
Overview of port security - A/V Edge


by computerhighguy, Posted (Edited)

Security of UDP 3478 and TCP 443
The A/V Edge Server is an enterprise-managed resource, so restricting it to authorized users matters both for security and for capacity. UDP 3478 and TCP 443 are reachable only by clients that belong to the organization running that A/V Edge Server. A client uses these two ports to allocate, respectively, a UDP and a TCP port in the 50,000 range for the remote party to connect to.

To get that far, the client first obtains a 128-bit username and a 128-bit password as part of its Communicator or Meeting Console registration. These values are delivered over the TLS-protected signaling channel and are machine-generated, so a dictionary attack against them is pointless. The client then uses a digest-style authentication to perform the actual allocation:

  • The client sends an initial allocate request; the A/V Edge answers with a 401 nonce/challenge message.
  • The client sends a second allocate containing its username and an HMAC over the username and nonce, keyed with the password. The password itself never crosses the wire.
  • The server computes the expected HMAC from its own copy of the username and password. If the values match, the allocation is carried out; otherwise the packet is dropped.

A sequence number mechanism prevents a captured allocate from being replayed, and the same HMAC protection is applied to every subsequent message in the call session. The username/password pair lives at most 8 hours, after which the client acquires a fresh pair for subsequent calls.
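The allocate exchange described above, written out as an added example in Go (my own code, not code from the page, from Microsoft, or from the OCS product): the edge issues a nonce, the client answers with an HMAC keyed by its password, and the server drops anything whose HMAC or sequence number is wrong. Details the page does not state and which are assumptions here: HMAC-SHA1 as the MAC, a 16-byte nonce, the sequence number being covered by the HMAC so it cannot be edited, and "drop" expressed as a returned error.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// Credential is the per-registration username/password the client obtains over
// the TLS signaling channel. Both are 16 random bytes (128 bits), so neither can
// be found with a dictionary.
type Credential struct {
	User, Pass []byte
}

func NewCredential() (Credential, error) {
	c := Credential{User: make([]byte, 16), Pass: make([]byte, 16)}
	if _, err := rand.Read(c.User); err != nil {
		return Credential{}, err
	}
	if _, err := rand.Read(c.Pass); err != nil {
		return Credential{}, err
	}
	return c, nil
}

// Allocate is the second (authenticated) allocate request. The password never
// appears in it; only an HMAC keyed with the password does.
type Allocate struct {
	User, Nonce []byte
	Seq         uint32
	MAC         []byte
}

// mac is the message integrity value: HMAC-SHA1 keyed with the password over
// username || nonce || sequence number (assumption: the sequence number is
// covered, which is what makes a replayed packet distinguishable from a fresh one).
func mac(pass, user, nonce []byte, seq uint32) []byte {
	m := hmac.New(sha1.New, pass)
	m.Write(user)
	m.Write(nonce)
	m.Write([]byte{byte(seq >> 24), byte(seq >> 16), byte(seq >> 8), byte(seq)})
	return m.Sum(nil)
}

// ClientAllocate builds the authenticated request for a challenge nonce.
func ClientAllocate(c Credential, nonce []byte, seq uint32) Allocate {
	return Allocate{User: c.User, Nonce: nonce, Seq: seq, MAC: mac(c.Pass, c.User, nonce, seq)}
}

// EdgeServer knows the credentials it issued, the nonce it last challenged each
// user with, and the highest sequence number it has accepted from each user.
type EdgeServer struct {
	creds   map[string][]byte
	nonces  map[string][]byte
	lastSeq map[string]uint32
}

func NewEdgeServer() *EdgeServer {
	return &EdgeServer{creds: map[string][]byte{}, nonces: map[string][]byte{}, lastSeq: map[string]uint32{}}
}

// Register records a credential issued at Communicator registration time.
func (s *EdgeServer) Register(c Credential) {
	s.creds[hex.EncodeToString(c.User)] = c.Pass
}

// Challenge answers the unauthenticated first allocate with a fresh nonce
// (the 401 nonce/challenge message).
func (s *EdgeServer) Challenge(user []byte) ([]byte, error) {
	k := hex.EncodeToString(user)
	if _, ok := s.creds[k]; !ok {
		return nil, errors.New("drop: unknown user")
	}
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	s.nonces[k] = n
	return n, nil
}

// Verify checks the authenticated allocate. Any failure means the packet is
// dropped; only a good MAC with a fresh sequence number advances the state.
func (s *EdgeServer) Verify(a Allocate) error {
	k := hex.EncodeToString(a.User)
	pass, ok := s.creds[k]
	if !ok {
		return errors.New("drop: unknown user")
	}
	if !hmac.Equal(a.Nonce, s.nonces[k]) {
		return errors.New("drop: nonce is not the one we issued")
	}
	if last, seen := s.lastSeq[k]; seen && a.Seq <= last {
		return errors.New("drop: replayed or out-of-order sequence number")
	}
	if !hmac.Equal(a.MAC, mac(pass, a.User, a.Nonce, a.Seq)) {
		return errors.New("drop: HMAC mismatch")
	}
	s.lastSeq[k] = a.Seq
	return nil
}

func main() {
	c, _ := NewCredential()
	edge := NewEdgeServer()
	edge.Register(c)
	nonce, _ := edge.Challenge(c.User)
	fmt.Println("first allocate:", edge.Verify(ClientAllocate(c, nonce, 1)))
	fmt.Println("replayed copy: ", edge.Verify(ClientAllocate(c, nonce, 1)))
}
```

The point to take from it: the edge never compares passwords, it compares MACs, so a sniffer on the path between client and edge sees a username, a nonce and a MAC, none of which lets it allocate ports itself or replay the capture.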

Security of UDP/TCP 50,000-59,999
The question arises, "Isn't 10,000 ports less secure than a couple of well-known ports?" You might think so, but the answer is no. From an attacker's standpoint, each of those 10,000 ports behaves exactly the same, so the more pertinent question is: "How secure is each of those ports?"

One consideration is that allocations in this range are chosen randomly. At any given time many of these ports are not listening for packets at all (contrast that with a well-known port, which an attacker can focus on). The security mechanism on each allocated port is a filter that admits only packets originating from the remote endpoint's IP address. That address is communicated over the TLS-secured signaling channel, and packets from any other source address are dropped. To inject packets into the A/V Edge, an attacker therefore has to learn the remote party's address from the TLS-protected signaling and spoof packets from it. Because a new random port is allocated for each call, all of this has to happen within the span of a single call: 1) deduce an active port, 2) break the TLS signaling channel, and 3) spoof the remote user's IP address. In this design, having a range of ports improves security rather than weakening it.

One caveat a practitioner should keep in mind: a source-IP filter is a resource control, not a confidentiality control. UDP carries no handshake, so an attacker who learns the peer's address some other way (for instance by sitting on the media path and watching the traffic) can spoof it. What stops such an attacker from reading or injecting media is SRTP, covered in the next section.

Some have asked whether this port range can be scaled back. It can, but not under the guise of improving security. Reducing the port range limits A/V Edge scale in peak situations (e.g. 1pm conference calls); an adjusted range should allow no fewer than 6 UDP/TCP ports per user under peak load. Others have asked whether the range can be eliminated altogether for companies that don't require audio/video federation. That scenario has not been tested and is currently an unsupported configuration.
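As an added illustration (my own Go model, not the product's code), the following shows the two behaviours this section relies on, random allocation from the 50,000 range and the per-port source-IP filter, together with the 6-ports-per-user sizing rule. The type and function names (Relay, Allocate, Accept, MinPortRange) and the IP addresses are constructed for the example; the product's internal structure is not described on the page.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// The range the page describes, inclusive.
const (
	RangeStart = 50000
	RangeEnd   = 59999
)

// MinPortRange is the sizing rule from the text: no fewer than 6 UDP/TCP ports
// per user at peak load.
func MinPortRange(peakUsers int) int { return 6 * peakUsers }

// Allocation is one relay port, bound to the single remote IP (learned over the
// TLS signaling channel) that is allowed to send to it.
type Allocation struct {
	Port     int
	RemoteIP net.IP
}

// Relay models the A/V Edge media port pool.
type Relay struct {
	lo, hi int
	inUse  map[int]*Allocation
}

func NewRelay(lo, hi int) *Relay {
	return &Relay{lo: lo, hi: hi, inUse: map[int]*Allocation{}}
}

// Allocate picks an unused port at random from the pool, so an attacker cannot
// predict which port a given call will use, and binds it to the remote IP.
func (r *Relay) Allocate(remote net.IP) (*Allocation, error) {
	size := uint32(r.hi - r.lo + 1)
	if len(r.inUse) >= int(size) {
		return nil, errors.New("port range exhausted")
	}
	for {
		var b [4]byte
		if _, err := rand.Read(b[:]); err != nil {
			return nil, err
		}
		// Modulo bias is negligible: 2^32 is far larger than the pool size.
		port := r.lo + int(binary.BigEndian.Uint32(b[:])%size)
		if _, taken := r.inUse[port]; taken {
			continue
		}
		a := &Allocation{Port: port, RemoteIP: remote}
		r.inUse[port] = a
		return a, nil
	}
}

// Release returns a port to the pool when the call ends; it stops listening.
func (r *Relay) Release(port int) { delete(r.inUse, port) }

// Accept is the per-port filter: a datagram reaches the media path only if the
// destination port is allocated and the source IP is the bound remote IP.
// Everything else is dropped, including traffic aimed at unallocated ports.
func (r *Relay) Accept(dstPort int, src net.IP) bool {
	a, ok := r.inUse[dstPort]
	return ok && a.RemoteIP.Equal(src)
}

func main() {
	relay := NewRelay(RangeStart, RangeEnd)
	peer := net.ParseIP("203.0.113.7") // remote party's address, learned over signaling
	a, err := relay.Allocate(peer)
	if err != nil {
		panic(err)
	}
	fmt.Println("allocated port:", a.Port)
	fmt.Println("packet from peer accepted:", relay.Accept(a.Port, peer))
	fmt.Println("packet from elsewhere accepted:", relay.Accept(a.Port, net.ParseIP("198.51.100.9")))
	fmt.Println("ports needed for 1500 users at peak:", MinPortRange(1500))
}
```

Note what the filter does and does not check: it keys on source IP only, not on source port or on any per-packet secret. That is why the model treats it as a resource control and leaves confidentiality and integrity to SRTP.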

Security of end-to-end media
As mentioned above, the signaling channel is protected with TLS using 128-bit encryption, with validation that the server certificate carries a matching FQDN and chains to a trusted authority. This is the same mechanism e-commerce sites use for online transactions. To secure the media itself, OCS implements the IETF's SRTP protocol: a 128-bit key is exchanged over the secure signaling channel, and the two endpoints use it to encrypt and decrypt the media stream with 128-bit AES. As a result, even an attacker who gets "in the middle" of the media path can neither eavesdrop on the conversation nor inject additional media packets; injected or altered packets fail SRTP's integrity check, and the client simply drops them.

Note that the media key travels inside the signaling, so it is hidden from observers of the network but not from the servers that relay that signaling. "End to end" here means endpoint to endpoint across the media path.
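Added example, not from the page or the product: a minimal SRTP-style sender and receiver in Go, with AES-128 in counter mode and an 80-bit HMAC-SHA1 tag laid out as RFC 3711 specifies, showing that a captured payload is not readable and that a tampered or replayed packet is dropped. The page only says "SRTP" and "128-bit AES"; the tag algorithm, the counter construction and the demo keys are from RFC 3711 and my own choices. Simplifications, all assumptions: session keys are passed in directly rather than derived from the exchanged master key, one direction only, the rollover counter never advances, and the replay check is a strict sequence comparison rather than RFC 3711's sliding window.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

const tagLen = 10 // SRTP default auth tag: HMAC-SHA1 truncated to 80 bits

// Session holds one direction's session keys (assumed already derived).
type Session struct {
	encKey  []byte // 16 bytes, AES-128
	salt    []byte // 14 bytes
	authKey []byte // 20 bytes, HMAC-SHA1 key
	ssrc    uint32
	roc     uint32 // rollover counter; the 16-bit sequence never wraps here
	lastSeq int64  // highest sequence number accepted; -1 before any packet
}

func NewSession(encKey, salt, authKey []byte, ssrc uint32) *Session {
	return &Session{encKey: encKey, salt: salt, authKey: authKey, ssrc: ssrc, lastSeq: -1}
}

// crypt applies the AES-128 counter-mode keystream for one packet. The initial
// counter is (salt<<16) XOR (SSRC<<64) XOR (index<<16) as in RFC 3711, so every
// packet of the stream gets a distinct keystream.
func (s *Session) crypt(index uint64, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(s.encKey)
	if err != nil {
		return nil, err
	}
	var iv [16]byte
	copy(iv[:14], s.salt)
	binary.BigEndian.PutUint64(iv[6:14], binary.BigEndian.Uint64(iv[6:14])^index)
	binary.BigEndian.PutUint32(iv[4:8], binary.BigEndian.Uint32(iv[4:8])^s.ssrc)
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv[:]).XORKeyStream(out, data)
	return out, nil
}

// tag authenticates header || ciphertext || ROC, so the cleartext header is covered too.
func (s *Session) tag(authed []byte) []byte {
	m := hmac.New(sha1.New, s.authKey)
	m.Write(authed)
	var roc [4]byte
	binary.BigEndian.PutUint32(roc[:], s.roc)
	m.Write(roc[:])
	return m.Sum(nil)[:tagLen]
}

// Protect turns an RTP payload into an SRTP packet: 12-byte header || ciphertext || tag.
func (s *Session) Protect(seq uint16, ts uint32, payload []byte) ([]byte, error) {
	ct, err := s.crypt(uint64(s.roc)<<16|uint64(seq), payload)
	if err != nil {
		return nil, err
	}
	pkt := make([]byte, 12, 12+len(ct)+tagLen)
	pkt[0] = 0x80 // RTP version 2; payload type 0, no padding, extension or CSRCs
	binary.BigEndian.PutUint16(pkt[2:], seq)
	binary.BigEndian.PutUint32(pkt[4:], ts)
	binary.BigEndian.PutUint32(pkt[8:], s.ssrc)
	pkt = append(pkt, ct...)
	return append(pkt, s.tag(pkt)...), nil
}

// Unprotect is the receiving client, in RFC 3711 order: replay check, tag check,
// then decryption. Anything that fails is dropped, and only an authenticated
// packet advances the replay state.
func (s *Session) Unprotect(pkt []byte) ([]byte, error) {
	if len(pkt) < 12+tagLen {
		return nil, errors.New("drop: short packet")
	}
	seq := binary.BigEndian.Uint16(pkt[2:])
	if int64(seq) <= s.lastSeq { // simplification: strict order, no reorder window
		return nil, errors.New("drop: replayed packet")
	}
	authed, tag := pkt[:len(pkt)-tagLen], pkt[len(pkt)-tagLen:]
	if !hmac.Equal(tag, s.tag(authed)) {
		return nil, errors.New("drop: authentication tag mismatch")
	}
	pt, err := s.crypt(uint64(s.roc)<<16|uint64(seq), authed[12:])
	if err != nil {
		return nil, err
	}
	s.lastSeq = int64(seq)
	return pt, nil
}

func main() {
	// Constructed demo keys; real ones derive from the key sent over signaling.
	encKey, salt := []byte("0123456789abcdef"), []byte("saltsaltsaltsa")
	authKey := []byte("authkeyauthkeyauthke")
	tx := NewSession(encKey, salt, authKey, 0x1234abcd)
	rx := NewSession(encKey, salt, authKey, 0x1234abcd)
	pkt, _ := tx.Protect(1, 160, []byte("hello"))
	_, err := rx.Unprotect(pkt)
	fmt.Println("genuine packet:", err)
	pkt[3] = 2   // attacker bumps the sequence number past the replay check...
	pkt[13] ^= 1 // ...and flips a ciphertext bit; the tag no longer verifies
	_, err = rx.Unprotect(pkt)
	fmt.Println("tampered packet:", err)
}
```

The order of checks in Unprotect is deliberate: the replay test is a cheap integer comparison and runs first, the HMAC runs only on packets that pass it, and the receiver's state changes only after the tag verifies, so a flood of forged packets can neither be accepted nor move the replay window.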