Top
Transport Layer Security (TLS)
The Transport Layer Security protocol provides data privacy and integrity for computer network communications.
- Server and Client authentication
- Data confidentiality
- Data integrity
- DGW Web Access
- HTTP-based Configuration/Firmware File Transfer
- 802.1X
- SIP communications
- TR-069 (CWMP)
-
- Cipher Suite
- TLS version
- Certificate validation and trust level
For more details on advanced parameters, refer to Transport Layer Security (TLS) Parameters.
Top
X-509 Certificates
The Mediatrix unit uses digital X-509 certificates which are based on the international X.509 public key infrastructure (PKI) standard. The certificates are a collection of data used to verify the identity of individuals, computers, and other entities on a network.
X.509 certificates provide guaranties on confidentiality, authentication, integrity, and non-repudiation. It is the Public Key Infrastructure (PKI) which includes hardware, procedures, and software than manages the certificates. The PKI also provides public-key encryption. Therefore, the Public Key Infrastructure provides information that can guaranty that the signed certificates can be trusted.
- SIP
- Configuration web pages
- File transfers (scripts, firmwares, etc.) with HTTPS
- Configuration using TR-069
- Wired Ethernet Authentication with EAP (802.1x)
- the certificate's name
- the issuer and issued to names
- the validity period (the certificate is not valid before or after this period)
- the use of certificates (TlsClient or TlsServer)
- whether or not the certificate is owned by a Certification Authority (CA)
Top
Hypertext Transfer Protocol Secure (HTTPS)
HTTPS is a transfer protocol widely used to secure communications over Internet telephony networks.
HTTPS allows for communications over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS). HTTPS is mainly used to secure the content of a Web site and securely transfer files.
A communication using HTTPS reasonably guaranties that the targeted peer is the proper one, not an impostor, and that media cannot be read or tampered by any third-party.
Top
TR-069 or CPE WAN Management Protocol (CWMP)
The Technical Report 069 (TR-069), also known as CWMP, is a Broadband Forum technical specification. This protocol can be used to monitor and update the Mediatrix unit configurations and firmware. In other words, when using TR-069, the Mediatrix unit can get in contact with an Auto Configuration Server (ACS) to initiate a configuration script transfer/execution and a firmware upgrade.
The first time the Mediatrix unit is connected to the network, it will attempt to contact the Auto Configuration Server (ACS), which is the entry point for the administrator. The Mediatrix unit will obtain the URL of the ACS using either the DHCP server with option 43 or by retrieving the information directly from the Customer's Profile. Therefore, upon start-up, the Mediatrix unit will contact the ACS, which in return will send the required configuration files and initiate, if necessary, a firmware update. This automated sequence is what is referred to as zero-touch, as the Mediatrix unit is automatically configured by the ACS according to the instructions given by the administrator without manual intervention on the unit.
- verify if new configurations are available,
- verify if a new firmware update is available and
- send notifications for monitoring purposes.
- Passive: the information is sent according to the schedule.
- Active: the information is sent immediately when a parameter status changes, regardless of the periodic schedule.
Furthermore, the administrator can initiate a connection to the Mediatrix unit to perform immediate maintenance or monitoring. This will only be possible if the NAT firewall has been configured to allow communications initiated by the ACS.
The TR-069 protocol can be activated on units that are already deployed with a licence key (For more details on licences refer to theTechnical Bulletin - How to activate a licence on a Mediatrix unit published on the Media5 Documentation Portal). However, it can be enabled/disabled for a specific configuration via the Management interface.
- SetParameterValues
- GetParameterValues
- AddObject
- DeleteObject
- Download
- Reboot
- Upload
- FactoryReset
Top
Authentication
As defined in the Oxford Dictionary, authentication is the process or action of verifying the identity of a user or process.
In an Internet telephony network environment, authentication will allow the Mediatrix unit to make sure the peer it is communicating with is the proper network or endpoint (unit or end-user device). This provides a level of security for communications as no communication will be allowed if the authentication is not confirmed.
Top
SIP over TLS
SIP Transport Types
You can globally set the transport type for SIP all the endpoints of the Mediatrix unit to either UDP (User Datagram Protocol), TCP (Transmission Control Protocol), or TLS (Transport Layer Security).
Please note that RFC 3261 states the implementations must be able to handle messages up to the maximum datagram packet size. For UDP, this size is 65,535 bytes, including IP and UDP headers. However, the maximum datagram packet size the Mediatrix unit supports for a SIP request or response is 5120 bytes excluding the IP and UDP headers. This should be enough, as a packet is rarely bigger than 2500 bytes.
Top
TLS Persistent Connections
Transport Layer Security (TLS) Persistent Connections are associated with the SIP servers (outbound proxy, registrar, and home domain proxy).
Top
Unit Signaling Security
Signaling is the protocol that activates a device located in the network and establishes calls between peers.
To provide security to signaling, the Mediatrix unit will connect to the network via SIP over TLS. The network is then authenticated by a certificate that guaranties that the Mediatrix unit is connected to a "safe" network.
The network will then authenticate the device with the username and password to make sure the device is part of the network's subscriber list. This authentication is done with the digest authentication. The result of these authentications and verifications provides private and reliable communications between the network and the device. Calls will be established without leaving any possibility to a third party to identify the called or callee number, or to be able to interfere with the communication in any way.
Top
Communications Security
An important aspect of communications security, is that data sent and received from one endpoint to another remains secured, reliable, and private at all times.
