Maintaining the Cisco SIP Proxy
This chapter contains the following information:
• Working with Logs
Note The following procedures should only be performed by system administrators.
IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF).
IPSec provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices ("peers"), such as Cisco SIP Proxies.
IPSec provides the following network security services. These services are optional. In general, local security policy will dictate the use of one or more of these services:
• Data Confidentiality—The IPSec sender can encrypt packets before transmitting them across a network.
• Data Integrity—The IPSec receiver can authenticate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
• Data Origin Authentication—The IPSec receiver can authenticate the source of the IPSec packets sent. This service is dependent upon the data integrity service.
• Anti-Replay—The IPSec receiver can detect and reject replayed packets.
Note The term data authentication is generally used to mean data integrity and data origin authentication. Within this document it also includes anti-replay services, unless otherwise specified.
IPSec for the Cisco SIP Proxy is supported on the following network configurations:
• Solaris machine to Solaris machine via manual keying
• Linux machine to Linux machine via:
  – IKE via configuration files
  – IKE via mod_ipsec_auto.c
• Solaris machine to Linux machine via manual keying
Configuring IPSec for the Cisco SIP Proxy on Solaris Platforms
IPSec on Solaris is a suite of security protocols that secure communication channels and ensure that only authorized parties can communicate on those channels.
Note The Cisco SIP Proxy implementation of Solaris IPSec requires Authentication and Data Encryption. By default, Authentication is installed with the Solaris Operating Environment 2.8. Data Encryption is available via a Solaris supplemental CD. To verify that Data Encryption has been installed, check that the files /kernel/strmod/encrdes and /kernel/strmod/encr3des exist.
To configure IPSec for the Cisco SIP Proxy on a Solaris platform, you must complete the following tasks:
1. Configure the system security policy.
2. Install the Authentication and Data Encryption security keys.
Working with Logs
Access logging and error logging are configured and controlled by the DebugFlag configuration file directives. By default, all internal errors are logged to ServerRoot/logs/error_log and access records are logged to ServerRoot/logs/access_log.
Note For Linux, ServerRoot is /usr/local/sip/. For Solaris, ServerRoot is /opt/sip/.
The Cisco SIP Proxy Server reuses Apache's existing logging facilities, with enhancements to selectively enable and disable logging for a particular module or functionality.
The error_log and access_log are text files and can be viewed with any text editor. Entries in the logs use the following formats.
This format is printed unconditionally. Entries in this format are usually informational, but they sometimes contain important error messages.
[Fri Apr 20 21:44:51 2001] [notice] A new Apache child process (27413) has started.
This format is printed when a component DebugFlag is turned on. For instance, if the "StateMachine" DebugFlag directive is turned on, a call trace similar to the following example will be logged to the error_log file.
[Fri Apr 13 22:29:37 2001] sip_protocol.c(4322) Received 291 bytes UDP packets from 10.80.36.85:50117
REGISTER sip:220.127.116.11 SIP/2.0
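The two error_log formats above (the unconditional `[timestamp] [level] message` entries and the DebugFlag traces of the form `[timestamp] file.c(line) message`, followed by the raw SIP payload) are easy to tell apart mechanically. The following parser is an added example, not part of the Cisco documentation; it classifies each line, pulls the peer address out of DebugFlag traces, and summarises how much of the file is debug output versus server messages. The sample log lines are constructed for the example.

```python
import re

# Constructed sample error_log lines in the two formats the chapter describes;
# the bare SIP request lines are payload printed by the preceding DebugFlag trace.
SAMPLE_ERROR_LOG = """\
[Fri Apr 20 21:44:51 2001] [notice] A new Apache child process (27413) has started.
[Fri Apr 13 22:29:37 2001] sip_protocol.c(4322) Received 291 bytes UDP packets from 10.80.36.85:50117
REGISTER sip:220.127.116.11 SIP/2.0
[Fri Apr 13 22:29:38 2001] sip_protocol.c(4322) Received 310 bytes UDP packets from 10.80.36.85:50117
INVITE sip:1000@220.127.116.11 SIP/2.0
[Fri Apr 13 22:29:40 2001] [error] Could not open configuration file
"""

# Apache-style ctime timestamp; the day of month may be space-padded.
TS = r"\[(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\] "
LEVEL_RE = re.compile(TS + r"\[(?P<level>\w+)\] (?P<msg>.*)$")
TRACE_RE = re.compile(TS + r"(?P<src>\w+\.c)\((?P<line>\d+)\) (?P<msg>.*)$")
PEER_RE = re.compile(r"from (?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+)")


def parse_error_log(text):
    """Classify each error_log line as 'level', 'trace' or 'continuation' (payload)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if m := LEVEL_RE.match(raw):
            entries.append({"kind": "level", "ts": m["ts"], "level": m["level"], "msg": m["msg"]})
        elif m := TRACE_RE.match(raw):
            peer = PEER_RE.search(m["msg"])
            entries.append({"kind": "trace", "ts": m["ts"], "src": f'{m["src"]}({m["line"]})',
                            "peer": peer["peer"] if peer else None, "msg": m["msg"]})
        else:
            # No timestamp prefix: raw packet contents dumped by a DebugFlag trace.
            entries.append({"kind": "continuation", "msg": raw})
    return entries


def summarize(entries):
    """Count entries by kind and severity, and collect peers seen in DebugFlag traces."""
    kinds, levels, peers = {}, {}, set()
    for e in entries:
        kinds[e["kind"]] = kinds.get(e["kind"], 0) + 1
        if e["kind"] == "level":
            levels[e["level"]] = levels.get(e["level"], 0) + 1
        if e.get("peer"):
            peers.add(e["peer"])
    return {"kinds": kinds, "levels": levels, "peers": sorted(peers)}
```

Running `summarize(parse_error_log(open("error_log").read()))` on a real file shows at a glance whether DebugFlag traces and their payload dumps dominate the log, which is the case the log rotation advice below is meant to address.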
The size of the error_log can grow significantly if many DebugFlags are turned on in the sipd.conf file. To better maintain the log file and preserve the server information, use the log rotation facility included in the Cisco SIP Proxy Server.
• To turn on error_log rotation, uncomment the following line in the sipd.conf file. This also instructs the Cisco SIP Proxy Server to rotate the logs/error_log file every 86400 seconds (24 hours).
ErrorLog "|ServerRoot/bin/rotatelogs ServerRoot/logs/error_log 86400"
• To turn on access_log rotation, uncomment the following line in the sipd.conf file. This also instructs the Cisco SIP Proxy Server to rotate the logs/access_log file every 86400 seconds (24 hours).
TransferLog "|ServerRoot/bin/rotatelogs ServerRoot/logs/access_log 86400"
Note The "CustomLog logs/access_log common" and "ErrorLog logs/error_log" lines should be commented out if the above two rotatelogs lines are uncommented.