[VOIPSEC] TLS and Firewalls
bazsi at balabit.hu
Tue Feb 8 18:51:18 GMT 2005
On Tue, 2005-02-08 at 18:25 +0100, Thorsten Brinkmann wrote:
> Hello *,
> securing VoIP (e.g. SIP) with TLS is a nice idea. But how can firewalls handle this?
> Look at the workarounds are needed to use HTTPS thru firewalls. Or have a look
> how firewalls can handle H.323.
> Having firewalls can look in application-layer is more and more needed in the future.
It is not impossible to look into TLS wrapped TCP stream, provided the
firewall is able to decipher it (using a MITM like approach). Products
like this work in practice, however TLS wrapping SIP certainly makes the
task of packet filters a nightmare. (even more than it is today with
MIME wrapped SDP payloads) I am wondering how certain packet filters
handle the complexity of SIP and what are the cornercases they do not
properly handle. (for example using DNS names in the endpoint
information, or SDP information spanning multiple packets) Any
experience in this area?
More information about the Voipsec