Manuals / AudioControl / Computer Equipment / Network Router

AudioControl VERSION 6.2 manual Data Security

Models: VERSION 6.2

1 178

Download 178 pages 57.24 Kb

Page 132

2.4.3Data Security

CPE SIP Products

2.4.3Data Security

The device supports the following new data security features:

1.Zero Configuration Firewall wizard with three security levels:

•Minimum (Inbound and Outbound policies set to ‘Accept’)

•Typical (Inbound policy set to ‘Reject’; Outbound Policy to ‘Accept’)

•Maximum (only selected applications are allowed in Outbound policy)

2.Access Control for pinpoint security policy.

3.Extensive list of ALG-modules combined with SPI for error-free configuration and maximum security.

4.Port-forwarding and DMZ support for local applications and hosts.

5.Website Restriction allows static URL-based blocking of public/extranet websites.

6.Advanced Filtering allows full control on Inbound/Outbound Rules per interface/device.

7.Site-to-Site VPN:

•Supports two IPSec use-cases:

♦Site-to-Site (Gateway-to-Gateway) VPN

♦Teleworker (User-to-Gateway) VPN

•Fully compliant with IPSec RFCs:

♦RFC 2401 - Security Architecture for IP

♦RFC 2402 - IP Authentication Header

♦RFC 2406 – ESP

♦RFC 2403 and RFC 2404 for Authentication

8.PPTP/L2TP Client-Server VPN:

•Supports two VPN use-cases:

♦Server support for remote Teleworker VPN access

♦Client-to-Gateway support with PPTP/L2TP

•Point-to-Point Tunneling Protocol - RFC 2637

•Layer Two Tunneling Protocol - RFC 2661 (with L2TP/IPSec)

•Support all WiN OS versions as well as Linux

9.DoS and IDS/IPS:

•Denial of Service (DoS) protection: TCP RST, Ping Flood, ICMP Echo storm, UDP snork attack, ICMP Smurf, UDP fraggle and more

•IP spoofing attacks: FTP bounce, Broadcast/multicast source IP attack

•Intrusion and scanning attacks:

♦IP source route, ICMP Echo reply without request, ICMP Ping sweep, TCP Stealth

♦Scan (FIN, XMAS, NULL), UDP port, FTP passive attack, loopback/Echo chargen, Block security hazard ICMP messages

