Summary

H.323 has developed ahead of the other VoIP protocols. Because of the openness of the Internet and the lack of effective monitoring, and because of weaknesses in the H.323 protocol family itself, network security poses many threats to H.323 systems. This article first introduces the security threats facing H.323 systems, then analyses H.323 network security in detail, and finally introduces the state of the relevant international and domestic standards.

With the rapid development of the Internet, VoIP services have been widely deployed. Because H.323 was developed early and operators shared a consistent view of how to run it, its development is far ahead of the other VoIP protocols, and a large number of H.323 networks have been deployed and are in operation. At present the vast majority of VoIP operations are based on the H.323 protocol family. However, the openness of the Internet, the lack of effective monitoring, and weaknesses in the H.323 protocol family itself bring a number of threats to H.323 systems and seriously impede the development of H.323. The main security threats fall into the following areas:

Denial of service attacks. These are denial of service attacks against open ports. A high volume of TCP synchronize (SYN) or Internet Control Message Protocol (ICMP) packets aimed at key equipment in the H.323 system can disrupt communications so that normal service cannot be provided.

Theft of service. This is mainly unauthorized access, including identity theft, in which an attacker impersonates a legitimate user, and impersonation of legitimate network nodes in order to deceive network services.

Signaling stream attacks. Because H.323 control signaling is open, anyone able to monitor the network can listen to the H.323 signaling stream. A malicious user can intercept and tamper with signaling packets in transit and modify packet fields so that the H.323 call no longer works; this introduces threats such as session hijacking, man-in-the-middle attacks and call tracing.

Media stream monitoring. In H.323 systems, RTP/RTCP is the protocol that carries voice over the IP network. Because the protocol itself is open, a malicious user monitoring the network can capture the media stream, and if the content of the media stream can be understood, its confidentiality is compromised.

As network security has become the greatest concern of those using IP networks, it has likewise become the most important problem facing H.323 systems. It is fair to say that if the network security problem is not solved, not only will H.323 have no future development prospects, but existing H.323 deployments will soon lose their vitality.

1. H.323 network security architecture

To enhance the network security of H.323 systems, international and domestic standards organizations and the relevant manufacturers have carried out active research on H.323 network security. Figure 1 is a schematic diagram of the H.323 network security architecture; the shaded parts are the areas within the scope of H.323 security research.

Figure 1: H.323 network security architecture

As can be seen from Figure 1, H.225.0 and H.245 are the core protocols of the H.323 system. H.225.0 is used for call control and has two parts: registration, admission and status (RAS) and call signaling. RAS is mainly used to carry terminal registration information, authentication information and call processing information. The call signaling protocol is based on Q.931 and is mainly used to complete call setup. H.245 is used for media control, mainly to establish, maintain and release the media stream channels. RTCP is the real-time transport control protocol for the media stream, and RTP is the real-time transport protocol for the media stream. Secure transmission of the media stream relies on the encryption algorithm and keys negotiated over the H.245 channel.

Communication between H.323 endpoints generally goes through three control processes: RAS, call control (call signaling) and connection control (H.245). For H.323 to operate securely, the RAS messages exchanged between the terminal or MCU and the gatekeeper must first be secured so that registration is secure, ensuring that only legitimate users can use H.323 services and the resources they are authorized for, such as international or long-distance service. On the basis of secure RAS, a secure call signaling channel (H.225.0) and call control channel (H.245) can be established, and on that basis the encryption algorithm and keys for the RTP media stream can be negotiated so that the media stream remains confidential.

2. Specific security solutions

There are two main security mechanisms for H.323 network security: a secure channel at the network or transport layer (such as IPSec, SSL or TLS) that protects H.323 from outside, or security mechanisms added to the signaling of the H.323 protocol family itself, so that the channel can negotiate a variety of security capabilities. In practice, H.323 network security can combine the two mechanisms according to the actual network environment. Because a secure channel is a general-purpose security measure that protects H.323 only from outside and has little to do with the H.323 protocol family itself, this article focuses on the second mechanism: security added to the signaling of the H.323 protocol stack itself. As shown in Figure 1, H.323 security research mainly includes the following parts: terminal registration security, call connection security, call control security, media stream confidentiality and key management security.

1. Terminal registration security

Registration security is mainly embodied in terminal authentication and integrity; it does not include the confidentiality of the information exchanged between gatekeeper and endpoint. There are mainly three methods:

(1) password + symmetric encryption authentication algorithm
(2) password + hash authentication algorithm
(3) certificate + digital signature authentication algorithm

All three methods can achieve one-way authentication (terminal to gatekeeper) or two-way authentication. Each method can be based either on a timestamp, using a two-message handshake protocol, or on challenge/response, using a three-message handshake protocol. For the timestamp mechanism, the terminal and the gatekeeper must share an acceptable time base; the amount of time deviation that is acceptable is decided by the local implementation. The challenge/response protocol uses a randomly generated number as an unpredictable challenge from the authenticating party. Each method requires that the identifiers of the terminal and the gatekeeper be known. The timestamp mechanism must keep its time granularity fine in order to prevent message replay attacks.

2. Call connection security Call
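The two handshake shapes described for terminal registration (timestamp with a bounded time window, and random challenge/response), modelled for the password + hash method with replay rejection on the gatekeeper side. This is an added example, not code from any H.323 implementation; the names WINDOW, Gatekeeper and the endpoint_* helpers, and the message layout, are assumptions for the sketch.

```python
import hashlib
import hmac
import os
# Constructed example, not code from any H.323 implementation; WINDOW,
# Gatekeeper and the endpoint_* helpers are names assumed for this sketch.
WINDOW = 30.0  # acceptable clock deviation in seconds; a local policy choice

def endpoint_timestamp_token(endpoint_id, password, timestamp):
    # Two-message handshake, endpoint side: hash identifier + timestamp with the shared password.
    msg = f"{endpoint_id}|{timestamp:.3f}".encode()
    return hmac.new(password.encode(), msg, hashlib.sha256).hexdigest()

def endpoint_challenge_response(endpoint_id, password, nonce):
    # Three-message handshake, endpoint side: hash identifier + gatekeeper's challenge.
    msg = f"{endpoint_id}|{nonce}".encode()
    return hmac.new(password.encode(), msg, hashlib.sha256).hexdigest()

class Gatekeeper:
    def __init__(self, passwords):
        self.passwords = passwords  # endpoint identifier -> shared password
        self.seen = {}              # replay cache: (endpoint_id, token) -> timestamp
        self.pending = {}           # endpoint_id -> outstanding challenge nonce

    def verify_timestamp_auth(self, endpoint_id, timestamp, token, now):
        # Two-message handshake: accept only inside the window and only once per token.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= WINDOW}
        password = self.passwords.get(endpoint_id)
        if password is None or abs(now - timestamp) > WINDOW:
            return False  # unknown endpoint, or its clock is too far from ours
        if (endpoint_id, token) in self.seen:
            return False  # same token presented again inside the window: replay
        expected = endpoint_timestamp_token(endpoint_id, password, timestamp)
        if not hmac.compare_digest(expected, token):
            return False
        self.seen[(endpoint_id, token)] = timestamp
        return True

    def issue_challenge(self, endpoint_id):
        # Three-message handshake, step 1: an unpredictable random challenge.
        nonce = os.urandom(16).hex()
        self.pending[endpoint_id] = nonce
        return nonce

    def verify_challenge_response(self, endpoint_id, response):
        # Step 3: each challenge is consumed, so a response cannot be replayed.
        nonce = self.pending.pop(endpoint_id, None)
        password = self.passwords.get(endpoint_id)
        if nonce is None or password is None:
            return False
        expected = endpoint_challenge_response(endpoint_id, password, nonce)
        return hmac.compare_digest(expected, response)
```

The replay cache only needs to remember tokens for as long as the time window, since anything older is rejected by the window check itself.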