Protecting Yourself in a WebRTC World Lawrence Byrd Technology Evangelist
Speakers Mykola Konrad Karl Stahl Sonus CTO and Chairman, Ingate Systems
Merged Intertex Data AB and Ingate Systems AB Ingate’s SBCs do more than POTSoIP SIP. They were developed for standard compliant end-to-end multimedia SIP connectivity everywhere. WebRTC is just aligned – Ingate adds Q-TURN telepresence quality and the WebRTC & SIP Companion Gateway brings all WebRTC features to the enterprise PBX/UC Solution/call center and to the service provider next generation telephony. Merged Intertex Data AB and Ingate Systems AB Karl Stahl CTO and Chairman Ingate Systems info@ingate.com karl.stahl@intertex.se
WebRTC “Protection”– More or less challenging? Is there a “security difference” compared to soft clients and Webex-like screen sharing applications? Not much! But… The big difference is that the browser is “always available”, used and we now have to trust the browser to provide the basic protection. Can my screen be viewed also? Should we be concerned? Cannot even decline video… And HTTPS only asks first time… Firewalls and SBC won’t help. They don’t do (cannot do) these things. – They allow or not!
WebRTC & VoIP Security (and SBCs) – Confusing it is… And it is quite different: WebRTC in itself What is meant by “securing WebRTC”, “managing security” etc.? Says who? User: Privacy, confidentiality would be nice Carrier: Theft of service, DoS/Overload, don’t crash our systems Enterprise data department: Don’t send malicious packets into our LAN, don’t leak our information. Enterprise PBX / UC department: Make it work - always and everywhere, but keep our resources and information to ourselves. and integrated with the “Enterprise PBX / UC social network”
WebRTC in Itself has Excellent Privacy Media is always encrypted between the endpoints. With DTLS-SRTP, only the browsers know the key. Signaling is not standardized and is most often over https (i.e. encrypted) But that will not always be maintained when calls are gatewayed into other worlds VoIP Service Providers seldom use encryption anywhere Enterprise PBX / UC / call centers are hiding behind a firewall or an SBC Encryption is rarely used in the current PSTN and VoIP carrier world
WebRTC in Itself is Quite Secure, but Consider… Turn server needs DoS protection Does not traverse restrictive enterprise firewalls: ICE firewall traversal assumes it is open from the inside. Proposed media tunneling through open TCP 80 (http) or 443 (https) ports destroys quality. Data department may not want to open more. Quality on data-crowded pipes: WebRTC uses the Internet, where the access pipes are crowded with data traffic. No QoS since firewalls are unaware of real-time traffic, which ICE/STUN/TURN assumes. LAN Company Web Server Q-TURN RESOLVES
A Novel View on ICE – Q-TURN Knock-knock; Give my Media a Quality Pipe Regard ICE as a request for real-time traffic through the firewall. Interpret the STUN & TURN signals in the firewall Have the STUN/TURN server functionality IN the firewall and set up the media flows under control Security is back in the right place - The firewall is in charge of what is traversing Enterprise firewall can still be restrictive Q-TURN Q-TURN Enables QoS and More: Prioritization and Traffic Shaping Diffserv or RVSP QoS over the Net Authentication (in STUN and TURN) Accounting: Quality gigabits measured
WebRTC-SIP Gateways Will be Used – Are Required WebRTC-SIP Gateways Will be Used – Are Required! Often Built on Top of SBCs – Do such SBCs Protect? LAN Company Web Server SIP WS media An enterprise wants to have the WebRTC benefits into their PBX / UC / Call Center infrastructure. That is where their Auto attendant, Call Routing, Queues, Conference Bridge etc. are. and an enterprise UC solution of course benefits from browser-based clients, locally and remotely so do the IMS/VoLTE/RCS emerging networks Such WebRTC – SIP Gateways require SBC functions like security, interoperability fix-ups and NAT/firewall traversal
Questions (and Answers within parenthesis (Hidden Slide) If firewalls and SBC can’t do it: Will privacy and security concerns stop WebRTC? (Of course not! All applications invade us these days – We still use them, because we cannot be without them.) If firewalls just stop or allow WebRTC, what do SBCs do? Do SBCs really exist in the WebRTC world? (Not in the way rumored! Some SBC vendors have added WebRTC/SIP Gateways on top of their SBCs (Ingate, Acme/Oracle…). Others have added TURN servers in their SBCs (Ingate, Avaya/Sipera…) Shall we stop talking about SBCs in the WebRTC world? (I would say so. The word is too confusing – It actually is in the SIP world as well. SBCs are said to do many things they don’t do, and SBCs vary a lot from each other – some being just SIP fixup devices, and not providing firewall functions at all – The variation is large.)