Best options to secure webrtc

What is the best options to secure webrtc?

I’m getting ready to expose my asterisk server to the work as part of project. Previouly i have had to have users in VPN sessions to gain a pjsip session.

Now its full on webrtc. I have a ingate separator that I have put infront of this. any recommendations. The Separator sits on the internet on one interface and one on the local network where my asterisk servers are.

Very open ended question… so… while i’m not familiar with the Ingate products, its probably some SIP Voip solution - like an SBC.

You may need to do your own research on how this SBC can terminate webrtc connections (if it can). Remember that WebRTC uses a TCP connection - not UDP (like traditional Voip SIP). TCP is also stateful, and the connection will (should) be established using TLS (most browsers don’t support ws: for media any more).

These are massive differences in terms of networking… The initial connection that your websocket connection will establish should be limited to TLS only, and so be inherently secure, but there are a number of things you need to consider with that initial connection;

Will that connection be forwarded in directly to the Asterisk box (to the mini http service), or will you terminate before and reverse proxy back to the Asterisk box? I can tell you now, the Asterisk mini HTTP service is simply not built for mass connections, and will fail quickly especially under a DOS attack.

If you terminate before hand, what will you use - does the Ingate offer this? not sure… find out. If it does what are the connection limits there… what TLS versions does it offer, what certificates can you load on it? Will you use Self-Signed certificates? All questions you need to find out.

Either way… ok, now you have a LTS connection from a websocket client to Asterisk (or proxy), and SIP packets can flow between them… now you need to consider your password policy… are you going to use passwords? or is it IP auth? IP auth is more secure, but a massive hassle because IPs can change easily, and especially if you allow connections from the greater internet, their ISP may change the IP address mid session… so you use username-password auth… what username policy do you apply? what password policy do you apply? how do you communicate the password to users… do you bang them off and email?

These questions and many more are endless, and some are food for thought… but all form part of security. Good luck :slight_smile:

1 Like