- the date and hour are not expired
- the certificate was issued by a recognised authority and configured within the unit
- the certificate was issued for the proper IP address or specific FQDN
Top
Basic Tasks
Preparing the Unit to Use TLS for SIP
Top
Enabling Secure Signaling (TLS)
The Ready LED will turn to a steady green. The SipEp Notification messages #303 and #310 are sent once the TLS connection is established. For example:
Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 303-TLS connection with remote host 10.5.128.14:5063 is now ready to be used for SIP gateway default.
Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 310-Server 10.5.128.14:5063 is now reachable for SIP gateway default.
Top
Selecting the Unit's Time Zone
Any DGW parameter referring to a time value will use the local time described by this time zone reference. The Hoc.SystemTime will return the unit local time in accordance with the configured time zone.
Top
Enabling TLS Debugging on Wireshark
Top
Selecting the SIP TLS Server Certificate Security Level
Only the setting for SIP over TLS transport is available over the Web GUI. For others, like file transfer or TR-069, settings are available with the script. And the levels of support are different. SIP over TLS security level has one more level (Trusted Certificate level) which other services do not have.
- Go to SIP/Interop.
- In the TLS Interop table, select the security level used to validate certificates.
Top
Advanced Parameters
Transport Layer Security (TLS) Parameters
- using a MIB browser
- using the CLI
- creating a configuration script containing the configuration parameters
For certificate transfert
- To set the HTTPS transfer cipher suite for certificate transfer: Cert.TransferHttpsCipherSuite
- To set the HTTPS transfer Tls Version for certificate transfer:: Cert.TransferHttpsTlsVersion
- To set the level of security to use when validating the server's certificate when connecting to the ACS using HTTPS: Cwmp.TransportCertificateValidation
For file transfer
- To set the HTTPS transfer cipher suite for file transfer: File.TransferHttpsCipherSuite
- To set the HTTPS transfer Tls Version configuration for file transfer: File.TransferHttpsTlsVersion
For DGW Web access
- To set the Https Cipher Suite for secure DGW Web access: Web.HttpsCipherSuite.
- To set the Http Mode used for DGW Web access: Web.HttpMode
- To select the Secure Server Port used to access the DGW Web interface: Web.SecureServerPort
- To set the HTTPS Cipher Suite for secure DGW Web access: Web.HttpsCipherSuite
- To set the Tls Version used for secure DGW Web access: Web.TlsVersion
For SIP TLS transport
- To set the TLS transport cipher suite used for secure SIP transport: SipEp.TransportTlsCipherSuite
- To set Transport Tls Version used for secure SIP transport: SipEp.TransportTlsVersion
- To set TLS client authentication: SipEp.InteropTlsClientAuthenticationEnable
For TR-069 (CWMP) establishment
- To set the HTTPS transport cipher suite configuration for TR-069 (CWMP): Cwmp.TransportHttpsCipherSuite
- To set the HTTPS Transport Tls Version configuration for TR-069 (CWMP): Cwmp.TransportHTTPSTlsVersion
- To set the level of security to use when validating the server's certificate when connecting to the ACS using HTTPS: Cwmp.TransportCertificateValidation
Top
Online Help
If you are not familiar with the meaning of the fields and buttons, click Show Help, located at the upper right corner of the Web page. When activated, the fields and buttons that offer online help will change to green and if you hover over them, the description will bedisplayed.
Top
DGW Documentation
Mediatrix devices are supplied with an exhaustive set of documentation.
Mediatrix user documentation is available on the Media5 Documentation Portal.
- Release notes: Generated at each GA release, this document includes the known and solved issues of the software. It also outlines the changes and the new features the release includes.
- Configuration notes: These documents are created to facilitate the configuration of a specific use case. They address a configuration aspect we consider that most users will need to perform. However, in some cases, a configuration note is created after receiving a question from a customer. They provide standard step-by-step procedures detailing the values of the parameters to use. They provide a means of validation and present some conceptual information. The configuration notes are specifically created to guide the user through an aspect of the configuration.
- Technical bulletins: These documents are created to facilitate the configuration of a specific technical action, such as performing a firmware upgrade.
- Hardware installation guide: They provide the detailed procedure on how to safely and adequately install the unit. It provides information on card installation, cable connections, and how to access for the first time the Management interface.
- User guide: The user guide explains how to customise to your needs the configuration of the unit. Although this document is task oriented, it provides conceptual information to help the user understand the purpose and impact of each task. The User Guide will provide information such as where and how TR-069 can be configured in the Management Interface, how to set firewalls, or how to use the CLI to configure parameters that are not available in the Management Interface.
- Reference guide: This exhaustive document has been created for advanced users. It includes a description of all the parameters used by all the services of the Mediatrix units. You will find, for example, scripts to configure a specific parameter, notification messages sent by a service, or an action description used to create Rulesets. This document includes reference information such as a dictionary, and it does not include any step-by-step procedures.
Top
Copyright Notice
Copyright © 2023 Media5 Corporation.
This document contains information that is proprietary to Media5 Corporation.
Media5 Corporation reserves all rights to this document as well as to the Intellectual Property of the document and the technology and know-how that it includes and represents.
This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever, without written prior approval by Media5 Corporation.
Media5 Corporation reserves the right to revise this publication and make changes at any time and without the obligation to notify any person and/or entity of such revisions and/or changes.