Gateway configuration task list
546
SmartWare Software Configuration Guide
45 • H.323 gateway configuration
H.235v2 Annex D provides H.323 RAS and H.225 message authentication and integrity check thus thwarting
any replay and spoofing attacks on H.323 calls. If H.235 is switched on, the following security attacks are
thwarted:
•
Denial of Service attacks
•
Man-in-the-middle attacks
•
Replay attacks (replay of recorded messages)
•
Spoofing
•
Connection hijacking
Among other information such as time stamp, sender and general ID, the H.235 needs a password for crypto
token generation. Since this password is intelligible when being configured by means of a Telnet session or dis-
played in a running configuration, it is possible to configure an encrypted password, which will be decrypted
on the SmartNode. For decryption a master password is needed. Configuration of the master password should
not be done over insecure links (links subject to wire-tapping). It is recommended to do so in a secure network
(local area network) only (before delivery to the customer).
Henceforth, the H.235 password can be reconfigured securely even over insecure links.
To generate an H.235 encrypted password by means of the master password as key, the password encryption
tool is used (‘getcryptopassword.exe’). The usage of the Windows based command line tool is as follows:
getcryptopassword <h235-password> <master-password>
The H.235 password must be a random alphanumeric character string of 1 through 12 characters (e.g.
12ygR34230kG). The master password must be a 32 digit hex number (characters 0-9, a-f ). To achieve best
encryption security, choose a random value (no repeating character sequences). The tool generates the
encrypted H.235 password and the hash of the master password. The encrypted H.235 password is then to be
used for remote (over insecure link) configuration of the H.235 password. The hash value of the master pass-
word can be used to verify proper configuration of all parameters. The command
show h235security
displays
all H.235 settings including a hash value of the master password. If this value is identical to the hash value out-
put by the tool
gencryptopassword.exe
, the configuration of the master password was successful. Note that this
last verification step can be done securely even over insecure links (subject to wire-tapping) since the algorithm
used for hash value calculation is a mathematical one-way function (virtually impossible to derive the password
from the hash value). To enable H.235 security on H.323 perform the steps described below.
Procedure:
To enable H.235 security on H.323 gateway
H.235 configuration
You can control on a per-message-type basis which RAS messages are sent H.235 signed and of which RAS
messages the H.235 signature shall be verified. Therefore the commands
h235-security ras-auth-int-rx
and
h235-security ras-auth-int-tx
have a new optional parameter that specifies the message type. The new
format is:
•
[no] h235-security ras-auth-int-rx [<msg>]
•
[no] h235-security ras-auth-int-tx [<msg>]