System and method for providing security for SIP-based communications

US 8,464,329 B2
Filed: 02/21/2006
Issued: 06/11/2013
Est. Priority Date: 02/21/2006
Status: Active Grant

First Claim

Patent Images

1. A security device for SIP-based communication sessions, the security device comprising:

a firewall acting between SIP user agents, services and devices on a private network and a public network, the firewall including a blacklist of undesired SIP sources which are prevented from traversing the security device;

a Network Address Translator and Port Address Translator to alter the addresses and/or ports of data traversing the security device to hide addresses and ports on the private network from the public network;

a hardened SIP stack operable to examine all SIP messages traversing the security device to identify malformed messages and to discard said malformed messages;

an admission control process to identify a resource requested for use by an external user agent in a session to be established by a selected SIP message traversing the security device, wherein the requested resource is identified using resource request information in the selected SIP message, and to determine whether to refuse the session before the session is established based on the identified resource and a current resource utilization; and

a plurality of security processes to examine pre-selected SIP messages in accordance with one or more rules to prevent malicious attacks on SIP devices and/or services within the private network.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security device for SIP communications operates to inhibit the effect of malicious attacks and/or inadvertent erroneous events on the provision of SIP-based services within a private network and between private and public networks. The security device acts as a conventional Firewall, NAT and PAT to isolate SIP User Agents on the private network from SIP User Agents on the public network and to Blacklist undesired callers. Also, the security device preferably includes a virus scanner to scan attachments to sessions and/or other communications to identify and block virus contaminated data and the security device includes a hardened SIP stack to scan for and detect malformed SIP messages to prevent malicious attacks and/or inadvertent erroneous messages from adversely impacting the operation of SIP services.

Citations

21 Claims

1. A security device for SIP-based communication sessions, the security device comprising:
- a firewall acting between SIP user agents, services and devices on a private network and a public network, the firewall including a blacklist of undesired SIP sources which are prevented from traversing the security device;
  
  a Network Address Translator and Port Address Translator to alter the addresses and/or ports of data traversing the security device to hide addresses and ports on the private network from the public network;
  
  a hardened SIP stack operable to examine all SIP messages traversing the security device to identify malformed messages and to discard said malformed messages;
  
  an admission control process to identify a resource requested for use by an external user agent in a session to be established by a selected SIP message traversing the security device, wherein the requested resource is identified using resource request information in the selected SIP message, and to determine whether to refuse the session before the session is established based on the identified resource and a current resource utilization; and
  
  a plurality of security processes to examine pre-selected SIP messages in accordance with one or more rules to prevent malicious attacks on SIP devices and/or services within the private network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. A security device according to claim 1 wherein the plurality of security processes includes a process to authenticate SIP INVITE messages.
  - 3. A security device according to claim 1, wherein the requested resource is identified using Session Description Protocol (SDP) information associated with the selected SIP message.
  - 4. A security device according to claim 1, wherein the hardened SIP stack is to repair a malformed message when it is determined that the malformed message is malformed due to a non-malicious error, and wherein the repaired message is not discarded as a malformed message.
  - 5. A security device according to claim 1, wherein a IP source is automatically added to the blacklist responsive to detecting a threshold number of SIP request messages from the SIP source within a threshold time period.
  - 6. A security device according to claim 1, wherein the firewall comprises a whitelist identifying SIP sources that are allowed to traverse the security device, and wherein all of the SIP user agents in the private network are included in the whitelist.
  - 7. A security device according to claim 1, wherein the Network Address Translator and Port Address Translator is to identify malformed Real-time Transport Protocol (RTP) messages by comparing a format of the RTP messages to a message specification and is to discard RTP messages identified as being malformed.
  - 8. A security device according to claim 1, wherein the Network Address Translator and Port Address Translator is to determine whether incoming Real-time Transport Protocol (RTP) messages are associated with a SIP session and is to discard RTP messages that are not associated with a SIP session.
  - 9. A security device according to claim 1, further comprising a virus scanner to scan incoming SIP and Real-time Transport Protocol (RTP) messages for malicious content and to discard SIP and/or RTP messages identified as comprising malicious content.
  - 10. A security device according to claim 1, wherein a first one of the plurality of security processes associates a SIP INVITE message from a SIP source with a session, and wherein the first security process discards subsequent SIP messages associated with the session that are not from the SIP source.
  - 11. A security device according to claim 1, wherein the security device populates a FROM header of an outbound SIP message originating from a SIP user agent in the private network with data from a subscriber database.
  - 12. A security device according to claim 1, wherein the security device is to discard incoming SIP REGISTER messages having a contact field comprising an address of the security device.
  - 13. A security device according to claim 1, wherein the admission control process identifies the resource requested by the session using a codec specified in a SIP INVITE message.
  - 14. A security device according to claim 1, wherein the admission control process identifies the resource requested by the session using a bandwidth specified in a SIP INVITE message.
  - 15. A security device according to claim 2 wherein the plurality of security processes includes a process to authenticate SIP REGISTER messages.
  - 16. A security device according to claim 5, wherein a domain of a SIP source is automatically added to the blacklist responsive to detecting a threshold number of SIP request messages from SIP sources in the domain within a threshold time period.
  - 17. A security device according to claim 5, wherein the SIP source address is added to the blacklist for a pre-determined time period and is removed from the blacklist when the pre-determined time period expires.
  - 18. A security device according to claim 6, wherein a SIP source in the public network is automatically added to the whitelist responsive to determining that a communication request originating from a SIP user agent in the private network was successfully received at the SIP source in the public network.
  - 19. A security device according to claim 15 wherein the firewall automatically adds SIP sources which violate at least one predefined rule to the blacklist of undesired SIP sources.

20. A method of providing security in a network including private and public network branches and providing SIP services, the method comprising:
- examining SIP messages received at a security device to detect and dispose of malformed SIP messages;
  
  examining each remaining SIP message to compare a source of the SIP message to a source on a blacklist of sources maintained at the security device and to discard SIP messages whose source is on the blacklist;
  
  identifying a resource requested for use by an external user agent in a session to be established by a selected SIP message, wherein the resource is identified using resource request information in the selected SIP message, determining whether to refuse the session before the session is established based on the identified resource, current resource utilization, and an admission control policy; and
  
  for each remaining SIP message performing network address alteration and/or port address alteration to hide addresses and ports on the private network branch from the public network branch.

21. A method of providing security for communications sessions established using Session Initiation Protocol (SIP), comprising:
- receiving at a computing device incoming SIP messages sent from SIP sources in a public network to SIP user agents in a private network;
  
  the computing device discarding each SIP message that originates from a SIP source that is on a blacklist; and
  
  for each incoming SIP INVITE message, identifying at the computing device a resource requested for use by an external user agent in a session to be established by the SIP INVITE message using resource request information in the SIP INVITE message, andthe computing device determining whether to refuse the session before the session is established based on the identified resource requested by the session, a current resource utilization level, and a pre-defined admission policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
WatchGuard Technologies Incorporated (Gladiator Corporation)
Original Assignee
WatchGuard Technologies Incorporated (Gladiator Corporation)
Inventors
Fogel, Richard Melvin
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Salehi, Helai

Application Number

US11/357,164
Publication Number

US 20070209067A1
Time in Patent Office

2,667 Days
Field of Search

726/11, 726/14, 713/154, 713/162, 380/264, 380/270, 370/356, 709/227
US Class Current

726/11
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

H04L 65/1079   of unsolicited session atte...

H04L 65/1101   Session protocols

H04L 65/1104   Session initiation protocol...

System and method for providing security for SIP-based communications

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing security for SIP-based communications

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links