Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

SIP Security Practices 1

Status
Not open for further replies.
SupportDude

SupportDude

Technical User
Mar 1, 2006
1,667
US
Hello group!
Looking for some best practices for implementing security on SIP trunking installs where the provider does not supply a Session Border Controller.

I know the IPO firewall is a nightmare to configure, but has anybody had any success in using it to only allow SIP on the WAN/LAN2 interface?

Are you using external firewalls?
If so, how are you configuring them ... port forwarding?

Any other strategies for securing the IP Office from SIP based Toll Fraud?

Any and all ideas appreciated!

-SD-
 
Sort by date Sort by votes
Even without a SBC you should still be able to use a public STUN server and leave the system NATd behind the router, no issues with security then :)

 
Upvote 0 Downvote
@amriddle01,
Could you please name some free/public/reliable STUN servers that we can use?

Thanks in advance
 
Upvote 0 Downvote
# source : # A list of available STUN server.

stun.l.google.com:19302
stun1.l.google.com:19302
stun2.l.google.com:19302
stun3.l.google.com:19302
stun4.l.google.com:19302
stun01.sipphone.com
stun.ekiga.net
stun.fwdnet.net
stun.ideasip.com
stun.iptel.org
stun.rixtelecom.se
stun.schlund.de
stunserver.org
stun.softjoys.com
stun.voiparound.com
stun.voipbuster.com
stun.voipstunt.com
stun.voxgratia.org
stun.xten.com


Avaya_Red.gif

___________________________________________
It works! Now if only I could remember what I did...

Dain Bramaged (Avaya Search tool )
______________________________________
 
Upvote 0 Downvote
We typically put the IPO behind a firewall running full cone NAT.
No stun required.

This site is a good general VoIP reference and also lists some public STUN servers.

-SD-
 
Upvote 0 Downvote
SupportDude, that means he provider(s) you use have a SBC, when they don't you need your own or a STUN server programmed otherwise nothing adjusts the packets and it cannot traverse NAT :)

 
Upvote 0 Downvote
Sorry amriddle,
I guess I should have been more specific. [smile]
I meant we didn't need to use a public STUN server.

Full Cone Nat is a 1 to 1 setup between my public IP/ports and my private IP/ports.
Instead of using a public STUN server, we just configure the necessary information statically on the Network Topology tab.
Configure firewall type as full cone NAT.
Configure Binding refresh time, public IP (the public interface on the firewall), and public port.
This allows the IP Office to provide the correct connection information in the SDP portion of the SIP INVITE or Response.
It works great and I don't have to go searching for a working STUN server.

I also neglected to add the link on my previous post, so here it is.
A good resource for VoIP info.

Still looking for more good/common security practices.

-SD-
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

rsv23
  • Question
SIP Trunk Routing
Replies
3
Views
246
rsv23
rsv23
phoneDTC
  • Locked
  • Question
SIP Trunk Question
Replies
5
Views
382
phoneDTC
phoneDTC
claudiotele
  • Question
Sip Trunk over TLS not working
Replies
6
Views
206
derfloh
derfloh
William C290
  • Locked
  • Solved
Avaya SBCE for SIP Trunk & Workplace 2
Replies
13
Views
870
derfloh
derfloh
salert
  • Locked
  • Question
SIP Trunk registration issue TELUS
Replies
5
Views
592
Menniss
Menniss

Part and Inventory Search

Sponsor

Back
Top