Nortel Networks MCP 1.1 FP1(02.02) User Manual
44
Security and Administration
NN10035-111 Standard MCP 1.1 FP1 (02.02) April 2003
Copyright © 2003, Nortel Networks
Nortel Networks Confidential
As multimedia sessions are initiated, a port is chosen from the port pool
associated with the selected blade. When a multimedia session
completes, its associated ports are deallocated from the pool and
new replacement ports are allocated to the pool in their place. Because a
released port is not simply handed back, the deallocation of used ports
and allocation of fresh replacement ports randomizes the contents of each
blade's port pool over time.
NAPT function
In order to obscure the private network topology, the RTP Media Portal
uses the NAPT functionality to secure the multimedia sessions so that
there is no leakage of topology information.
This is achieved by maintaining a list of media ports (NAPT table) which
are being used within active multimedia sessions. Only packets which
arrive on these active ports are processed. Packets which arrive on
non-active ports are rejected and logged as potential problems.
RTP Media Portal component level security functions
The RTP Media Portal component also contributes to system security
by opening and closing media ports only in response to requests from
the SIP Application Module (which has pre-authenticated such
requests) and by rejecting any unauthorized packets on an active
connection.
Authenticated requests
All requests to manipulate the media resources on the RTP Media
Portal originate from the SIP Application Module. The SIP Application
Module ensures that all requests are made by, or made to, a valid
service subscriber. In this way, the SIP Application Module effectively
authenticates all requests.
In addition, the portion of the RTP Media Portal which processes these
requests to manipulate the media resources resides safely within the
private network.
Packet filter/firewall
As packets are received from the public network, the RTP Media Portal
analyzes each packet to ensure the following:
• the data format is RTP/RTCP/UDP (as indicated by the session
description). All other packet types are discarded and logged as
problems.
• the source/destination addresses match the expected
source/destination addresses indicated in the session description.
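The following is an added illustration, not code from Nortel or from the MCP product, of the three mechanisms this section describes working together: a per-blade port pool that is replenished with fresh ports rather than recycling released ones, a NAPT table of active media ports, and the per-packet filter that checks protocol, RTP/RTCP framing and the expected peer address before forwarding. The port range, pool size, the even-port convention and the use of a simple (ip, port) tuple as the "session description" are assumptions made for the example; only the RTP/RTCP version-field check (both carry version 2 in the top two bits of the first byte, RFC 3550) is taken from the protocol itself.

```python
import logging
import random
from dataclasses import dataclass

log = logging.getLogger("rtp_media_portal")


@dataclass
class MediaSession:
    """One active media leg: the local port opened for it and the peer
    address the session description says traffic must come from."""
    local_port: int
    remote_addr: tuple  # (ip, port), assumed shape of the session description


def looks_like_rtp(payload: bytes) -> bool:
    """RTP and RTCP (RFC 3550) both set the 2-bit version field to 2.
    8 bytes is the smallest RTCP packet (header plus SSRC)."""
    return len(payload) >= 8 and (payload[0] >> 6) == 2


class MediaPortal:
    """Toy model of one blade: its free-port pool and its NAPT table."""

    def __init__(self, port_range=(16384, 32767), pool_size=8, seed=None):
        self.rng = random.Random(seed)          # seeded only for reproducibility
        self.lo, self.hi = port_range           # assumed media port range
        self.pool_size = pool_size              # assumed pool depth per blade
        self.pool = []                          # free ports available to new sessions
        self.napt = {}                          # NAPT table: local port -> MediaSession
        while len(self.pool) < self.pool_size:
            self._replenish()

    def _replenish(self):
        """Draw a fresh even port (RTP convention) that is neither pooled nor active."""
        while True:
            p = self.rng.randint(self.lo, self.hi)
            if p % 2 == 0 and p not in self.pool and p not in self.napt:
                self.pool.append(p)
                return p

    def open_session(self, remote_addr):
        """Open a media port. In the real system this is only ever invoked on a
        request that the SIP Application Module has already authenticated."""
        if not self.pool:
            raise RuntimeError("port pool exhausted")
        port = self.pool.pop(self.rng.randrange(len(self.pool)))
        self.napt[port] = MediaSession(port, remote_addr)
        return port

    def close_session(self, port):
        """Deallocate the port and top the pool up with a replacement rather
        than returning the released port, so the pool's contents keep changing."""
        self.napt.pop(port)
        self._replenish()

    def accept(self, local_port, src_addr, proto, payload) -> bool:
        """Packet filter for traffic arriving from the public network.
        Returns True if the packet is forwarded, False if rejected (and logged)."""
        sess = self.napt.get(local_port)
        if sess is None:
            log.warning("drop: packet on non-active port %d from %s", local_port, src_addr)
            return False
        if proto != "udp" or not looks_like_rtp(payload):
            log.warning("drop: non-RTP/RTCP/UDP data on port %d from %s", local_port, src_addr)
            return False
        if src_addr != sess.remote_addr:
            log.warning("drop: port %d expected %s, got %s", local_port, sess.remote_addr, src_addr)
            return False
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    portal = MediaPortal(seed=7)
    peer = ("198.51.100.10", 40000)               # constructed peer from the session description
    port = portal.open_session(peer)
    # constructed RTP packet: V=2, PT=96, seq 1, zero timestamp, SSRC 0xdeadbeef, 20 payload bytes
    rtp = bytes([0x80, 0x60, 0, 1, 0, 0, 0, 0, 0xDE, 0xAD, 0xBE, 0xEF]) + b"\x00" * 20
    print("good packet forwarded:", portal.accept(port, peer, "udp", rtp))
    print("wrong source rejected:", portal.accept(port, ("203.0.113.5", 40000), "udp", rtp))
    print("SIP text on media port rejected:",
          portal.accept(port, peer, "udp", b"INVITE sip:alice@example.com SIP/2.0"))
    print("inactive port rejected:", portal.accept(port + 1, peer, "udp", rtp))
    portal.close_session(port)
```

The filter is deliberately ordered the way the section orders it: membership in the NAPT table first (so probes of unused ports are dropped before any parsing), then framing, then the address comparison. Note that the version-field check is a sanity check on framing only; it does not authenticate the sender, which is why the address match from the signalled session description is still required.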