1 Internet Telephony Network Security
At Media5, we use state-of-the-art security technologies to secure our units.
Therefore, when using Mediatrix Gateways for Internet telephony network applications, one can be
assured to be protected with the best security mechanisms and features available in the
In an Internet telephony network, there are two aspects that must be secured:
- customer communications
- network management
To provide security, the following must be tackled:
Furthermore, several security mechanisms are used in our Mediatrix products to ensure
1.1 Authentication
As defined in the Oxford Dictionary, authentication is the process or action of
verifying the identity of a user or process.
In an Internet telephony network, authentication lets the Mediatrix unit confirm that the
peer it is communicating with is the intended network or endpoint (unit or end-user device).
This protects communications because no exchange is allowed with a peer that fails
authentication.
1.2 X.509 Certificates
The Mediatrix unit uses digital certificates that follow the X.509 Public Key Infrastructure
(PKI) standard. A certificate binds a public key to the identity of an individual, computer,
or other network entity, and carries the signature of the issuer that vouches for that binding.
Certificates are the basis for authentication; the key pair they identify is what allows a TLS
connection to provide confidentiality and integrity, and a signature made with the matching
private key supports non-repudiation. The Public Key Infrastructure (PKI) is the set of rules,
specific to an environment, governing how certificates are issued, distributed, stored, and
revoked. It is the PKI that makes a signed certificate trustworthy.
Certificates are used to secure the following TLS based connections:
- Configuration Web pages
- File transfers (scripts, firmwares, etc.) with HTTPS
- Configuration using TR-069
- Wired Ethernet Authentication with EAP-TLS (802.1x)
The following information is available for each certificate:
- the certificate's name
- the issuer and issued-to names
- the validity period (the certificate is not valid before or after this period)
- the intended use (client or server)
- whether the certificate was issued by a Certification Authority (CA) or is self-signed
1.3 Transport Layer Security (TLS)
The Transport Layer Security protocol provides data privacy and integrity for computer
communications. In other words, it provides Unit Signaling Security and Communications
Security. TLS is a widely used security protocol that allows for:
- Server and Client authentication
- Data confidentiality
- Data integrity
TLS is used for:
- DGW Web Access
- HTTP-based Configuration/Firmware File Transfer
- SIP communications
- TR-069 (CWMP)
Once the peer's certificate has been validated, a secure TLS connection is established with that
peer. SIP, Hypertext Transfer Protocol Secure (HTTPS), and TR-069 can then be carried over the
TLS connection.
TLS also protects against man-in-the-middle attacks, but only if the peer's certificate is
actually validated against a trusted CA and the expected name; a connection that merely encrypts
without verifying the peer can still be intercepted.
The Mediatrix unit does not support a mix of both TLS and non-TLS links. Once TLS is enabled, it is enabled for all configured SIP gateways.
Some TLS parameters are available through the Web GUI, but several are not and must be set
through the CLI or a configuration script:
- Cipher Suite
- TLS version
- Certificate validation and trust level
For more details on these advanced parameters, refer to the Reference Guide.
1.4 Hypertext Transfer Protocol Secure (HTTPS)
HTTPS is a transfer protocol widely used to secure communications over the Internet.
HTTPS carries Hypertext Transfer Protocol (HTTP) traffic inside a connection encrypted by
Transport Layer Security
(TLS). HTTPS is mainly used to secure the content of a Web site and securely
A communication over HTTPS gives reasonable assurance that the peer reached is the intended one,
not an impostor, and that the data exchanged cannot be read or tampered with by a third party.
2 Communications Security
An important aspect of communications security is that data sent and received between
endpoints remains secure, reliable, and private at all times.
When configured for complete security, signaling is carried over TLS, authenticated with a
certificate, and the unit transports audio and video with Secure RTP (SRTP). Before the session
is established, the Mediatrix unit verifies that the peer's certificate is valid, i.e.:
- the current date and time fall within the certificate's validity period
- the certificate was issued by a recognised authority that is configured within the unit
- the certificate was issued for the expected IP address or FQDN
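The three checks listed above, as an added example that is not Media5's code: the policy part of peer-certificate validation (validity window, trusted issuer, name match against the configured FQDN or IP address) applied to already-parsed certificate fields. X.509 parsing itself is left to the TLS library; the dictionary layout is an assumption modelled on what Python's `ssl.getpeercert()` returns, with the dates already converted to datetimes, and the sample certificate is constructed.

```python
"""Peer-certificate policy checks: validity period, trusted issuer, name match.
Added example, not Media5 code. The field layout is an assumption modelled on
ssl.getpeercert(); SAMPLE_CERT is constructed and is not a real certificate."""
import ipaddress
from datetime import datetime, timezone


def utc(year, month, day):
    """Build a timezone-aware UTC timestamp (keeps the sample data readable)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def hostname_matches(pattern, host):
    """dNSName matching in the spirit of RFC 6125: case-insensitive, with a
    wildcard allowed only as the entire leftmost label. *.example.com matches
    sip.example.com but not a.b.example.com, example.com, or a bare TLD."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def validate_peer_cert(cert, expected_peer, trusted_issuers, now):
    """Return the list of policy failures; an empty list means the peer is accepted.
    expected_peer is the FQDN or IP address the unit was configured to reach."""
    failures = []
    if not (cert["not_before"] <= now <= cert["not_after"]):
        failures.append("outside validity period")
    if cert["issuer"] not in trusted_issuers:
        failures.append("issuer is not a CA configured in the unit")
    try:
        peer_ip = ipaddress.ip_address(expected_peer)
    except ValueError:
        peer_ip = None
    sans = cert.get("subjectAltName", ())
    if peer_ip is not None:
        # An IP peer must be listed as an iPAddress SAN; a dNSName that merely
        # looks like the address does not count.
        name_ok = any(kind == "IP Address" and ipaddress.ip_address(value) == peer_ip
                      for kind, value in sans)
    else:
        name_ok = any(kind == "DNS" and hostname_matches(value, expected_peer)
                      for kind, value in sans)
    if not name_ok:
        failures.append("certificate not issued for " + expected_peer)
    return failures


# Constructed sample certificate fields (not a real certificate).
SAMPLE_CERT = {
    "subject": "CN=sip.example.net",
    "issuer": "CN=Example Operator CA",
    "not_before": utc(2019, 1, 1),
    "not_after": utc(2020, 1, 1),
    "subjectAltName": (("DNS", "sip.example.net"), ("DNS", "*.sbc.example.net"),
                       ("IP Address", "192.0.2.10")),
}
TRUSTED = {"CN=Example Operator CA"}


def demo():
    """Run the checks for several peers and return the failure lists."""
    mid = utc(2019, 6, 1)
    return {
        "fqdn": validate_peer_cert(SAMPLE_CERT, "sip.example.net", TRUSTED, mid),
        "wildcard": validate_peer_cert(SAMPLE_CERT, "edge1.sbc.example.net", TRUSTED, mid),
        "deep_wildcard": validate_peer_cert(SAMPLE_CERT, "a.edge1.sbc.example.net", TRUSTED, mid),
        "ip": validate_peer_cert(SAMPLE_CERT, "192.0.2.10", TRUSTED, mid),
        "expired": validate_peer_cert(SAMPLE_CERT, "sip.example.net", TRUSTED, utc(2021, 1, 1)),
        "untrusted": validate_peer_cert(SAMPLE_CERT, "sip.example.net", {"CN=Other CA"}, mid),
    }


if __name__ == "__main__":
    for name, failures in demo().items():
        print(f"{name:14s} {'accepted' if not failures else failures}")
```

Note that the check deliberately does not fall back to the subject Common Name when no SAN matches, and that a peer configured by IP address is only accepted if the address appears as an iPAddress entry.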
The following diagram combines several use cases of communications security.
2.1 Unit Signaling Security
Signaling is the protocol that reaches a device located in the network and establishes
calls between peers.
To secure signaling, the Mediatrix unit connects to the network with SIP over TLS. The network
is authenticated by its certificate, which gives the Mediatrix unit assurance that it is connected
to a trusted network.
The network then authenticates the device with its username and password to make sure the
device is part of the network's subscriber list. This is done with SIP digest authentication,
so the password itself is never sent over the connection. Together these verifications provide
private and reliable communications between the network and the device: a third party on the
path cannot read the caller or callee numbers from the signaling, nor interfere with the call
setup.
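The digest exchange described above, as an added example that is not Media5's code: the registrar challenges with a nonce, the device answers with an MD5 digest over its credentials and the request (RFC 3261 section 22, which reuses HTTP Digest from RFC 2617), and the registrar verifies the response while rejecting stale or replayed nonces. The realm, user name and passwords are constructed.

```python
"""SIP Digest authentication: challenge, response and server-side verification.
Added example, not Media5 code. Realm, user and passwords are constructed."""
import hashlib
import hmac
import re
import secrets
import time


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """The 'response' value as computed by the client (RFC 2617 3.2.2.1)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")      # legacy form without qop


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header):
    """'Digest k="v", k2=v2, ...' -> dict of parameters."""
    body = header.split(" ", 1)[1] if header.startswith("Digest ") else header
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(body)}


class Registrar:
    """Server side: stores HA1 per user (never the clear password) and the
    nonces it issued, with the highest nonce-count accepted for each."""

    def __init__(self, realm, nonce_ttl=60.0):
        self.realm, self.nonce_ttl = realm, nonce_ttl
        self.ha1 = {}
        self.nonces = {}          # nonce -> [issued_at, highest nc]

    def add_user(self, username, password):
        self.ha1[username] = md5_hex(f"{username}:{self.realm}:{password}")

    def challenge(self, now=None):
        """WWW-Authenticate header value sent in a 401 Unauthorized."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [time.time() if now is None else now, 0]
        return f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth", algorithm=MD5'

    def verify(self, method, authorization, now=None):
        """Authorization header value -> True only if the request is authentic."""
        p = parse_digest(authorization)
        now = time.time() if now is None else now
        state = self.nonces.get(p.get("nonce"))
        if state is None or now - state[0] > self.nonce_ttl:
            return False                      # unknown or expired nonce
        if p.get("realm") != self.realm or p.get("qop") != "auth":
            return False
        try:
            nc = int(p["nc"], 16)
        except (KeyError, ValueError):
            return False
        if nc <= state[1]:
            return False                      # replayed nonce-count
        ha1 = self.ha1.get(p.get("username"))
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{p.get('uri', '')}")
        expected = md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p.get('cnonce', '')}:auth:{ha2}")
        if not hmac.compare_digest(expected, p.get("response", "")):
            return False
        state[1] = nc
        return True


def client_authorization(username, password, method, uri, challenge, nc=1):
    """Device side: turn the challenge into an Authorization header value."""
    c = parse_digest(challenge)
    cnonce, nc_str = secrets.token_hex(8), f"{nc:08x}"
    response = digest_response(username, c["realm"], password, method, uri,
                               c["nonce"], "auth", nc_str, cnonce)
    return (f'Digest username="{username}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc_str}, cnonce="{cnonce}", '
            f'response="{response}", algorithm=MD5')


def demo():
    """REGISTER exchange: good credentials, replay, wrong password, stale nonce."""
    reg = Registrar("sip.example.com")
    reg.add_user("1001", "s3cret-device-pw")
    www_auth = reg.challenge(now=100.0)
    uri = "sip:sip.example.com"
    good = client_authorization("1001", "s3cret-device-pw", "REGISTER", uri, www_auth)
    bad = client_authorization("1001", "guess", "REGISTER", uri, www_auth, nc=2)
    late = client_authorization("1001", "s3cret-device-pw", "REGISTER", uri, www_auth, nc=3)
    return {"valid": reg.verify("REGISTER", good, now=101.0),
            "replayed": reg.verify("REGISTER", good, now=102.0),
            "wrong_password": reg.verify("REGISTER", bad, now=103.0),
            "expired_nonce": reg.verify("REGISTER", late, now=200.0)}
```

The password never crosses the network, but the digest is only as strong as the password and MD5, which is why the page pairs it with SIP over TLS: an attacker who cannot see the exchange cannot attempt offline guessing against it.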
2.2 Media Security
Media is voice, video, or data exchanged between 2 endpoints during a
To secure media routed from one endpoint to another, a secret encryption key unique to that
exchange is generated. The key is exchanged during signaling, over the TLS connection, so that
it is never sent in clear. Once the key has been exchanged, the endpoints communicate directly
with each other using SRTP.
As a result, the voice, video or data cannot be decrypted by anyone other than the endpoints
involved in the communication, and a third party cannot eavesdrop on the media. This holds as
long as the signaling leg that carries the key is itself protected by TLS; an intermediary that
terminates that leg, such as a session border controller converting between RTP and SRTP,
necessarily holds the key.
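The key exchange described above, as an added example that is not Media5's documentation or code: SDES keying (RFC 4568), where the offerer generates a fresh master key and salt for the session, sends them base64-encoded in an SDP `a=crypto` line, and the answerer validates the line and answers with its own key for the return direction. Because the attribute carries the key in clear inside the SDP body, the answerer here refuses to proceed unless the signaling leg is TLS. The suite table, the transport label and the offer lines are assumptions.

```python
"""SRTP keying through SDP (SDES, RFC 4568): offer, validation and answer.
Added example, not Media5 code. SUITES, the transport label and the sample
offer are constructed."""
import base64
import re
import secrets

# suite -> (master key length, master salt length) in bytes
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
}

_CRYPTO = re.compile(
    r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/]+={0,2})((?:\|[^\s|]+)*)\s*$")


def format_crypto_attribute(tag, suite, material, lifetime=None):
    """Build the SDP line from raw key||salt bytes (validation is the parser's job)."""
    line = f"a=crypto:{tag} {suite} inline:{base64.b64encode(material).decode('ascii')}"
    return line if lifetime is None else f"{line}|{lifetime}"


def new_crypto_attribute(tag, suite):
    """Offerer side: a fresh random master key + salt used for this session only."""
    key_len, salt_len = SUITES[suite]
    material = secrets.token_bytes(key_len + salt_len)
    return format_crypto_attribute(tag, suite, material), material


def parse_crypto_attribute(line):
    """Answerer side: validate one a=crypto line; raise ValueError if unusable."""
    m = _CRYPTO.match(line)
    if m is None:
        raise ValueError("malformed a=crypto line")
    tag, suite, b64, extra = m.groups()
    if suite not in SUITES:
        raise ValueError(f"unsupported crypto suite {suite}")
    try:
        material = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError("key material is not valid base64") from exc
    key_len, salt_len = SUITES[suite]
    if len(material) != key_len + salt_len:
        raise ValueError(f"expected {key_len + salt_len} key bytes, got {len(material)}")
    lifetime = None
    for param in extra.split("|")[1:]:
        if re.fullmatch(r"2\^\d+|\d+", param):
            lifetime = param                      # packet lifetime, e.g. 2^20
        elif not re.fullmatch(r"\d+:\d+", param):  # MKI:length accepted, unused here
            raise ValueError(f"unknown key parameter {param}")
    return {"tag": int(tag), "suite": suite, "master_key": material[:key_len],
            "master_salt": material[key_len:], "lifetime": lifetime}


def answer_offer(offer_lines, signaling_transport):
    """Pick the first usable offered line and answer it with our own key;
    each direction of the call gets its own master key."""
    if signaling_transport.upper() != "TLS":
        raise ValueError("SDES keys would travel in clear over " + signaling_transport)
    for line in offer_lines:
        try:
            inbound = parse_crypto_attribute(line)
        except ValueError:
            continue
        answer_line, outbound = new_crypto_attribute(inbound["tag"], inbound["suite"])
        return {"answer": answer_line, "recv": inbound, "send": outbound}
    raise ValueError("no acceptable a=crypto line in the offer")


def demo():
    """Constructed offer with one unsupported and one usable line, plus rejects."""
    offer = [format_crypto_attribute(1, "F8_128_HMAC_SHA1_80", b"\x00" * 30),
             format_crypto_attribute(2, "AES_CM_128_HMAC_SHA1_80", b"\x11" * 30, lifetime="2^20")]

    def rejected(fn, *args):
        try:
            fn(*args)
            return False
        except ValueError:
            return True

    return {
        "answer": answer_offer(offer, "TLS"),
        "short_key_rejected": rejected(
            parse_crypto_attribute, format_crypto_attribute(1, "AES_CM_128_HMAC_SHA1_80", b"x" * 20)),
        "bad_base64_rejected": rejected(
            parse_crypto_attribute, "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:!!!!"),
        "udp_rejected": rejected(answer_offer, offer, "UDP"),
    }
```

The master key and salt returned here still have to be run through the SRTP key derivation (AES-CM) to obtain the session keys; that step belongs to the SRTP stack and is not shown.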
2.3 Denial of Service Attacks
A Denial of Service (DoS) attack is an attempt to make a machine or network resource
unavailable by overloading it with useless traffic, temporarily or indefinitely interrupting
the services of a user connected to the Internet.
Mediatrix units mitigate DoS attacks with firewalls (see Firewalls) and with the Sbc service.
2.4 Sbc Service
The Sbc service, available only on the Mediatrix Sentinel series, offers major security
- set a demarcation point to protect your private network topology information by
substituting the IP addresses and the identifiers with aliases.
- secure the communications between the public and the private network by converting
signaling between UDP/TCP and Transport Layer Security (TLS)
- secure the media by converting it from RTP to SRTP.
- protect against Denial of Service attacks (see Denial of Service Attacks) by
automatically blacklisting peers attempting to connect at a frequency higher than
3 Management Security
An important aspect of management security is that the data used for operation,
administration, maintenance, provisioning, and troubleshooting (OAMPT) of the CPE device
remains private and secure at all times while management tasks are being carried out.
Mediatrix units can be configured with different tools, but in every case the data is
protected, either by passwords or by Transport Layer Security (TLS).
3.1 TR-069 Remote Management
TR-069, also known as CWMP, is a Broadband Forum technical specification. This
protocol can be used to remotely monitor and update customer-premise equipment configurations and
Simply said, TR-069 defines a protocol to remotely and automatically configure and manage
Mediatrix devices with Auto Configuration Servers (ACS).
Because the data used to remotely manage end-user devices includes personal and private
information (for instance usernames and passwords), it is vital that the communication channel
be secured and that the device always be authenticated by the ACS.
Over HTTPS, the device authenticates the ACS by verifying the ACS certificate, and the ACS
verifies the device's identity with a password that can be changed at each session.
3.2 Password Protection
The unit configuration is password-protected.
Access to the unit configuration is restricted on every interface by a password, i.e. a
password is required for each management channel (TR-069, SNMPv3, etc.). Passwords can be
stored locally or managed centrally through RADIUS.
3.3 Security Using a Customer Profile
A profile is a factory customisation where parameter values, skins, and branding are
defined specifically for a customer.
The customer profile can include security information such as:
- default administrator accounts and password protection
- security parameters to be activated
- specific services to activate or not
- TR-069 Remote Management
- force secure access only (HTTPS and SSH)
- set/disable management options:
- encrypt configuration scripts for remote management using custom private keys
3.4 Configuration Scripts
Carriers and service providers usually define a configuration that applies to a large
number of units and matches the network architecture. A configuration script is the text file
that groups the commands and parameter values producing that configuration.
To enforce security, configuration scripts can be encrypted; only Mediatrix units holding the
matching key are able to decrypt and apply the configuration settings.
Furthermore, configuration scripts can be downloaded and uploaded using Hypertext Transfer Protocol Secure (HTTPS).
3.5 Command Line Interface (CLI)
The Command Line Interface (CLI) provides access to interactively configure all the
Mediatrix unit parameters.
The CLI is accessed through either a secure SSH session (the default) or an insecure Telnet
session. Over SSH, all traffic between client and server is encrypted before being sent over
the network, so packet sniffers cannot extract user names, passwords, or other sensitive data.
SSH is the default and recommended way to access the Command Line Interface; Telnet sends
everything, credentials included, in clear.
The command interpreter interface of the CLI allows the user to browse the unit parameters,
write the command lines, and display the system's notification log.
3.6 Simple Network Management Protocol (SNMP)
The Simple Network Management Protocol (SNMP) allows you to configure and monitor the
device parameters inside a network.
Mediatrix units support SNMPv3, which authenticates and encrypts the management traffic. This
provides secure connections between Mediatrix devices and an Element Management System (EMS).
SNMPv3 is an interoperable, standards-based protocol defined in RFCs 3413 to 3415.
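What the SNMPv3 authentication above rests on, as an added example that is not Media5's code: the User-based Security Model of RFC 3414 stretches the user's password into a key, localizes that key to each device's snmpEngineID, and uses the localized key for the HMAC-96 tag on every message, so a key recovered from one unit is useless against another. The first engine ID and the password reproduce the RFC 3414 appendix A test vectors; the second engine ID and the sample message are constructed.

```python
"""SNMPv3 USM (RFC 3414): password-to-key, key localization, HMAC-96 tag.
Added example, not Media5 code. OTHER_ENGINE and SAMPLE_MSG are constructed;
RFC_ENGINE with password "maplesyrup" is the RFC 3414 appendix A vector."""
import hashlib
import hmac


def password_to_key(password, hash_name):
    """RFC 3414 A.2: hash exactly 1,048,576 bytes of the repeated password."""
    reps, rem = divmod(1_048_576, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(key, engine_id, hash_name):
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, key + engine_id + key).digest()


def auth_tag(localized_key, message, hash_name):
    """HMAC-96 (RFC 3414 6.3 and 7.3): HMAC over the whole message, computed with
    msgAuthenticationParameters zeroed, truncated to 12 bytes."""
    return hmac.new(localized_key, message, hash_name).digest()[:12]


def usm_user(password, engine_ids, hash_name):
    """Manager side: one localized key per engine; the clear password is not
    needed once this table exists."""
    ku = password_to_key(password, hash_name)
    return {engine_id: localize_key(ku, engine_id, hash_name) for engine_id in engine_ids}


RFC_ENGINE = bytes.fromhex("000000000000000000000002")      # RFC 3414 A.3 vector
OTHER_ENGINE = bytes.fromhex("800000020300163e2a1c5fb0")    # constructed second unit
SAMPLE_MSG = b"\x30\x20\x02\x01\x03" + b"\x00" * 27          # constructed, not a real PDU


def demo():
    """Derive keys for two engines and tag the same message with each."""
    keys = usm_user(b"maplesyrup", [RFC_ENGINE, OTHER_ENGINE], "sha1")
    md5_ku = password_to_key(b"maplesyrup", "md5")
    return {
        "md5_ku": md5_ku.hex(),
        "md5_kul": localize_key(md5_ku, RFC_ENGINE, "md5").hex(),
        "sha1_kul": keys[RFC_ENGINE].hex(),
        "other_kul": keys[OTHER_ENGINE].hex(),
        "tag_rfc": auth_tag(keys[RFC_ENGINE], SAMPLE_MSG, "sha1").hex(),
        "tag_other": auth_tag(keys[OTHER_ENGINE], SAMPLE_MSG, "sha1").hex(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10s} {value}")
```

Localization is the reason an EMS needs the engine ID of each unit before it can talk to it, and also why a management station should never store the clear password once the localized keys are derived.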
Firewalls allow you to create and configure rules that filter packets, so that only traffic
from trusted senders is accepted.
The Mediatrix units support two types of firewalls:
- Local firewalls to filter incoming packets that have the Mediatrix unit as
- Network firewalls to filter packets forwarded by the Mediatrix unit used as a router to
secure the traffic routed to the devices inside the network.
The local firewall is a security feature that allows you to protect your Mediatrix unit from
receiving packets from unwanted or unauthorised peers. The local firewall, by default, drops
all incoming packets and lets incoming packets go through only if they match the requirement
of a rule.
The network firewall provides a means to dynamically create and configure rules to filter
packets forwarded by the unit. Since this is a network firewall, rules only apply to packets
forwarded by the unit. The traffic is analysed and filtered by all the rules configured.
Firewalls provide protection against Denial of Service attacks by keeping the connection
frequency under configurable thresholds and by sending faulty peers to a
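The local firewall behaviour described in this section and the automatic blacklisting described for the Sbc service (2.4), as one added example that is not Media5's code: a default-drop rule set, a per-peer connection-rate threshold, and a timed blacklist for peers that exceed it, replayed over a constructed packet log. The rule syntax, thresholds, addresses and timings are assumptions.

```python
"""Local firewall: default drop, allow rules, per-peer rate threshold, blacklist.
Added example, not Media5 code. Rules, thresholds and PACKETS are constructed."""
import ipaddress
from collections import defaultdict, deque


class LocalFirewall:
    def __init__(self, allow_rules, max_per_window, window_s, blacklist_s):
        # each rule: (source network, protocol, destination port or None for any)
        self.rules = [(ipaddress.ip_network(net), proto, port) for net, proto, port in allow_rules]
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.blacklist_s = blacklist_s
        self.history = defaultdict(deque)   # peer -> timestamps inside the window
        self.blacklist = {}                 # peer -> time at which the ban expires

    def _allowed_by_rule(self, src, proto, dport):
        return any(src in net and proto == p and port in (None, dport)
                   for net, p, port in self.rules)

    def check(self, t, src, proto, dport):
        """Verdict for one inbound packet addressed to the unit itself."""
        src = ipaddress.ip_address(src)
        expiry = self.blacklist.get(src)
        if expiry is not None:
            if t < expiry:
                return "drop:blacklisted"
            del self.blacklist[src]          # ban expired, peer gets a fresh start
        if not self._allowed_by_rule(src, proto, dport):
            return "drop:default"            # no rule matched: default policy is drop
        seen = self.history[src]
        seen.append(t)
        while seen and t - seen[0] > self.window_s:
            seen.popleft()
        if len(seen) > self.max_per_window:
            self.blacklist[src] = t + self.blacklist_s
            seen.clear()
            return "drop:rate-limit"
        return "accept"


def replay(fw, packets):
    """Feed a (time, source, protocol, port) log through the firewall in order."""
    return [(t, src, fw.check(t, src, proto, port)) for t, src, proto, port in packets]


# Constructed packet log: (time in seconds, source, protocol, destination port)
PACKETS = (
    [(0.0, "198.51.100.7", "tcp", 5061)]                          # allowed SIP-over-TLS peer
    + [(0.1 * i, "203.0.113.9", "udp", 5060) for i in range(8)]   # flooding peer: 8 hits in 0.7 s
    + [(1.0, "192.0.2.44", "tcp", 443),                           # no rule for this source
       (2.0, "203.0.113.9", "udp", 5060),                         # still banned
       (12.0, "203.0.113.9", "udp", 5060)]                        # ban expired
)


def demo():
    fw = LocalFirewall(
        allow_rules=[("198.51.100.0/24", "tcp", 5061), ("203.0.113.0/24", "udp", 5060)],
        max_per_window=5, window_s=1.0, blacklist_s=10.0)
    return replay(fw, PACKETS)


if __name__ == "__main__":
    for t, src, verdict in demo():
        print(f"t={t:5.1f} {src:14s} {verdict}")
```

The sixth packet inside the one-second window trips the threshold, and every later packet from that peer is dropped without touching the rule table until the ban expires, which is what keeps a flood cheap to absorb.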
6 DGW Documentation
Mediatrix units are supplied with an exhaustive set of documentation.
Mediatrix user documentation is available on the
Several types of documents were created to clearly present the information you are looking for.
Our documentation includes:
- Release notes
: Generated at each GA release, this document includes the known and
solved issues of the software. It also outlines the changes and the new features the release
- Configuration notes
: These documents are created to facilitate the configuration of a
specific use case. They address a configuration aspect we consider that most users will need to
perform. However, in some cases, a configuration note is created after receiving a question
from a customer. They provide standard step-by-step procedures detailing the values of the
parameters to use. They provide a means of validation and present some conceptual information.
The configuration notes are specifically created to guide the user through an aspect of the
- Technical bulletins
: These documents are created to facilitate the configuration of a
specific technical action, such as performing a firmware upgrade.
- Hardware installation guide
: It provides the detailed procedure on how to safely and
adequately install the unit, with information on card installation, cable connections,
and how to access the Management interface for the first time.
- User guide
: The user guide explains how to customise to your needs the configuration
of the unit. Although this document is task oriented, it provides conceptual information to
help the user understand the purpose and impact of each task. The User Guide will provide
information such as where and how TR-069 can be configured in the Management Interface,
how to set firewalls, or how to use the CLI to configure parameters that are not available in
the Management Interface.
- Reference guide
: This exhaustive document has been created for advanced users. It
includes a description of all the parameters used by all the services of the Mediatrix units.
You will find, for example, scripts to configure a specific parameter, notification messages
sent by a service, or an action description used to create Rulesets. This document includes
reference information such as a dictionary, and it does not include any step-by-step
7 Copyright Notice
Copyright © 2019 Media5 Corporation.
This document contains information that is proprietary to Media5 Corporation.
Media5 Corporation reserves all rights to this document as well as to the Intellectual Property
of the document and the technology and know-how that it includes and represents.
This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever,
without written prior approval by Media5 Corporation.
Media5 Corporation reserves the right to revise this publication and make changes at any time
and without the obligation to notify any person and/or entity of such revisions and/or