" <sip:105@192.168.178.27:40416>. Max-Forwards: 70. User-Agent: Grandstream GXV3140 1.0.7.3. Privacy: none. P-Preferred-Identity: "105" <sip:105@192.168.178.26>. Supported: replaces, path, timer. Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE. Content-Type: application/sdp. Accept: application/sdp, application/dtmf-relay. Content-Length: 483. . 47
- 48. Topology hiding - INVITE out U 2011/02/18 20:09:05.628883 192.168.178.26:5060 -> 192.168.178.22:1056 INVITE sip:101@192.168.178.22:1056;line=mu3z2i1j SIP/2.0. Record-Route: <sip:192.168.178.26;lr=on>. Via: SIP/2.0/UDP 192.168.178.26;branch=z9hG4bK8d21.062561f6.0. Via: SIP/2.0/UDP 10.1.1.10;branch=z9hG4bKsr- JfymiMenCtp4urS5CX1ZiHvRItc.TM5nCHOBT6SfCXN94v5pswyRIRDZN80HU6gBI8LqTwDiCMe.CXm0TMNP . From: "105" <sip:105@192.168.178.26>;tag=166646806. To: <sip:101@192.168.178.26>. Call-ID: 989804978-40416-6@BJC.BGI.BHI.CH. CSeq: 50 INVITE. Contact: "105" <sip:10.1.1.10;line=sr-ORylIHvlTJS.IXenCXNciHvPItcZTMWfC6m.T5**>. Max-Forwards: 69. User-Agent: Grandstream GXV3140 1.0.7.3. Privacy: none. P-Preferred-Identity: "105" <sip:105@192.168.178.26>. Supported: replaces, path, timer. Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE. Content-Type: application/sdp. Accept: application/sdp, application/dtmf-relay. Content-Length: 483. . 48
- 49. 49 Questions? Contact •Daniel-Constantin Mierla •twitter: miconda •http://linkedin.com/in/miconda •daniel@asipto.com •http://www.asipto.com •http://www.kamailio.org