4. #TWILIOCON
What is SIP about? Initiating & Managing Sessions.
Wednesday, September 25, 13
5. #TWILIOCON
What is a SIP session? It can be anything!
Wednesday, September 25, 13
6. #TWILIOCON
SIP at Twilio. A deep dive.
Let’s take a look at what Twilio does with SIP and some of the new features
that we’ve announced.
Wednesday, September 25, 13
7. #TWILIOCON
<Dial>
<Sip>alice@example.com</Sip>
</Dial>
Wednesday, September 25, 13
16. #TWILIOCON
Twilio + SIP = Harmony.
Twilio is making SIP easy. Map your domain
ahoy.sip.twilio.com
to a voice URL and secure it with Twilio’s SIP tools.
Wednesday, September 25, 13
18. #TWILIOCON
How does Twilio handle SIP Security?
Let’s take a look at some of the tools that are available to help you secure
your Twilio SIP integration.
Wednesday, September 25, 13
19. #TWILIOCON
SIP != HTTP. We have to think about security differently.
We can’t approach securing SIP in the same way that we secure HTTP.
Attackers have very different goals in mind.
Vs.
HTTP
Vandalism & Data Theft
SIP
Telco Fraud
Wednesday, September 25, 13
20. #TWILIOCON
Twilio SIP Security: Features
1. IP Access Control Lists (IP ACLs)
2. Authentication Credentials Lists
3. The <Reject /> Verb
Wednesday, September 25, 13
21. #TWILIOCON
Twilio SIP Security: IP Access Control Lists
Think of IP ACL as a firewall for your SIP domain.
When using a multi-tenant system, IP ACL alone won’t
do the trick.
HOW IT WORKS
Each IP ACL can be associated with many domains.
Each domain can be associated with many IP ACLs.
SETUP
Wednesday, September 25, 13
22. #TWILIOCON
Twilio SIP Security: Authenticated Credentials List
All requests to the domain require username / password
to authenticate. Identical to HTTP Digest Auth.
AUTHENTICATION
Works with IP ACL to accept traffic from multi-tenant
systems. Without IP ACL, allows traffic from any IP.
IP ACL INTEGRATION
Wednesday, September 25, 13
23. #TWILIOCON
Twilio SIP Security: The <Reject/> Verb
Your TwiML application knows good behavior from bad.
Includes info about SIP INVITE.
TwiML + SIP
Use the <Reject /> verb to block suspicious, excessive,
& incorrect traffic.
RESTRICT TRAFFIC
Wednesday, September 25, 13
24. #TWILIOCON
• Twilio now accepts incoming calls with SIP
Twilio SIP: In Closing
• Security is managed via IP ACLs, Credentials, & TwiML
• Incoming calls map to TwiML URLs via SIP Domains
• All this can be managed in the Account Portal or the REST API
Wednesday, September 25, 13