Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

SIP and Security

Status
Not open for further replies.

malibu1979

Programmer
Sep 7, 2011
52
US
I'm new to the sip world and could use a little advise on the best way securely run sip trunks. I'm not a big fan of opening ports on the router/firewall but I had to do so to get my test system up and running with a sip trunk. Should all my local ip traffic be set up on lan 1 and sip on lan 2? Should the sip be on a different vlan all together? How secure is the lan 2 firewall? I know I can make a sip trunk work, but would like it to be as secure as possible. Any advise would be great.

Thanks Jason
 
If you want it as secure as possible then buy a Session Border Controller
Info Avaya SBC

A simple mind delivers great solutions
 
Ive been reading on here about keeping voice and data on different networks for qos. How does this work when your using one-x or say a pc softphone?
 
ve been reading on here about keeping voice and data on different networks for qos. How does this work when your using one-x or say a pc softphone?
Off topic! Please start a different thread for different questions


The answer - you can't separate voice and data lans if you are using a softphone.

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.
 
if you don't use a SBC like intigrant says you can impose strict rules on the sip provider, ip office and customer firewall. basically restrict all traffic to the static ips for signalling. port 5060 is probed across ip ranges by sending sip packets and checking responses. responses are a weakness in sip protocol and how a sip device wil respond to different call setups, registration, packet size, invites, you name it. if the probing server gets a response from a host ip on udp5060 the hackers can then try many different methods of comprimising the device. Best rule of practice is lock down registration on the sip provider to IP whitelists, if not possible use a IP authenticated sip account. Block all traffic on the customer firewall to only allow authorised sip traffic through and limit your IP routes on the IPO to only the subnets required, not default 255.255.255.255/255.255.255.255. all 3 of these are advisdable, they protect the sip account on the provider side and excess traffic ont the IPO.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top