•IP fragment overlap, Ping of Death, Fragmentation attacks and more

SIP Release Notes

132

Document #: LTRT-26901

Image 132

AudioControl VERSION 6.2 manual Data Security

Contents

Multi‐Service Business Gateways SIP CPE Release NotesVersion MediaPackTM Media Gateways MediantTM Media GatewaysPage Table of Contents 1 Whats New in Release1.13 List of Tables Reader’s Notes CPE SIP ProductsSIP Release Notes Document # LTRT-26901Trademarks WEEE EU DirectiveCustomer Support Abbreviations and TerminologyRelated Documentation Document Name1 Whats New in Release 1.1 Supported Hardware Platforms 1.1.1 New Hardware Platforms1.1.1.1 MediaPack 1.1.1.2 Mediant1.1.1.4 Mediant 1.1.1.5 Mediant 1000 MSBG1.1.1.6 Mediant 1.1.1.7 Mediant1.1.2 Existing Hardware Platforms 1.1.2.1 MediaPack1.1.2.2 Mediant 1.1.2.3 Mediant 800 MSBG SIP Release Notes1. Whats New in Release Version1.1.2.4 Mediant 1000 MSBG CPE SIP ProductsSIP Release Notes Document # LTRT-269011.1.2.4.1 Module Hardware Revision Compatibility List Item NoDescription H/W Revision1.1.2.5 Mediant 1.1.2.6 MediantItem No Description1.1.3 Hardware Platforms Not Supported 1.1.2.7 Mediant1.2 SIP New Features 1.2.1 SIP General New Features1. Maximum SIP Message Size 2. Time Limit for Receipt of SIP Messages3. SDP Offer/Answer Negotiation upon Modified Session 4. SIP Secure Connection Vulnerability Securing memory resourcesSIP Vulnerabilities TCP maximum message length is dictated5. Transcoding Mode for SBC and IP-to-IP Applications 6. Proxy Redundancy Mode per Proxy Set7. SIP Authorization Header in Initial Registration Request 9. CRLF Keep-Alive Mode 8. SIP Route Header in Initial Registration Request10. Increase in SIP Configuration Tables 11. Increase in SIP Media Realm Table12. Increased Characters for Request-URI Host Name per IP Group 13. Destination SRD in Tel-to-IP Routing TablePage 1.2.2 SIP Gateway New Features 1. Microsoft’s Wideband Real-Time RTAudio Codec Support2. Transparent Codec Packetization Time 3. Adapting Comfort Noise to Remote Party 4. Hotline Duration per Port for Automatic Dialing6. Channel Select Mode for Ringing Hunt Group 5. Distinctive Ringing per FXS Based on Destination Number7. Increase in Characters for Endpoint Phone Number ForwardOnBusyTrunkDest 1 = 2, 112@10.13.4.125060transport=tcp9. Flash-Hook with Digit Sequence 10. On-Board, Three-Way Conferencing11. High Definition Three-Way Conferencing 12. SIP Proprietary Header for Call QoS Statistics13. GRUU Support According to RFC X-RTP-Stat PS=207OS=49680PR=314OR=50240PL=0JI=600LA=4014. Sending/Receiving IP Calls to/from Trusted IP Addresses 15. Trunk Re-Registration upon Return to Service 16. Maximum Simultaneous TLS Connections18. Enhanced IP-to-Tel Number Manipulation 19. RTCP XR Voice Quality Monitoring 20. T.38 SDP T38MaxBitRate Negotiation21. New Range and Defaults for T.38 Fax Maximum Buffer Size 22. New Range and Defaults for T.38 Fax Maximum Datagram Size23. Fax Transmission behind NAT 24. Euro-ISDN Message Waiting Indication MWI for IP-to-Tel Calls25. B-Channel Off-Hook Cut-Through 26. Sending and Receiving RTP Packets without SIP Messages27. Pre-emption of IP-to-Tel E911 Emergency Calls 28. Combined Support for Digit Map and External Dial Plan File29. Multi-AMD Sensitivity Table 30. Answer Machine Detector AMD per Call31. Additional VXML Script Attributes for Invoking VXML Scripts 32. Activating VXML Script on Receipt of Regular INVITE33. Enhanced ISDN BRI Support 34. Registration Status Display for BRI Endpoints35. BRI Call Forwarding Supplementary Service 36. BRI Suspend-Resume Supplementary Service 37. Attended Call Transfer for BRI Interfaces38. MWI for BRI Interfaces 39. Keypad Protocol for DTMF Digits According to ETS 30040. Interworking Date/Time between SIP and Euro-ISDN 41. Interworking ISDN Offhook IE to SIP INVITE42. Redirect Number Overwritten by Destination Number for IP-to-Tel Calls 44. Manipulation of Redirect Reason for Tel-to IP Calls 45. UC Namespace for MLPP Calls46. Response to SIP OPTIONS only if Trunk Group 1 is Available 47. ISDN Facility IE Trace1.2.3 SIP SAS New Features 1. Blocking Incoming Calls from Unregistered SAS Users2. Maximum Registered SAS Users 3. SAS Normal Mode Routing Enhancement 4. SAS Manipulation on INVITE Requests1.3 Session Border Controller New Features 1. SBC Support by Mediant2. Maximum Registered SBC Users 3. Maximum Registered SBC Users4. SBC Registration Timers 5. IP Alert Timeout to SBC Outgoing INVITE Message6. Max-Forwards SIP Header Size 9. SIP-Dialog Rate Control CPE SIP Products 10. Mediation without Transcoding11. Interworking SIP Diversion and History-Info Headers Parameter ValueParameter Value History-Info12. GRUU Support According to RFC Public-GRUU sipuserA@domain.comgr=unique-idCPE SIP Products 13. New IP Group Type “GATEWAY”SIP Release Notes Document # LTRT-2690114. Minimum Session Expires SIP Min-SE Header 15. Multiple RTP Media Streams per Call Session16. General SBC Configuration Enghancements 1.4 Media New Features 1. Media Packet Forwarding2. V.34 Fax Relay over T.38 Version 3. G.722 Codec Support 4. Wideband AMR Codec Support1.5 PSTN New Features 2. Implicit Mode for Explicit Call Transfer ECT1. E1/T1 PSTN Interface 3. T310 Timer Configuration for ISDN Variant NI2 4. Removing Validation Check of UUIE Data1.6 Networking New Features 1. ARIA Encryption Algorithm for TLS2. VoIP Firewall 3. VoIP Firewall per Network Interface 4. LAN Port Monitoring5. Default Gateway per IP Interface 6. Static Routing Table Enhancements7. Increase in Maximum Call Control/Media Interfaces 8. Remote GARP Detection of Media Streams VoIP9. Internet Protocol Version 6 IPv6 Support 1.7 Data-Router New Features 1. Dual WAN over T1 Interface Ports2. BER Test for T1 WAN Interface 4. WAN Ethernet Port Settings Speed and Duplex Mode 3. Local-line Loopback on T1 WAN Interface5. IPSec Crypto CLI 6. Ethernet in the First Mile EFM for SHDSL WAN Interface 7. Virtual Routing and Forwarding VRF Lite1.8 Security New Features 1. ARIA Encryption Algorithm for SRTP1.9 Infrastructure New Features 1. Enhanced Syslog Message Management using Facility Levels2. Power over Ethernet PoE Port Status 1.10 Management and Provisioning New Features 1.10.1 Web New Features1. New Web Navigation Tree 2. Management Web Pages Re-design3. Reorganization of SIP Menus in Web Navigation Tree 4. Home Page Display of Device State1.10.2 SNMP New Features 1. ini File Configuration through SNMP2. Engine ID Configuration 1.10.3 CLI New Features 1. Main CLI Configuration Modes2. CLI show Command 1.10.4 SSH New Features 2. Maximum SSH Login Attempts1. RSA-2048 Public-Key Encryption for SSH 3. SSH Last Login 4. Maximum Simultaneous SSH Sessions1.10.5 Utilities New Features 1. Running DConvert from Command Line1.11 New Parameters 1.11.1 SIP New Parameters1.11.1.1 SIP General Parameters Table 1-3 New SIP General Parameters for ReleaseRTP media using Static NAT Rules. This table creates NAT rules for ParameterDescription Static NAT Table1.11.1.2 SIP Gateway Parameters EmptyAuthorizationHeadTable 1-4 New SIP Gateway Parameters for Release ParameterEnableSDPVersionNegoti ParameterDescription ationRTP-Only Mode ParameterDescription QoSStatisticsAMDDetectionSensitivityHighResolution parameter ParameterDescription RTPOnlyModeForTrunkICRLF Keep-Alive Mode Parameters VQMonEnableVQMonDelayTHR ParameterDisableRTCPRandomize ParameterDescription VQMonEOCRValTHR1.11.1.3 SIP SAS Parameters ParameterDescription Cut Through Parameters1.11.2 SBC New Parameters SBCAlertTimeoutTable 1-6 New SBC Parameters for Release ParameterSBC Registration Timers ParameterDescription SBCUserRegistrationTime1.11.3 Media New Parameters NoOpEnable and NoOpInterval parametersTable 1-7 New Media Parameters for Release Parameter1.11.4 PSTN New Parameters Tel2IPDefaultRedirectReasonTable 1-8 New PSTN Parameters for Release ParameterParameter DescriptionSuppServCodeCFB SuppServCodeCFBDeactBRI Supplementary Services Table CPE SIP ProductsParameter Description1.11.5 Networking New Parameters SSHMaxLoginAttemptsSSHEnableLastLoginMessage Table 1-9 New Networking Parameters for ReleaseCPE SIP Products ParameterDescription StaticRouteTable1.11.6 Management and Provisioning New Parameters Table 1-10 New Management and Provisioning Parameter for ReleaseParameter Description1.12 Modified Parameters 1.12.1 SIP Parameters1.12.1.1 SIP General Parameters Table 1-11 Modified SIP General Parameters for ReleaseProxyRedundancyMode applies default ParameterDescription Modifications1.12.1.2 SIP Gateway Parameters ParameterDescription PrefixTrunk Group Settings Table TrunkGroupSettingsParameter DescriptionParameter DescriptionModifications IPProfileParameter DescriptionFlashKeysSequenceStyle 3WayConferenceMode is set toParameter Descriptionthe parameter MaxInBoardConferenceCalls T38FaxMaxBufferSizeMLPPDefaultNamespace ParameterDescription VoiceMailInterfaceParameter DescriptionFor IP-to-ISDN calls 1.12.1.3 SIP SAS Parameters Table 1-13 Modified SIP SAS Parameters for ReleaseParameter Description1.12.2 SBC Parameters Table 1-14 Modified SBC Parameter for ReleaseParameter Description1.12.3 Networking Parameters AccessListTable 1-15 Modified Networking Parameter for Release Parameter1.13 Obsolete Parameters AMDSensitivityResolutionAMDDetectionSensitivityHighResolution EnableStandardSIDPayloadType2 Supported Features 2.1 SIP Gateway Features2.1.1 Supported SIP Features DTMF out-of-band transfer using Table 2-1 Supported IETF RFC’sRFC Number