Mod06_GL_Sec

The document outlines security measures for the OpenScape Session Border Controller, including SNMP configuration, password policies, and denial of service mitigation strategies. It details specific steps to enhance system security, such as changing default community names and enforcing password strength. The content is intended for users familiar with OpenScape Solutions and estimates a time commitment of approximately four hours for implementation.

Security

Content

Preface . . . 3
1 Securing the OpenScape Session Border Controller . . . 5
1.1 Changing the SNMP Community Name . . . 5
1.2 Password policy . . . 6
1.3 Password Aging . . . 9
1.4 Used IP Ports . . . 11
1.5 Firewall . . . 13
1.6 Denial of Service Thresholds . . . 17
1.7 Denial of Service Mitigation . . . 18
1.8 SIP Message Rate Limiting . . . 19
1.8.1 Monitoring . . . 20
1.9 Unauthorized / Unknown User blocking . . . 22
1.10 Registration Throttling . . . 24
1.11 Restrict access to certain User Agents . . . 25
2 TLS and Payload Encryption . . . 27
2.1 Motivation . . . 27
2.2 Transport Layer Security (TLS) . . . 27
2.3 Sample connection call flow . . . 30
2.4 TLS Certificates . . . 32
2.5 OSV TLS Certificates . . . 33
2.6 TLS Provisioning . . . 35
2.6.1 PKI on OpenScape Voice . . . 36
2.6.2 PKI on OpenScape SBC . . . 37
2.6.3 Changing the OSV connection to MTLS . . . 41
2.7 Multiple PKI Environment . . . 43
2.8 Subscriber TLS Configuration . . . 44
2.8.1 Enforce TLS for Subscriber . . . 46
2.8.2 Publish Certificates to the Phone . . . 49

01.2018
© Unify Software and Solutions GmbH & Co. KG 2018 All rights reserved
FN9850FN10FN_TBAZZZAIMHY
Preface

Content of Module • The following sections describe the security implementation. Topics are:
• Securing the SBC (Firewall, Password, etc.)
• Denial of Service (DoS) Mitigation
• TLS secured communication

Objectives • All required steps to improve system security.

Prerequisites • Knowledge of OpenScape Solutions.

Time • approx. 4 hours (including import of certificates - no generation)
1 Securing the OpenScape Session Border Controller

Securing the operating system involves setting and verifying the SNMP, IPsec, TLS signaling, firewall, password and Denial of Service parameters and functions.

1.1 Changing the SNMP Community Name

SNMPv1 and SNMPv2 use the notion of communities to establish trust between managers and agents. Community names are essentially passwords. A community name allows a level of access to MIB data. Access levels are read-only (RO) for data retrieval and read-write (RW) for data modification. Thus an SNMP manager requires at least two community names or passwords.

The OpenScape Session Border Controller sets both the RO and the RW community name to "public" by default. It is very important to change these default values at the time of installation, as they are well known to the general public.

Please note: SNMP community names are sent in clear text unless SNMP is used over a security protocol; community names alone therefore do not provide a very high level of security.

The SNMP community names are stored in the file /etc/snmp/snmpd.conf, which must not be edited manually. The community names have to be configured via the graphical GUI. After logging in to the OpenScape SBC Manager, navigate to „Alarms --> SNMP Configuration“:

SNMP v2c Read-Only Community Name - Its length must be at least 1 character and may not exceed 32 characters.
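A configuration audit for the points made above (default "public" names, the 1 to 32 character limit), written as an added example and not Unify's code. It assumes the SBC's snmpd.conf uses the standard net-snmp directives (rocommunity, rwcommunity, com2sec); the sample fragments are constructed.

```python
"""Audit an snmpd.conf for default or malformed SNMP community names (added example, not Unify code)."""
import re

DEFAULT_COMMUNITY = "public"   # factory value for both RO and RW on the SBC
MIN_LEN, MAX_LEN = 1, 32       # limits the SBC Manager applies to a v2c community name

# Assumption: the SBC's snmpd.conf uses the net-snmp directives
#   rocommunity NAME [SOURCE [OID]]  /  rwcommunity NAME [SOURCE [OID]]  (and the ...6 variants)
#   com2sec SECNAME SOURCE COMMUNITY
RO_RW = re.compile(r"^\s*(rocommunity|rwcommunity)6?\s+(\S+)", re.IGNORECASE)
COM2SEC = re.compile(r"^\s*com2sec6?\s+\S+\s+\S+\s+(\S+)", re.IGNORECASE)


def extract_communities(conf_text):
    """List of (access, community) pairs; access is 'RO', 'RW' or 'com2sec'."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]            # drop comments
        m = RO_RW.match(line)
        if m:
            access = "RO" if m.group(1).lower() == "rocommunity" else "RW"
            found.append((access, m.group(2)))
            continue
        m = COM2SEC.match(line)
        if m:
            found.append(("com2sec", m.group(1)))
    return found


def community_findings(conf_text):
    """One line per problem; an empty list means the checks from this section pass."""
    findings = []
    names = {}
    for access, name in extract_communities(conf_text):
        if name.lower() == DEFAULT_COMMUNITY:
            findings.append(f"{access}: default community '{name}' still in use")
        if not MIN_LEN <= len(name) <= MAX_LEN:
            findings.append(f"{access}: community length {len(name)} outside {MIN_LEN}-{MAX_LEN}")
        names.setdefault(name, set()).add(access)
    # Added check: the module expects distinct RO and RW names; one shared name grants both.
    for name, accesses in names.items():
        if {"RO", "RW"} <= accesses:
            findings.append(f"RO and RW share the same community '{name}'")
    return findings


# Constructed snmpd.conf fragments (not taken from a real system)
FACTORY_CONF = "rocommunity public\nrwcommunity public\n"
HARDENED_CONF = ("# constructed example\n"
                 "rocommunity m0n-R0-7Xq2v  192.0.2.0/24\n"
                 "rwcommunity adm-RW-9Lp4k  192.0.2.10\n")
```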
1.2 Password policy

Password rules are globally enforced using the custom PAM module pam_passwdqc.so. This module checks password strength for PAM-aware password changing programs, such as passwd. In addition to checking regular passwords, it offers support for password history and pass phrases, and can provide randomly generated passwords. All features are optional and can be reconfigured without rebuilding.

The password rules and aging management can be modified via the file /etc/pam.d/common-password. A number of supported parameters can be used to modify the behavior of pam_passwdqc (see the parameter description below):

#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.
#
password requisite pam_passwdqc.so min=disabled,disabled,disabled,8,8 max=40 passphrase=0 match=4 similar=deny random=42 enforce=everyone retry=3 pw_iteration_nr=3 pw_iteration_length=180
password required pam_unix2.so use_authtok nullok

Please note: Changing any parameter does not affect a new user or a current password. Password syntax rule changes take effect the next time a user's password is changed.
The table below lists and describes each parameter (defaults are in brackets).

Parameter Description

min=N0,N1,N2,N3,N4
This parameter sets the minimum allowed password lengths for different kinds of passwords and pass phrases. The keyword disabled can be used to disallow passwords of a given kind regardless of their length. Each subsequent number is required to be no larger than the preceding one.
• N0 is used for passwords consisting of characters from one character class only. The character classes are digits, lowercase letters, uppercase letters, and other characters. There is also a special class for non-ASCII characters, which cannot be classified, but are assumed non-digits. (N0 is not supported on SBC)
• N1 is used for passwords consisting of characters from two character classes, which do not meet the requirements for a pass phrase. (N1 is not supported on SBC)
• N2 is used for pass phrases. A pass phrase must consist of sufficient words (see the passphrase parameter description below).
• N3 is used for passwords consisting of characters from three character classes. The minimum supported value is 8.
• N4 is used for passwords consisting of characters from four character classes.
Default: [min=disabled,disabled,disabled,8,8]

max=N
This parameter sets the maximum allowed password length. This can be used to prevent users from setting passwords which may be too long for some system services. The value 8 is treated specially: if max is set to 8, passwords longer than 8 characters will not be rejected, but will be truncated to 8 characters for the strength checks and the user will be warned.
Default: [max=40]

passphrase=N
This parameter sets the number of words required for a pass phrase, or 0 to disable the support for pass phrases.
Default: [passphrase=0]

match=N
This parameter sets the length of common substring required to conclude that a password is at least partially based on information found in a character string, or 0 to disable the substring search. Note that the password is not rejected if a weak substring is found; it is instead subjected to the usual strength requirements with the weak substring removed. The substring search is case-insensitive, and is able to detect and remove a common substring spelled backwards.
Default: [match=4]

similar=permit|deny
This parameter specifies whether a new password can be similar to the old one. The passwords are considered to be similar when there is a sufficiently long common substring and the new password with the substring removed would be weak.
Default: [similar=deny]

random=N[,only]
This parameter sets the size of randomly generated passwords in bits (24 to 72 bits), or 0 to disable this feature. Passwords that contain the offered randomly-generated string are allowed regardless of other possible restrictions. The only modifier can be used to disallow user-chosen passwords.
Default: [random=42]

enforce=none|users|everyone
This parameter permits the module to be configured to warn of weak passwords only, but not actually enforce strong passwords. The users setting enforces strong passwords for invocations by non-root users only.
Default: [enforce=everyone]

retry=N
This parameter sets the number of times the module requests a new password if the user fails to provide a sufficiently strong password and enter it twice the first time.
Default: [retry=3]

pw_iteration_nr=N
This parameter remembers the last N passwords and does not allow the user to use them again for the next N password changes. It is recommended to set N higher than 100. However, if a password has not been used for pw_iteration_length days, it can be used again.
Default: [pw_iteration_nr=3]

pw_iteration_length=N
This parameter is the length in days during which a password cannot be reused. N is a number between 180 and 3650. However, if the password has been changed more than pw_iteration_nr times after a certain password was used, this password can be used again.
Default: [pw_iteration_length=180]
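To see how the SBC's pam_passwdqc line above rejects or accepts a password change, here is an added example (not Unify's or the passwdqc project's code) that re-implements the min=, max=, match= and similar= rules from the table. One detail comes from the upstream passwdqc documentation rather than this module: a capital first letter and a digit as last character do not count as a character class.

```python
"""pam_passwdqc-style checker for the SBC policy line (added example, not the module's code)."""

# The option string exactly as it appears in the SBC's /etc/pam.d/common-password line.
SBC_POLICY = ("min=disabled,disabled,disabled,8,8 max=40 passphrase=0 match=4 "
              "similar=deny random=42 enforce=everyone retry=3 "
              "pw_iteration_nr=3 pw_iteration_length=180")


def parse_policy(options):
    """Split 'key=value ...' into a dict; min becomes [N0..N4] with None for 'disabled'."""
    policy = dict(token.split("=", 1) for token in options.split())
    policy["min"] = [None if v == "disabled" else int(v) for v in policy["min"].split(",")]
    for key in ("max", "passphrase", "match", "retry", "pw_iteration_nr", "pw_iteration_length"):
        if key in policy:
            policy[key] = int(policy[key])
    return policy


def count_classes(pw):
    """Character classes as the table defines them: digits, lowercase, uppercase, other,
    plus one class for non-ASCII characters (assumed non-digits). Upstream passwdqc rule,
    not spelled out in the table: a capital first letter and a trailing digit are too
    common a pattern to count towards the class total."""
    if not pw:
        return 0
    digits = lowers = uppers = others = unknown = 0
    for c in pw:
        if ord(c) > 127:
            unknown += 1
        elif c.isdigit():
            digits += 1
        elif c.islower():
            lowers += 1
        elif c.isupper():
            uppers += 1
        else:
            others += 1
    if uppers and pw[0].isupper() and ord(pw[0]) <= 127:
        uppers -= 1
    if digits and pw[-1].isdigit() and ord(pw[-1]) <= 127:
        digits -= 1
    return bool(digits) + bool(lowers) + bool(uppers) + bool(others) + bool(unknown)


def required_length(classes, mins):
    """Map the class count to the min= slot: 1 class -> N0, 2 -> N1, 3 -> N3, 4 or more -> N4.
    (N2 is the pass phrase slot and pass phrases are disabled on the SBC.)"""
    if classes <= 0:
        return None
    return mins[{1: 0, 2: 1, 3: 3}.get(classes, 4)]


def weak_substring(new, old, match):
    """Longest case-insensitive common substring of at least `match` characters between the
    new password and the old one (also spelled backwards), as (start, length) in `new`."""
    n, o = new.lower(), old.lower()
    for length in range(len(n), match - 1, -1):
        for start in range(len(n) - length + 1):
            sub = n[start:start + length]
            if sub in o or sub in o[::-1]:
                return start, length
    return None


def is_simple(pw, policy):
    """The min= part of the check: a rejection reason, or None if the password is strong enough."""
    classes = count_classes(pw)
    need = required_length(classes, policy["min"])
    if need is None:
        return f"passwords with {classes} character class(es) are disabled"
    if len(pw) < need:
        return f"too short for {classes} character classes (need {need})"
    return None


def check_password(new, old, policy):
    """(accepted, reason) for a password change under the given pam_passwdqc options."""
    if len(new) > policy["max"]:
        if policy["max"] != 8:
            return False, f"longer than max={policy['max']}"
        new = new[:8]   # max=8 special case from the table: truncate for the checks, warn the user
    reason = is_simple(new, policy)
    if reason:
        return False, reason
    # similar=deny: remove the substring shared with the old password, then re-check the rest
    if old and policy.get("similar") == "deny" and policy.get("match", 0) > 0:
        hit = weak_substring(new, old, policy["match"])
        if hit:
            start, length = hit
            remainder = new[:start] + new[start + length:]
            if is_simple(remainder, policy):
                return False, "is based on the old password"
    return True, "ok"
```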

1.3 Password Aging

Password aging rules are globally enforced by one of the following methods:

• By accepting the defaults for account creation in /etc/login.defs, which indicate the password aging controls (used by useradd) listed in the table below. Additionally, the following command must be executed to require the user to change the password upon initial logon:

chage -d 0 <username>

• By using the passwd command, as follows:

passwd -x 90 -n 1 -w 14 -i 30 <username>

In this command:
• -x sets the maximum number of days before the expiration.
• -n sets the minimum number of days before the next change.
• -w sets the number of days of warning before the expiration.
• -i sets the login grace period after the password expired before the account is locked.

Please note: The root password does not age.

login.defs parameters

Parameter Description

PASS_MAX_DAYS
This parameter specifies the maximum number of days a password may be used.
Default: PASS_MAX_DAYS=90

PASS_MIN_DAYS
This parameter specifies the minimum number of days allowed between password changes.
Default: PASS_MIN_DAYS=1

PASS_WARN_AGE
This parameter specifies the number of days' warning given before a password expires.
Default: PASS_WARN_AGE=7

LOGIN_RETRIES
Maximum number of login retries if the password is bad.
Default: LOGIN_RETRIES=3

LOGIN_TIMEOUT
Maximum time in seconds for login.
Default: LOGIN_TIMEOUT=60
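The passwd and chage options above end up as the aging fields of /etc/shadow. This added example (not Unify's code) reads those fields, derives the state a login would see (ok, warning, expired, locked, forced change, no aging) and flags accounts other than root whose password does not age. The shadow excerpt is constructed with placeholder hashes.

```python
"""Password-aging status from /etc/shadow fields (added example, not part of the module)."""
from dataclasses import dataclass
from typing import Optional

NO_AGING = 99999   # value useradd writes for PASS_MAX_DAYS when aging is not enforced


@dataclass
class Aging:
    user: str
    last_change: Optional[int]    # days since 1970-01-01; 0 is what 'chage -d 0' writes
    min_days: int                 # passwd -n / PASS_MIN_DAYS
    max_days: Optional[int]       # passwd -x / PASS_MAX_DAYS; None = password does not age
    warn_days: int                # passwd -w / PASS_WARN_AGE
    inactive_days: Optional[int]  # passwd -i; None = never locked after expiry


def parse_shadow_line(line):
    """/etc/shadow format: name:hash:lastchg:min:max:warn:inactive:expire:reserved"""
    name, _hash, lastchg, mind, maxd, warn, inact, _expire, _reserved = line.split(":")
    num = lambda s: int(s) if s else None
    max_days = num(maxd)
    if max_days is not None and max_days >= NO_AGING:
        max_days = None
    inactive = num(inact)
    if inactive is not None and inactive < 0:    # -1 also means "never lock"
        inactive = None
    return Aging(name, num(lastchg), num(mind) or 0, max_days, num(warn) or 0, inactive)


def aging_state(a, today):
    """`today` is a day count since the epoch, the unit /etc/shadow itself uses."""
    if a.last_change is None:
        return "unknown"
    if a.last_change == 0:
        return "force-change"         # result of 'chage -d 0 <username>'
    if a.max_days is None:
        return "no-aging"             # e.g. root, whose password does not age
    age = today - a.last_change
    if age < a.max_days:
        return "warning" if a.max_days - age <= a.warn_days else "ok"
    if a.inactive_days is None or age < a.max_days + a.inactive_days:
        return "expired"              # login still possible, a change is forced (-i grace period)
    return "locked"                   # grace period exhausted


def audit_shadow(shadow_text, today):
    """Accounts that violate the module's policy: every account except root must age."""
    problems = []
    for line in shadow_text.strip().splitlines():
        a = parse_shadow_line(line)
        if a.user != "root" and aging_state(a, today) == "no-aging":
            problems.append(a.user)
    return problems


# Constructed /etc/shadow excerpt (hashes replaced by placeholders). 'admin' was set up with
# 'passwd -x 90 -n 1 -w 14 -i 30 admin', 'newuser' additionally with 'chage -d 0 newuser'.
SAMPLE_SHADOW = """\
root:*PLACEHOLDER*:17500:0:::::
admin:*PLACEHOLDER*:17500:1:90:14:30::
newuser:*PLACEHOLDER*:0:1:90:14:30::
svc:*PLACEHOLDER*:17400:0:99999:7:::
"""
```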
1.4 Used IP Ports

The IP ports used in the OpenScape Session Border Controller and its associated servers are listed in the Interface Management Data Base.

The OpenScape Session Border Controller SIP listening ports default to the well known SIP ports:
• 5060 - UDP
• 5060 - TCP
• 5061 - TLS

Since these ports are well known in the network, many security vulnerabilities can be instigated by external attacks on these ports. It is therefore required that the OpenScape Session Border Controller SIP listening ports be changed to other values which do not conflict with other provisioned ports. For example, within the port range 65000 to 65535, the ports can be configured to:
• 65060 - UDP
• 65060 - TCP
• 65061 - TLS

When the SIP listening ports are changed to other values, the OpenScape Session Border Controller will only accept SIP requests received on the new SIP listening ports. This requires that all SIP servers, OpenScape Branch Proxy Servers, Remote Subscribers and OpenScape Voice network interfaces that communicate with the OpenScape Session Border Controller be reconfigured to use the assigned ports; otherwise no SIP communication will be possible.

Additionally, it can generally be noted that according to the SIP protocol, the phones send a REGISTER message with 'Contact' information about their IP address and port number. Network endpoints are typically statically provisioned with the same 'Contact' information.

On the OpenScape Session Border Controller outside access or WAN network, the Session Border Controller sends SIP messages to the IP address / port number provided by the phones or as statically provisioned for network endpoints. Usually, these ports are 5060 (for UDP or TCP) or 5061 (for TLS), but they can sometimes be configured on the phones.

On the OpenScape Session Border Controller inside core or LAN network, the OpenScape Session Border Controller sends SIP messages to the OpenScape Voice provisioned IP address / port number, which is 5060 (for TCP) or 5061 (for MTLS).

The IP ports can be changed in the „Network/Net Services“ menu under the „Interface configuration“ section. In the responsible realm entry the ports can be changed (recommended for the access side).

Please note: The SIP Server will be restarted if the ports are changed.
1.5 Firewall

The OpenScape SBC comes with a preconfigured firewall. Only needed ports are open and in use. The firewall configuration is located on the „Security“ tab in the „Firewall“ section.

The firewall rules are applied per default („Main“ network ID) to all networks/VLANs. A specific firewall rule can be added by using the „Add“ button and choosing the network ID for which the rules should be applied.

A firewall rule can be deleted (except the „Main“ rule) with the „Delete“ button. To edit an existing firewall rule, select the responsible line and click on „Edit“. The firewall details are then shown:

• Network for which these rules will be applied (can only be chosen when adding a new firewall rule for a VLAN)
• Allowed / blocked services
• Grant access (white list) or block access to a host or an entire subnet (for a service)
• Restriction of access to the admin interface (use with caution!)

Per default, only SIP, TLS, RTP and MGCP are allowed. To enable a service for everybody, just change the setting for the responsible service from „Block“ to „Allow“.

Please note: GUI access can only be allowed for a certain IP or network.

E.g., to allow access to the time server for synchronizing the clients located on the WAN, change the NTP service to „Allow“.

To enable a service only for a certain IP or network, a manual firewall entry can be created in the white list by providing the IP / network and port number. E.g., to allow access to the SBC's GUI as well as via SSH only from certain IPs, two entries in the white list will open the firewall. Click „Add“ to create a new entry or mark one and click „Delete“ to remove it.

A service can be specified either by its port number or by the service name (as defined in /etc/services). Multiple services can be entered comma separated. A port range can be specified with a colon, e.g. 1024:65535. If the Port field is zero, all ports will be allowed / blocked.

Access to the admin interface can also be restricted via the firewall settings. As long as no entry is defined, everybody can access the GUI, the Linux shell via SSH or execute a file transfer (SFTP). To restrict the access, add a single IP or a network to the access control list and select the allowed services.

In this example, the entire network 10.0.0.0 (class C) has access to all admin services. In addition, the single host 10.1.2.3 has access to the admin GUI. Every other admin traffic will be rejected.

Important: Make sure that at least one host is left which can be used to manage the SBC!
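The following added example (not Unify's code) models the white-list and admin ACL semantics described in this section: the port field syntax (number, /etc/services name, comma list, colon range, 0 for all), the 10.0.0.0 network plus 10.1.2.3 host example, and the lock-out check behind the "Important" note. The /etc/services subset and the HTTPS GUI port are assumptions.

```python
"""Evaluate OpenScape SBC style firewall white-list entries (added example, not Unify code)."""
import ipaddress

# Constructed subset of /etc/services; the SBC resolves names from the real file.
SERVICES = {"ssh": 22, "https": 443, "ntp": 123, "sip": 5060, "sips": 5061}
GUI_PORT = SERVICES["https"]   # assumption: the admin GUI is served over HTTPS


def parse_port_field(field):
    """Port field rules from the module: a port number or a service name from /etc/services,
    several entries comma separated, a range with a colon (1024:65535), and 0 for all ports.
    Returns a list of inclusive (low, high) tuples."""
    field = field.strip()
    if field == "0":
        return [(1, 65535)]
    ranges = []
    for item in field.split(","):
        item = item.strip().lower()
        if ":" in item:
            low, high = (int(p) for p in item.split(":", 1))
        elif item.isdigit():
            low = high = int(item)
        elif item in SERVICES:
            low = high = SERVICES[item]
        else:
            raise ValueError(f"unknown service or port: {item!r}")
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"invalid port range: {item!r}")
        ranges.append((low, high))
    return ranges


def parse_entries(entries):
    """entries: (host-or-network, port-field) string pairs as typed into the white list.
    A bare host is treated as a /32 network."""
    return [(ipaddress.ip_network(src, strict=False), parse_port_field(ports))
            for src, ports in entries]


def permitted(rules, src_ip, port):
    """True if some white-list entry covers this source address and port."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net and any(low <= port <= high for low, high in ranges)
               for net, ranges in rules)


def admin_access(acl, src_ip, port):
    """Admin-interface ACL semantics from the module: with no entries everybody may reach
    GUI, SSH and SFTP; once entries exist, only the listed sources are allowed."""
    if not acl:
        return True
    return permitted(parse_entries(acl), src_ip, port)


def management_locked_out(acl, mgmt_hosts):
    """The 'Important' note: True if applying `acl` would leave none of the given
    management hosts able to reach the GUI."""
    return not any(admin_access(acl, host, GUI_PORT) for host in mgmt_hosts)
```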
1.6 Denial of Service Thresholds

The OpenScape SBC is equipped with Denial of Service prevention by SNORT. If a certain limit of packets is received from a device, traffic from this device will be blocked. Per default, if a limit of 20,000 packets per second is reached, the responsible device will be locked out for 60 seconds. This configuration can be changed in the „Security“ menu under „Message Rate Control Settings“:

• Enable / Disable Message Rate Control (SNORT)
• Limit of packets / second (1-256000, default 20000)
• Lockout time (1-2048, default 60)
• Host(s) / network(s) to be ignored

During the installation, a large amount of data must be transferred to and from the server, from software servers and between nodes of the cluster, etc. In order not to impede this process, the threshold for detection of a denial of service attack has been intentionally set at 20,000 messages per second. After installation, this value should be adjusted based on the OpenScape Session Border Controller WAN configuration, traffic patterns (calls per second), simultaneous calls and background message traffic in support of subscriber registrations requiring far-end NAT traversal.

Typically, no single network IP address (for example, a single phone or server) will deliver heavy amounts of packet traffic; however, message concentrators such as an SBC or proxy can create heavier amounts of packet traffic and need to be taken into account when setting the rate threshold value and the “white list” of trusted hosts, which is the list of IP addresses that are exempt from the rate threshold limit.

In the example the host 1.23.11.188 can exceed the configured limit of 20000 packets / second and will not be locked out by SNORT.

Please note: The administrator should carefully monitor the system after reducing the threshold values and adjust the threshold and “white list” to values suited to the specific customer configuration.

1.7 Denial of Service Mitigation

This feature provides enhancements to help mitigate potential Denial of Service (DoS) attacks by
• Message Rate Limits/Trust Levels on the WAN Interface of the SBC
• Blocking SIP User Agents (UA) attempting to obtain unauthorized access
• Improved Registration throttling

A Quarantine List is maintained for Message Rate Limit violators with configurable quarantine intervals. A log file can be retrieved to view the list of Unknown or Unauthorized SIP User Agents attempting to access the SBC.
1.8 SIP Message Rate Limiting

The SIP Message Rate Limiting feature must be configured in two steps:
1: Enable „SIP Message Rate Limiting“ on the system and configure the quarantine time
2: Set the message rate limit and the security level on the realm (network) configuration

First, enable the feature under the Security --> Denial of Service Mitigation tab by checking the „Enable gateway message rate limit“ checkbox.

Two Trust Levels are defined with quarantine intervals on the same page:
• Minimal (sec): default interval of 60 seconds, range 60-3600 secs.
• Medium (sec): default interval of 10 seconds, range 10-3600 secs.
These „levels“ are then used in the realm configuration.

Then assign the Message Rate Limit and Trust Level to each Access (WAN) realm interface (Network Id) on the Network/Net Services tab.

The Message Rate Limit has a predefined set of possible values ranging from 5 msg/sec to 100 msg/sec with a default of 100. The „Trusted level“ then defines whether a device (IP) will be blocked, and for how long, in case this limit is reached.

1.8.1 Monitoring

The main page (dashboard) of the SBC Local GUI contains a Show button for the Denial of Service Quarantine List in the „System Status“ section.

When a source IP is quarantined due to violating the Message Rate Limit on the Access Interface, this source IP will be visible in this Quarantine Table along with the time remaining on its quarantine.

If this table remains open in the GUI, it will automatically refresh every 30 seconds. If the user wants to remove a source IP from quarantine, the source IP can be selected and then unblocked with the “Unblock” button. This sets the Quarantine TTL to 0, but does not remove the entry from the list.

The log files (dos.log and dos_quarantine_history.log) in the directory /var/log/ also contain this information.
1.9 Unauthorized / Unknown User blocking

Blocking of Unauthorized Users or Unknown Users can be enabled under the Security --> Denial of Service Mitigation tab:

Unauthorized Users
If a subscriber attempts to register but does not provide the right credentials after 3 tries (401 Unauthorized), the user will be quarantined for the specified interval (60-36000 seconds with a default of 300 sec.).

Unknown Users
When the OS-SBC receives a 404 Not Found response from OSV for a SIP REGISTER message, the source IP address of the unauthorized REGISTER message is quarantined for the specified interval (60-90000 seconds with a default of 300 sec.).

Please note: Quarantined Unauthorized Users or Unknown Users are not displayed in the Quarantine table via the GUI. The only way to check if users are blocked is by checking the log file /var/log/dos.log to see the quarantine entry for that source IP.

In addition, a checkbox also exists to enable “Process Initial Registration” requests to avoid the SBC responding with a 503 Server Unavailable message to the first REGISTER message. But for security reasons (this avoids port scans) it is not recommended to enable this option.

Please note: It is safe to enable this option if the SBC is used in an „internal“ network environment.
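The quarantine behaviour of sections 1.8 and 1.9 (message rate limit with trust-level intervals, three 401s or one 404 on REGISTER, trusted hosts exempt, "Unblock" setting the TTL to 0 without removing the entry, 401/404 quarantines invisible in the GUI table) as one runnable model. This is an added example, not Unify's implementation; the one-second sliding window and the reset of the 401 counter on other responses are assumptions.

```python
"""Model of the SBC's DoS quarantine rules from sections 1.8 and 1.9 (added example, not Unify code)."""
from collections import defaultdict, deque

# Quarantine interval per trust level: defaults from the module (GUI ranges 60-3600 / 10-3600 s)
TRUST_LEVEL_QUARANTINE = {"minimal": 60, "medium": 10}


class DosMitigation:
    def __init__(self, rate_limit=100, trust_level="minimal",
                 unauthorized_quarantine=300, unknown_quarantine=300, ignore=()):
        assert 5 <= rate_limit <= 100                    # msg/sec values offered by the GUI
        assert 60 <= unauthorized_quarantine <= 36000    # range for the 401 quarantine
        assert 60 <= unknown_quarantine <= 90000         # range for the 404 quarantine
        self.rate_limit = rate_limit
        self.rate_quarantine = TRUST_LEVEL_QUARANTINE[trust_level]
        self.unauthorized_quarantine = unauthorized_quarantine
        self.unknown_quarantine = unknown_quarantine
        self.ignore = set(ignore)                # trusted hosts exempt from all limits
        self.recent = defaultdict(deque)         # src -> message timestamps in the last second
        self.failed_auth = defaultdict(int)      # src -> 401 responses seen so far
        self.quarantine = {}                     # src -> (expiry, reason); entry kept after unblock

    def is_quarantined(self, src, now):
        entry = self.quarantine.get(src)
        return entry is not None and entry[0] > now

    def _quarantine(self, src, now, seconds, reason):
        self.quarantine[src] = (now + seconds, reason)

    def on_message(self, src, now):
        """A SIP message from src at time `now` (seconds). Returns 'accept' or 'drop'."""
        if src in self.ignore:
            return "accept"
        if self.is_quarantined(src, now):
            return "drop"
        window = self.recent[src]
        window.append(now)
        while window[0] <= now - 1.0:            # assumption: a sliding one-second window
            window.popleft()
        if len(window) > self.rate_limit:
            self._quarantine(src, now, self.rate_quarantine, "rate limit")
            window.clear()
            return "drop"
        return "accept"

    def on_register_response(self, src, status, now):
        """OSV's answer to a REGISTER relayed from src: three 401s or one 404 quarantine the
        source. Assumption: any other response code resets the 401 counter."""
        if src in self.ignore:
            return
        if status == 401:
            self.failed_auth[src] += 1
            if self.failed_auth[src] >= 3:
                self.failed_auth[src] = 0
                self._quarantine(src, now, self.unauthorized_quarantine, "unauthorized user")
        elif status == 404:
            self._quarantine(src, now, self.unknown_quarantine, "unknown user")
        else:
            self.failed_auth[src] = 0

    def unblock(self, src, now):
        """GUI 'Unblock' button: the TTL becomes 0 but the entry stays in the list."""
        if src in self.quarantine:
            self.quarantine[src] = (now, self.quarantine[src][1])

    def quarantine_table(self, now):
        """Rows as the dashboard shows them: only Message Rate Limit violators are listed;
        401/404 quarantines exist only in /var/log/dos.log."""
        return [(src, max(0, int(expiry - now)), reason)
                for src, (expiry, reason) in sorted(self.quarantine.items())
                if reason == "rate limit"]

    def log_entries(self, now):
        """Every source currently quarantined, for any reason (what dos.log would record;
        the real log format is not shown in the module and is not reproduced here)."""
        return [(src, reason) for src, (expiry, reason) in sorted(self.quarantine.items())
                if expiry > now]
```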
1.10 Registration Throttling

The new „Registration Throttling“ feature for subscribers can be configured in the „Features“ menu under „Remote Subscribers“.

Minimum registration interval allows the administrator to specify a minimum registration timer in REGISTER messages from remote subscribers (60-3600 sec., default 300).

The Quarantine registration rate violators checkbox allows the administrator to quarantine registration attempts with a session timer less than the configured minimum interval. Register requests are then blocked for the „Minimum registration interval“.

When register throttling is enabled, separate timer values exist towards the subscribers for UDP NAT subscribers and TCP/TLS NAT subscribers.
1.11 Restrict access to certain User Agents

Some customers want to restrict the access to certain SIP device types for security or support reasons. This is possible on the SBC by checking the “User-Agent” field in the SIP header and comparing it with the allowed user agent list. The validation will not take place if the Allowed User Agent List is empty (default).

Important: As soon as one entry exists in the list, only devices which match the list are accepted!

This can be configured in the „Security“ menu under „Denial of Service Mitigation“.

To add a new device enter the „User Agent“ identifier and click on „Add“.
For example: OpenStage, Tandberg, Lifesize

Please note: The list is not case-sensitive and each entered name will be converted to lowercase letters.

The user agent can be specified to match exactly or partly:
• For an exact match with the user agent name, use the „$“ (dollar) sign as suffix to the word.
For example: „Polycom$“ - This will exactly match the user agent name Polycom, not PolyCom-V1.
• To match a user agent starting with a prefix name, enter the prefix alone.
For example: „Polycom“ - This will match the user agent names PolyCom-V1 and PolyCom-V2.
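The matching rules above (empty list disables the check, lowercase comparison, "$" suffix for an exact match, otherwise prefix match) applied to the User-Agent header of a REGISTER, as an added example rather than Unify's code. The sample REGISTER is constructed, and treating a missing User-Agent header as a non-match is an assumption.

```python
"""SBC allowed-User-Agent list semantics (added example, not Unify's implementation)."""


def normalize_allow_list(entries):
    """The GUI lowercases every entry; the trailing '$' exact-match marker is kept."""
    return [e.strip().lower() for e in entries if e.strip()]


def user_agent_allowed(user_agent, allow_list):
    """True if the User-Agent value passes the list: empty list -> no validation;
    'name$' -> exact case-insensitive match; 'name' -> case-insensitive prefix match."""
    rules = normalize_allow_list(allow_list)
    if not rules:
        return True
    ua = user_agent.strip().lower()
    for rule in rules:
        if rule.endswith("$"):
            if ua == rule[:-1]:
                return True
        elif ua.startswith(rule):
            return True
    return False


def parse_user_agent_header(sip_message):
    """Return the User-Agent header value of a raw SIP request (header names are
    case-insensitive per RFC 3261), or None if the header is absent."""
    head = sip_message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return None


def screen_register(sip_message, allow_list):
    """Decision for one REGISTER as ('accept' | 'reject', user_agent)."""
    ua = parse_user_agent_header(sip_message)
    if not normalize_allow_list(allow_list):    # default: empty list, no validation at all
        return "accept", ua
    if ua is None:                              # assumption: no header cannot match any entry
        return "reject", None
    return ("accept" if user_agent_allowed(ua, allow_list) else "reject"), ua


# Constructed sample REGISTER (not captured from a real device); the User-Agent value is made up.
SAMPLE_REGISTER = (
    "REGISTER sip:example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:65061;branch=z9hG4bK-constructed\r\n"
    "From: <sip:1000@example.invalid>;tag=1\r\n"
    "To: <sip:1000@example.invalid>\r\n"
    "Call-ID: constructed-1@192.0.2.10\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1000@192.0.2.10:65061;transport=tls>\r\n"
    "User-Agent: OpenStage_60 V3R1-constructed\r\n"
    "Content-Length: 0\r\n\r\n"
)
```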
TLS and Payload Encryption

2 TLS and Payload Encryption


2.1 Motivation
The communication between the OpenScape Voice and the Endpoints (Signaling) as well the
RTP stream (Payload) is per default not encrypted and might be captured by somebody with
standard tools like Wireshark.

Example: Wireshark allows to decode an RTP stream when codec is G711

20
7-
-0
20
o_
ol
ic SIP
en
_G
do
an
rn
Fe

RTP
._
_L
EN
00
EN
40
88
EN

The payload encryption feature allows an encryption of the audio stream with SRTP „Secure
Realtime Protocol“.
SRTP provides a framework for encryption and message authentication of RTP and RTCP
streams.

2.2 Transport Layer Security (TLS)


Within a VoIP network, the signaling communication should be protected via TLS and this is
the precondition to encrypt the Payload (RTP) with SRTP. The TLS protocol allows applications
to communicate across a network in a way designed to prevent eavesdropping, tampering,
and message forgery. TLS runs on OSI layers beneath application protocols such as HTTP,
SOAP, and SIP, and above a reliable transport protocol—for example, TCP.

Server-side certificates are used on SIP endpoint devices to establish TLS connections.
OpenScape Voice and OpenScape SBC support TLS with mutual authentication to protect the
SIP signaling stream between them.
TLS with mutual authentication should be used if the enterprise security policy requires
strong authentication and/or encryption of the SIP signaling stream between SIP servers.
With mutually authenticated TLS protection of SIP signaling, both interface partners support
the role of a TLS client and TLS server. When using plain TLS (not mutual TLS) only the client
authenticates / verifies the identity of the server. With mutual TLS (MTLS) both sides
authenticate each other, which means that both devices must be able to verify the identity of
the other side.
TLS with mutual authentication (MTLS) is used to protect a SIP signaling interface between
the following devices:

• Two OpenScape Voice systems to protect the SIP or SIP-Q interface.
• OpenScape Voice and the OpenScape 4000 to protect the SIP-Q interface.
• OpenScape Voice and a third-party trusted host or peer server that is not bound to a
  known OpenScape Voice element type.
• Optionally instead of IPsec: External OpenScape Voice Assistant and OS MetaManagement
  application to secure OAM&P (Operation, Administration, Maintenance and Provisioning)
  functions that are performed using SOAP (Simple Object Access Protocol).
• Optionally: Subscriber EP (Endpoint) devices and soft clients (such as OpenStage and
  OpenScape Desk Phone IP) to secure the SIP signaling stream.
• RG 2700 survivable media gateway
• RG 8700 survivable media gateway
• OpenScape 4000 gateway
• OpenScape Business / HiPath 3000 gateway
• Survivable branch offices using OpenScape Branch
• OpenScape SBC or other Session border controllers
• OpenScape Xpressions server for unified messaging

OpenScape Voice supports a rapid recovery mechanism for TLS connections.
This mechanism is only supported for Unify SIP endpoints that also support this mechanism.
The rapid recovery mechanism is based on a frequent connectivity check (keepalive message)
the SIP endpoint sends to OpenScape Voice. The interval of the connectivity check is provi-
sioned in the SIP endpoint. The connectivity check is successful if the SIP endpoint receives
back the identical message within five seconds.

The OpenScape Voice server responds to the keep-alive message when it is received. If the SIP
endpoint fails to receive the response within five seconds, it repeats the keep-alive message.
If a response is still not received after the number of attempts configured on the specific
phone device, the SIP endpoint considers the TLS connection failed and establishes a new TLS
connection.
To allow the Unify SIP endpoints that support rapid recovery of TLS connections (e.g. with OS
4000) to use it, OpenScape Voice includes a server version in its response to the SIP REGISTER
message. The following conditions must be met:
• The SIP signaling manager must be provisioned to include the server version in its
  response to the SIP REGISTER messages. Refer to the OpenScape Voice Configuration
  Manual: Volume 2, Configuration and Administration Using CMP and Assistant Plug-Ins.
• The SIP REGISTER message from a SIP endpoint must be received on a TLS connection.
  The OpenScape Voice server does not provide the server version when the SIP REGISTER
  message is received on UDP or TCP without TLS.
2.3 Sample connection call flow


The following figure shows a simple one-way (server-authenticated) TLS connection, including
a full handshake.

Figure: One-way TLS handshake between Client (SIP Endpoint) and Server (OpenScape Voice or
OpenScape SBC)

  Client -> Server: ClientHello
  Server -> Client: ServerHello, Server Certificate, ServerHelloDone
  Client -> Server: ClientKeyExchange, ChangeCipherSpec, Finished
  Server -> Client: ChangeCipherSpec, Finished
  Client <-> Server: Application Data (e.g. SIP)

1: A client sends a ClientHello message specifying the highest TLS protocol version it
   supports, a random number, a list of suggested cipher suites and compression methods.
2: The server responds with a ServerHello message, containing the chosen protocol version,
   a random number, cipher suite, and compression method from the choices offered by the
   client. The server may also send a session id as part of the message to perform a
   resumed handshake.
3: The server sends its Certificate message.
4: The server sends a ServerHelloDone message, indicating it is done with handshake
   negotiation.
5: The client responds with a ClientKeyExchange message, which may contain a
   PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher.)
6: The client and server use the random numbers and PreMasterSecret to compute a common
   secret, known as the master secret. All other key data for this connection is derived
   from this master secret and the client- and server-generated random values, which are
   passed through a carefully designed pseudo-random function.

7: The client sends a ChangeCipherSpec record, essentially telling the server, “Everything
   I tell you from now on will be encrypted.” Note that the ChangeCipherSpec is itself a
   record-level protocol and has type 20, not 22.
8: The client sends an encrypted Finished message, containing a hash and MAC over the
   previous handshake messages.
9: The server attempts to decrypt the client’s Finished message and verify the hash and
   MAC. If the decryption or verification fails, the handshake is considered to have failed
   and the connection should be torn down.
10: The server sends a ChangeCipherSpec and its encrypted Finished message, and the
   client performs the same decryption and verification.

At this point, the handshake is complete and the application protocol is enabled, with content
type of 23. Application messages exchanged between client and server will be encrypted.
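The record types named in the steps above (22 for handshake messages, 20 for ChangeCipherSpec, 23 for application data) are what a packet capture of the SIP/TLS connection shows at the record layer. The following added example, not from the OpenScape documentation, dissects a constructed client-side byte stream and shows that once ChangeCipherSpec has been sent, the Finished message and the SIP payload are only visible as opaque encrypted records.

```python
"""Dissect TLS records at the record layer (added example, not Unify code).

Content types from the call flow: 22 = Handshake (ClientHello, ServerHello, ...),
20 = ChangeCipherSpec, 23 = ApplicationData (the SIP messages after the handshake).
Handshake messages are readable only until the sender's ChangeCipherSpec; the
Finished message that follows it is already encrypted.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}


@dataclass
class Record:
    content_type: int
    version: str      # record-layer version, e.g. "3.3" for TLS 1.2
    length: int
    description: str


def make_record(content_type: int, version: tuple[int, int], body: bytes) -> bytes:
    """Build one record: type (1 byte), version (2 bytes), length (2 bytes), body."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


def handshake_body(msg_type: int, payload: bytes) -> bytes:
    """Handshake header: message type (1 byte) + 24-bit length, then the payload."""
    return bytes([msg_type]) + len(payload).to_bytes(3, "big") + payload


def parse_records(stream: bytes) -> list[Record]:
    """Split one direction of a TLS byte stream into records and label them."""
    records, offset, encrypted = [], 0, False
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack("!BBBH", stream[offset:offset + 5])
        body = stream[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % offset)
        name = CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype)
        if ctype == 20:
            description = name
            encrypted = True     # everything this side sends from now on is encrypted
        elif ctype == 22 and not encrypted and length >= 4:
            description = "Handshake: " + HANDSHAKE_TYPES.get(body[0], "type %d" % body[0])
        elif encrypted:
            description = name + " (encrypted, after ChangeCipherSpec)"
        else:
            description = name
        records.append(Record(ctype, "%d.%d" % (major, minor), length, description))
        offset += 5 + length
    return records


def summarize(stream: bytes) -> list[str]:
    return ["type %2d len %4d  %s" % (r.content_type, r.length, r.description)
            for r in parse_records(stream)]


# Constructed client-side stream (not a capture): ClientHello, ChangeCipherSpec,
# encrypted Finished, then an encrypted application-data record carrying SIP.
TLS12 = (3, 3)
CLIENT_STREAM = (
    make_record(22, (3, 1), handshake_body(1, b"\x03\x03" + b"\x11" * 32 + b"\x00"))
    + make_record(20, TLS12, b"\x01")
    + make_record(22, TLS12, b"\xaa" * 40)
    + make_record(23, TLS12, b"\xbb" * 64)
)

if __name__ == "__main__":
    print("\n".join(summarize(CLIENT_STREAM)))
```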

2.4 TLS Certificates


Certificates are created in hierarchies; the levels above are known as certificate authorities
(CAs). The CA is used to sign the certificates. The public root certificate from the CA is used
to verify the signatures of the „server certificates“. The following diagram shows a typical
certificate structure:

Figure: Certificate hierarchy by chain depth
  Depth 0: root CA
  Depth 1: server CA (optional); OpenScape Voice client certificate; OpenScape SBC server
           certificate
  Depth 2: OpenScape Voice server certificates

The Issuing CA or Root CA certificates are located on the peers of the OpenScape Voice
server. Similarly, the equivalent CA certificate is also located on the OpenScape Voice server.

The OpenScape Voice server as well as the OpenScape SBC accept certificates in PEM format
only. If another format is used, for example PKCS#12, a conversion to PEM format is required
before the certificate can be used. The conversion to PEM format can be done with the openssl
command line utility.

Please note: If no PKI infrastructure can be delivered by the customer, use a self-signed PKI
infrastructure based on the Unify simple-ca tool.

In environments where a separate PKI is required, all certificates must be signed by this CA.

2.5 OSV TLS Certificates


The OpenScape Voice as well as the OpenScape SBC are delivered with preinstalled certificates.
It is very important to use unique certificates, because these pre-installed certificates
include the private server key, which is a risk.

Important: The preinstalled certificate is identical on each OpenScape Voice / OpenScape SBC
system and should not be used in a customer environment!

The required X.509 certificates can be provided by the customer or created with recommended
tools.

Please note: Customers with a PKI in place can use their own PKI tool to create the TLS
certificates. Those customers need only to install the certificate files into the appropriate
directories on the OpenScape Voice / import them into the OpenScape SBC. It may be necessary
to first convert the certificate format as generated by a PKI tool (for example PKCS#12) to
the pem files required on OpenScape Voice and OpenScape SBC.


OSV keeps its OpenSSL files in the directory /usr/local/ssl:

/usr/local/ssl/
  certs/      root.pem                 preconfigured self-signed root CA X.509 certificate
  crls/
  dh_keys/    dh1024.pem, dh2048.pem   Diffie-Hellman keys
  private/    server.pem, client.pem   two X.509 certificates, signed by the root CA

By default, OpenScape Voice PKI scenarios are single CAs with only one common self-signed
X.509 certificate, the file „root.pem“.

For distribution of root.pem to the phones, ensure that the private key part has been removed!

Please note: OSV V7 or higher does not provide a CA private key anymore, to ensure nobody
uses the default certificates.
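Two checks from this and the previous section can be automated before a file is handed out: the file must be PEM (binary PKCS#12 has to be converted first), and a root.pem destined for the phones must not carry a private key block. The following added example, not part of the OpenScape documentation, inspects PEM blocks and produces a certificates-only copy; the sample root.pem is constructed with placeholder base64 bodies, and the openssl command in the docstring is only a hint for the conversion.

```python
"""Check a PEM file before it is distributed, e.g. root.pem to the phones.

Added example, not part of the OpenScape documentation. It splits a file into
its PEM blocks, reports whether a private key is present (which must never be
shipped to phones) and builds a copy that contains only CERTIFICATE blocks.
A file without any PEM block (e.g. a binary PKCS#12 container) is reported as
not PEM: OpenScape Voice and SBC accept PEM only, so convert it with openssl
(e.g. "openssl pkcs12 -in file.p12 -out file.pem -nokeys") first.
"""
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                      "ENCRYPTED PRIVATE KEY", "DSA PRIVATE KEY"}


def pem_blocks(text: str) -> list:
    """Return (label, block text) for every PEM block, in file order."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def is_pem(data: bytes) -> bool:
    """PEM is ASCII armour; binary input (PKCS#12, DER) fails this check."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return PEM_BLOCK.search(text) is not None


def contains_private_key(text: str) -> bool:
    return any(label in PRIVATE_KEY_LABELS for label, _ in pem_blocks(text))


def certificates_only(text: str) -> str:
    """Copy of the file keeping only CERTIFICATE blocks (keys and DH parameters dropped)."""
    certs = [block for label, block in pem_blocks(text) if label == "CERTIFICATE"]
    return "".join(block + "\n" for block in certs)


def distribution_report(data: bytes) -> dict:
    """Summary a provisioning script can act on before pushing the file to the DLS."""
    if not is_pem(data):
        return {"pem": False, "blocks": [], "has_private_key": False,
                "safe_to_distribute": False}
    text = data.decode("ascii")
    labels = [label for label, _ in pem_blocks(text)]
    has_key = contains_private_key(text)
    return {"pem": True, "blocks": labels, "has_private_key": has_key,
            "safe_to_distribute": "CERTIFICATE" in labels and not has_key}


# Constructed sample resembling a default root.pem that still carries its CA key.
# The base64 bodies are placeholders, not real certificate or key material.
SAMPLE_ROOT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedNotARealCertificate\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEconstructedNotARealKey\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(distribution_report(SAMPLE_ROOT_PEM.encode()))
    print(distribution_report(certificates_only(SAMPLE_ROOT_PEM).encode()))
```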

2.6 TLS Provisioning


Prerequisites:

Please note: You should never use the default certificates on productive systems! For training
purposes please ask your lecturer to provide certificates. Proceed as follows ...

We need to change and copy the following files or certificates:

• OpenScape Voice Server:
  - Root Certificate: root.pem
  - X509 Certificate: server.pem
  - X509 Certificate: client.pem
  - Diffie-Hellman key file: dh2048.pem
• OpenScape SBC:
  - Root Certificate: root.pem
  - X509 Certificate: sbc.pem
  - Private Key: sbc.key

2.6.1 PKI on OpenScape Voice


STEPS:
1: Put the files to OpenScape Voice into /tmp/pki with WinSCP.

2: Copy the content of the new files into the OSV PKI files; log in as srx user on OSV:

    $ cd /tmp/pki
    cat kv300_n1_s.pem > /usr/local/ssl/private/server.pem
    cat kv300_n1_c.pem > /usr/local/ssl/private/client.pem
    cat rootCA.pem > /usr/local/ssl/certs/root.pem
    cd /usr/local/ssl/dh_keys
    # create dh2048.pem as a copy of the existing dh1024.pem so that the new
    # file keeps the same owner and permissions, then overwrite its content
    cp -p dh1024.pem dh2048.pem
    cat /tmp/pki/dh2048.pem > dh2048.pem

3: Change the srx parameters via StartCli Expert Mode for the new DH key:

    confModifyParameter "SSL/CSTAMutualAuth/Server/SupportedDH" "dh2048.pem"
    confModifyParameter "SSL/EndPoint/Server/SupportedDH" "dh2048.pem"
    confModifyParameter "SSL/MutualAuth/Client/SupportedDH" "dh2048.pem"
    confModifyParameter "SSL/MutualAuth/Server/SupportedDH" "dh2048.pem"

4: Restart OSV (as srx user):

    srxctrl 3 0
    srxctrl 4 0
    srxctrl 0 3
    srxctrl 0 4

2.6.2 PKI on OpenScape SBC


The OpenScape SBC uses certificate profiles to assign different certificates for different
purposes.
Certificate profiles are bound to certificate services; these are:
• SIP-TLS: Used for all SIP connections
• HTTPS: Used for the embedded Web GUI
• GTC: Used for the telephony connector (Circuit)
• TURN: Used for the TURN service

Figure: Dropdown box „Certificate services“

The certificate and the key must be imported into the SBC's certificate store as follows:
1: Transfer the SBC's certificate files to the PC which has access to the SBC's admin
   interface.

2: On the SBC local GUI navigate to the „Security“ menu under „General“ and click on
   „Certificate management“ in the „Certificates“ section:

   Figure: Certificate management page of the SBC GUI

3: In the „CA Certificates“ section, click on „Browse“, select the rootCA.pem file from your
   local PC and upload the file to the SBC with „Upload“:

   Figure: pem files on local PC; rootca

The certificate should then appear in the „X.509 Certificate“ list.

4: In the „X.509 Certificates“ section, click on „Browse“, select the ossbc.pem file and
   upload the file to the SBC with „Upload“:

   Figure: pem files on local PC; x509

The certificate should then appear in the „X.509 Certificates“ list.

5: In the „Key Files“ section, click on „Browse“, select the ossbc_privatekey.pem file and
   upload the file to the SBC with „Upload“:

   Figure: pem files on local PC; key

The certificate key should then appear in the „Key Files“ list.

6: To use the new TLS certificates, they must either be assigned to a new certificate profile
   or replace the certificates in the existing default „OSV Solution“ profile. In this example
   we replace the certificate in the existing „OSV Solution“ profile:

   Figure: Screenshot shows the preinstalled default certificate profile

If a new profile is created, enter a profile name and select the Certificate service „SIP-TLS“.
Then select the server certificate, CA and key uploaded in the previous step:

Figure: new certificate profile dialog (only if a new profile is created; the new files will be
selected automatically)

And click on „OK“ to save the profile.

Figure: Screenshot shows the new certificate profile

7: The default certificate profile (used for subscribers) can be used by selecting it in the
   „System TLS Certificate“ section.

8: Change the VoIP Settings to TLS

   As the next step we set the communication between OSV and SBC to MTLS (port 5161!):

   Figure: SBC VoIP settings; port 5161 means MTLS

Please note: The port 5161 means MTLS on Node 1; on the SBC GUI we can only choose TLS
for Transport.

Again: Save all changes and apply the new configuration.


2.6.3 Changing the OSV connection to MTLS


On the OpenScape Voice endpoint for the SBC, the transport protocol must be changed to
MTLS and the port number to 5161 on the „SIP“ tab:


Please note: The OpenScape Voice Signaling IP and port number can be obtained from the CMP.
Check the SIP Signaling management settings on the CMP.

Check the System status on the „Operation & Maintenance“ tab to see whether the connection
could be established again.

• „normal“ indicates full connectivity to the primary and/or backup server.
• „Survivable“ mode indicates that the OSV node(s) is currently unreachable.

Figure: System status of a simplex system (OpenScape Voice Node 1 can be reached) and of a
duplex system (OpenScape Voice Node 2 can be reached)

If the OSV connection cannot be established, the HiqLogAlert.log under /log on the OpenScape
Voice can be used to identify the reason.

2.7 Multiple PKI Environment


An SBC can interface various endpoints, e.g. an SSP („SIP Signaling Provider“), OpenScape
Branches or simple gateways. All connections may use TLS or MTLS. If these remote endpoints
belong to their own PKI, they use certificates signed by different certificate authorities.

Example: The C-SBC is connected to three different endpoints which belong to different CAs.
We have to create three TLS profiles, which are used in the relevant remote endpoint
configuration.

Figure: C-SBC with three remote endpoints, each belonging to its own CA and using its own TLS
profile

Different TLS profiles can be used for endpoints by selecting them in the „Remote Location
domain list“ for the responsible endpoint mapping entry.

Figure: remote endpoint mapping entry with the following settings:
  - TLS mode: Server Authentication, Mutual authentication or Client mode only
  - Certificate profile: selects the certificates to be used for this endpoint
  - Keep-Alive: enables „Keep-Alive“ messages for this endpoint

9: Click on „Save“ and „Apply Changes“ to activate the new configuration.

2.8 Subscriber TLS Configuration


Remote Subscribers (SBC feature) which are directly connected to the centralized SBC can
use TLS. In this case the TLS connection is established between the phone and the C-SBC.
The administrator can use a certificate profile on a per-subscriber basis or one common
profile for all remote subscribers.


Please note: We have to activate the SBC feature „remote subscribers“.


Example: TLS for Homeworkers:


In this example we use for the remote subscriber a special certificate profile which is
composed of:
• root certificate
• x509 certificate
• x509 private key
The mentioned root certificate must be supplied to the phones via the DLS server, which is
described later in this module.

Please note: Remote Subscribers connected with TLS need the default ROOT CERTIFICATE of the
SBC, or the ROOT CERTIFICATE from the certificate profile bound to the subscriber.

o_
ol
ic
en
_G
do
an
rn
Fe
._
_L
EN
00
EN
40
88
EN

01.2018
© Unify Software and Solutions GmbH & Co. KG 2018 All rights reserved
Security 45
FN9850FN10FN_TBAZZZAIMHY
Subscriber TLS Configuration

2.8.1 Enforce TLS for Subscriber


Optionally, change the Transport Protocol of the Subscriber to TLS on the „SIP“ tab to force
signaling encryption. If the parameter is left at UDP / TCP, the phone (or additional phones)
will still be able to register with unencrypted communication.


Please note: The encryption of the signaling connection is the precondition for encrypting
the payload, but it will not force the endpoint to use payload encryption.

Change the Transport Protocol now on the Endpoints under Administrator Menu → System → SIP
interface. The TLS communication will be provided on port 5061 by the SIP Signaling Manager.

Figure: SIP environment (OptiPoint) under Administrator Menu → Network → Port configuration;
port 5061 has to be used for TLS (port used by the phone)

The Payload Encryption can be enabled via Administrator Menu → System → Security.

If an encrypted connection can be established, a flashing lock symbol is displayed in the
upper right corner of the phone’s display.
An optional warning tone can be enabled in the User Menu via Configuration → Connected
Calls if no encrypted connection could be established.


Important: The Payload Encryption will only work if the endpoint time has been synchronized.
A maximum time difference of 3 minutes is allowed! The timezone has no impact because the
endpoints work internally with UTC.

2.8.2 Publish Certificates to the Phone


Get the previously created or default root certificate and import it via the DLS to the phone.
The certificates are located as follows:


Please note: The phone may reboot after importing the certificate!

After a couple of minutes, check the imported Certificate. Select the option „Selected Entry“
to display detailed information.

Figure: certificate stored in the phone and the same certificate in the DLS server

And last, enable the SIP Server Certificate Validation under Administrator Menu → Security
and Policies → Certificates → Authentication Policy by setting the policy to „Full“. This
forces the phone to verify the server certificate and the identity. A connection can only be
established if the server’s certificate matches the certificate stored on the phone.

Or directly with the DLS on the „Certificate Policy“ tab under the „Security Settings“ menu by
setting the „SIP Server Authentication Policy“ to „Full“:
