One-X SIP client and securtiy

[yankblan]

Hi,

I got a customer who wants this solution, but the 4000+ RTP ports that need to be opened is worrying them.

What's your strategy to ensure security, aside from changing the default ports stated in the doc and the VoIP tab?

ACSS-SME

http://interconnexionsld.ca/

 

[Okkie26]

Setting up A VPN from your mobile device to the customers site?

 

[yankblan]

That is why they want the One-X VoIP client, to stop having to setup VPN every time.

That's what I suggested, but it was rejected. When they were at 8.1 they used 3CX softphone and VPN on their iPhone, but they want the full One-X integration (geo, IM and VM sync).

ACSS-SME

http://interconnexionsld.ca/

 

[sizbut]

They would only need 4000 ports open if they had an awful lot of simultaneous calls. The port range used is configurable within IP Office Manager.

Stuck in a never ending cycle of file copying.

 

[Pepp77]

If they have 10 users then change the port range to say 20 ports for voice. Then change the 5060 and 5061 to another port number as well.

| ACSS SME |

 

[jamie77]

If security is worrying them, get an ASBCE fitted in the way.

Jamie Green

[bold]A[/bold]vaya [bold]R[/bold]egistered [bold]S[/bold]pecialist [bold]E[/bold]ngineer

 

[yankblan]

OK, I thought the number of ports defined in Manager had to be that wide; so you're saying it doesn't?

I have 5 users licensed, so I could open just potentially 10?

ACSS-SME

http://interconnexionsld.ca/

 

[sizbut]

Start IP Office Manager, press F1, read the help on RTP ports.

Stuck in a never ending cycle of file copying.

 

[yankblan]

It still needs a sizeable range, still less than 4100. Per the help:

For Release 8.1 and higher, the gap between the minimum and maximum port values must be at least 254.

ACSS-SME

http://interconnexionsld.ca/

 

[tlpeter]

You will want a ASBCE (session border controller) for security.
But that will cost money!
It is up to them and i think that security will be no more issue when they see your quote for an ASBCE

BAZINGA!

I'm not insane, my mother had me tested!

 

[IPGuru]

It is up to them and i think that security will be no more issue when they see your quote for an ASBCE

I hope it is (& they buy the necessary equipment) because this company currently sounds sensible in demanding security.

usually it is the other way around & the ask for corners to be cut to save cost

A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear

 

[yankblan]

@IPGuru

Don't know about that. Have no idea how much this ASBCE would cost, but I'm guessing they will either, in order of likelyhood:

1.Drop it altogether;
2.Go back to SIP 3rd party on iPhone with VPN;
3.Go with less security but enforcing really strong passwords.


ACSS-SME

http://interconnexionsld.ca/

 

[tlpeter]

Yanklan, A VPN with the One-X Mobile app works too.
I always suggest strong passwords.

The point is that an SBC is an extra layer.
SIP trunks with authentication do not need a SBC but when you do you have one extra layer of security.
How far do you want to go and how much may it cost.


BAZINGA!

I'm not insane, my mother had me tested!

 

[Bas1234]

SBC is the best way, otherwise; changing port 5060/5061 into something like 5090/5091 on lan1 or 2 remote sip, also default NAT RTP range is set to 49xxx-53246 change that into 54000-54246 and use atleast 16 or longer digits as a login code.

___________________________________________
It works! Now if only I could remember what I did...

Dain Bramaged (Avaya Search tool

http://tinyurl.com/bas1234

)
______________________________________