RFC TitleInterworking of ISDN overlap signalling to SIP RFC NumberRFC Title RFC 4497 orObtaining and Using Globally Routable User Agent UA URIs GRUU in SIP Signaled Telephony Events in the Session Initiation Protocolsignaled-digits-01 SIP Package for Voice Quality Reporting Event, using SIP PUBLISH2.1.2 SIP Compliance Tables 2.1.2.1 SIP Functions2.1.2.2 SIP Methods Table 2-2 Supported SIP Functions2.1.2.3 SIP Headers Table 2-4 Supported SIP HeadersHeader Field Supported2. Supported Features SIP Release NotesHeader Field Supported2.1.2.4 SDP Headers 2.1.2.5 SIP ResponsesTable 2-5 Supported SDP Headers SDP Header Element2.1.2.5.1 1xx Response - Information Responses 2.1.2.5.22xx Response - Successful Responses 2.1.2.5.3 3xx Response - Redirection Responses2.1.2.5.4 4xx Response - Client Failure Responses Table 2-9 Supported 4xx SIP Responses4xx Response Supported2. Supported Features SIP Release Notes4xx Response Supported2.1.2.5.5 5xx Response - Server Failure Responses2.1.2.5.6 6xx Response - Global Responses2.2 Supported PSTN-SIP Interworking Features Configurable channel-select mode per trunk group 2.3 Supported IP Media Features 2.4 Supported Data-Router Features 2.4.1 LAN Switching2.4.2 Routing Mediant 800 MSBGUp to 8 IP interfaces for EFM/2Base-TL 2.4.3 Data Security 2.4.4 Supported RFCs IP/RoutingIPSec 2.5 DSP Firmware Templates Voice Codecs 2.5.1 MediaPackDefault SRTP Enabled2.5.2 Mediant 600 and Mediant Default SettingsInterfaces DSP TemplateDefault SettingsFeatures FeaturesAssembly Slot Number Default Settings0 or 1 or2.5.3 Mediant 800 MSBG Table 2-16 DSP Firmware CapabilitiesNumber of Advanced DSP Capabilities2.5.4 Mediant 1000 MSBG Default Settings0, 1, 2, 4, 5 10, 11, 12, 14,15Default SettingsFeatures FeaturesAssembly Slot Number Default SettingsTable 2-19 DSP Firmware Templates for Mediant 1000 MSBG MPM Module 0 or2.5.5 Mediant Default SettingTable 2-20 DSP Firmware Templates for Mediant DSP Template2.5.6 Mediant DSP TemplateSupplementary Capabilities Number of ChannelsTable 2-22 DSP Firmware Templates for Mediant 3000 16E1/21T1 DSP TemplateSupplementary Capabilities Number of Channels2.5.6.1 DSP Template Mix Feature for Mediant Table 2-23 Template Mix Feature Channel CapacityDSP Template Mix Number of ChannelsReader’s Notes CPE SIP ProductsSIP Release Notes Document # LTRT-269013 Known Constraints 3.1 SIP ConstraintsNote for Mediant 1000 MSBG Note for MediantThe following SIP Methods are omitted by the IP-to-IP application 3.2 Media Constraints 3. The Transparent coder RFC 4040 poses the following limitations 6. Announcements and streaming cannot be performed on IP-to-IP wideband calls 12. 30 msec RTP frames using the EG.711 coder is not supported 3.3 PSTN Constraints 3.3.1 DS3 Constraints 3.3.2 SDH Constraints 3.3.3 SS7 Constraints CPE SIP ProductsSIP Release Notes Document # LTRT-26901SS7 and UAL configuration must be the same on devices that share the same Point Code 3.4 IP Media Constraints 6. The Regular Expression Digitmaps MSCML feature is not supported 3.5 Networking Constraints 3.6 Security Constraints 3.7 High Availability Constraints 3. During HA switchover, the APS active interface status e.g., PSTN-B is currently “Active” and PSTN-A is “Inactive” is not transferred to the redundant blade. As a result, if the PSTN-B interface was active before switchover, PSTN-A can be active after switchover. The information regarding which interface is active is not maintained after switchover 3.8 Infrastructure Constraints WebLogoText 3.9 Management Constraints 3.9.1 Web Constraints4. The Web Search feature may produce incorrect search results. For example, a search result for the TLS version parameter directs the user to the incorrect page instead of the Security Settings page under the System menu 8. A monitoring-only Web user “User Monitor” is a read-only user that cannot perform any configuration or actions. However, some of the action buttons such as Burn and Submit are not disabled when in this mode. Note that clicking these buttons results in an error message, and the action will not be performed 12. On the Software Upgrade Wizard page, the software upgrade process must be completed prior to clicking the Back button. Clicking the Back button before the wizard completes causes a display distortion 16. On some SS7 Web pages, all available buttons become visible for a split second while the page is loaded, even though they should not appear 3.9.2 SNMP Constraints 6. The dsx3Total Table is not supported 8. The Admin State does not change to “Redundant” 3.9.3 CLI Constraints 4 Resolved Constraints 4.1 SIP Resolved Constraints4.2 Web Resolved Constraints Reader’s Notes SIP Release Notes4. Resolved Constraints VersionRelease Notes Ver