System and method for providing security for SIP-based communications
First Claim
1. A security device for SIP-based communication sessions, the security device comprising:
- a firewall acting between SIP user agents, services and devices on a private network and a public network, the firewall including a blacklist of undesired SIP sources which are prevented from traversing the security device;
- a Network Address Translator and Port Address Translator to alter the addresses and/or ports of data traversing the security device to hide addresses and ports on the private network from the public network;
- a hardened SIP stack operable to examine all SIP messages traversing the security device to identify malformed messages and to discard said malformed messages;
- an admission control process to identify a resource requested for use by an external user agent in a session to be established by a selected SIP message traversing the security device, wherein the requested resource is identified using resource request information in the selected SIP message, and to determine whether to refuse the session before the session is established based on the identified resource and a current resource utilization; and
- a plurality of security processes to examine pre-selected SIP messages in accordance with one or more rules to prevent malicious attacks on SIP devices and/or services within the private network.
Abstract
A security device for SIP communications operates to inhibit the effect of malicious attacks and/or inadvertent erroneous events on the provision of SIP-based services within a private network and between private and public networks. The security device acts as a conventional Firewall, NAT and PAT to isolate SIP User Agents on the private network from SIP User Agents on the public network and to Blacklist undesired callers. Also, the security device preferably includes a virus scanner to scan attachments to sessions and/or other communications to identify and block virus contaminated data and the security device includes a hardened SIP stack to scan for and detect malformed SIP messages to prevent malicious attacks and/or inadvertent erroneous messages from adversely impacting the operation of SIP services.
21 Claims
1. A security device for SIP-based communication sessions, the security device comprising the firewall, Network Address Translator and Port Address Translator, hardened SIP stack, admission control process and plurality of security processes set out in full under First Claim above. Claims 2 through 19 are dependent claims of claim 1.

20. A method of providing security in a network including private and public network branches and providing SIP services, the method comprising:
- examining SIP messages received at a security device to detect and dispose of malformed SIP messages;
- examining each remaining SIP message to compare a source of the SIP message to a source on a blacklist of sources maintained at the security device and to discard SIP messages whose source is on the blacklist;
- identifying a resource requested for use by an external user agent in a session to be established by a selected SIP message, wherein the resource is identified using resource request information in the selected SIP message, determining whether to refuse the session before the session is established based on the identified resource, current resource utilization, and an admission control policy; and
- for each remaining SIP message performing network address alteration and/or port address alteration to hide addresses and ports on the private network branch from the public network branch.

21. A method of providing security for communications sessions established using Session Initiation Protocol (SIP), comprising:
- receiving at a computing device incoming SIP messages sent from SIP sources in a public network to SIP user agents in a private network;
- the computing device discarding each SIP message that originates from a SIP source that is on a blacklist; and
- for each incoming SIP INVITE message, identifying at the computing device a resource requested for use by an external user agent in a session to be established by the SIP INVITE message using resource request information in the SIP INVITE message, and the computing device determining whether to refuse the session before the session is established based on the identified resource requested by the session, a current resource utilization level, and a pre-defined admission policy.
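To make the processing order of claims 20 and 21 concrete, the following is an added example written for this page; it is not code from the patent or from any product it describes. It models a SIP border device that (1) rejects malformed requests, (2) drops requests from blacklisted sources, and (3) for each new INVITE reads the requested resource from the SDP offer and refuses the session when admitting it would exceed a media budget. Everything not in the claims is an assumption: the subset of mandatory headers checked (`Via`, `From`, `To`, `Call-ID`, `CSeq`), the per-codec bandwidth table `CODEC_KBPS`, the 256 kbit/s budget `CAPACITY_KBPS`, the sample blacklist entry, the "charge the most expensive codec offered" policy, and releasing a call's allocation on BYE. NAT/PAT, the virus scanner and the rule-driven security processes of claim 1 are out of scope here.

```python
"""Toy SIP admission-control pipeline modelled on the claims above (added example).

All policy values are constructed for illustration, not taken from the patent.
"""
import re
from dataclasses import dataclass, field

# Constructed blacklist of undesired SIP sources (documentation-range address).
BLACKLIST = {"203.0.113.7"}
# Assumed media budget for the private network, in kbit/s.
CAPACITY_KBPS = 256
# Assumed cost per RTP payload type (0 = PCMU, 8 = PCMA, 18 = G.729); IP overhead ignored.
CODEC_KBPS = {"0": 80, "8": 80, "18": 24}

# Headers that RFC 3261 makes mandatory in every request; absence => malformed here.
REQUIRED_HEADERS = ("Via", "From", "To", "Call-ID", "CSeq")
REQUEST_LINE = re.compile(r"^([A-Z]+) (sip:\S+) SIP/2\.0$")


@dataclass
class ParsedSip:
    method: str
    headers: dict
    body: str


def parse_sip(raw: str):
    """Return a ParsedSip, or None when the message is malformed.

    Malformed means: bad request line, a header line without ':', or a
    missing mandatory header. A real hardened stack checks far more.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    if any(h not in headers for h in REQUIRED_HEADERS):
        return None
    return ParsedSip(match.group(1), headers, body)


def requested_kbps(sdp: str) -> int:
    """Resource request information: the payload types on the first m=audio line.

    Assumed policy: charge the most expensive codec offered, since the callee
    may pick any of them.
    """
    for line in sdp.splitlines():
        if line.startswith("m=audio"):
            payload_types = line.split()[3:]
            return max((CODEC_KBPS.get(pt, 0) for pt in payload_types), default=0)
    return 0


@dataclass
class Gateway:
    """Per-call allocations keyed by Call-ID; sum is the current utilization."""
    calls: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def in_use_kbps(self) -> int:
        return sum(self.calls.values())

    def _drop(self, src_ip: str, reason: str) -> str:
        self.dropped.append((src_ip, reason))
        return f"drop: {reason}"

    def handle(self, src_ip: str, raw: str) -> str:
        """Apply the three checks in claim order; return 'forward' or 'drop: <reason>'."""
        msg = parse_sip(raw)
        if msg is None:                      # step 1: malformed message
            return self._drop(src_ip, "malformed")
        if src_ip in BLACKLIST:              # step 2: blacklisted source
            return self._drop(src_ip, "blacklisted")
        call_id = msg.headers["Call-ID"]
        if msg.method == "INVITE" and call_id not in self.calls:   # step 3: admission
            need = requested_kbps(msg.body)
            if self.in_use_kbps() + need > CAPACITY_KBPS:
                return self._drop(src_ip, f"admission refused ({need} kbit/s requested)")
            self.calls[call_id] = need
        elif msg.method == "BYE":            # assumed: BYE releases the allocation
            self.calls.pop(call_id, None)
        return "forward"


def make_request(method: str, call_id: str, payload_types: str = "") -> str:
    """Build a constructed SIP request (with an SDP audio offer when payload types are given)."""
    sdp = ""
    if payload_types:
        sdp = ("v=0\r\no=- 1 1 IN IP4 198.51.100.5\r\ns=-\r\n"
               "c=IN IP4 198.51.100.5\r\nt=0 0\r\n"
               f"m=audio 49170 RTP/AVP {payload_types}\r\n")
    return (f"{method} sip:alice@private.example SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 198.51.100.5:5060\r\n"
            "From: <sip:bob@public.example>\r\n"
            "To: <sip:alice@private.example>\r\n"
            f"Call-ID: {call_id}\r\n"
            f"CSeq: 1 {method}\r\n"
            f"Content-Length: {len(sdp)}\r\n\r\n" + sdp)


if __name__ == "__main__":
    gw = Gateway()
    for src, req in [("198.51.100.5", make_request("INVITE", "c1", "0 18")),
                     ("203.0.113.7", make_request("INVITE", "c2", "0"))]:
        print(src, "->", gw.handle(src, req), "| in use:", gw.in_use_kbps(), "kbit/s")
```

The admission decision is taken on the INVITE, before any 200 OK or media flows, which is the "before the session is established" point in the claims; refusing there means the private-network resource is never committed to a session that the policy would not allow.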
Specification