SIP trunk security

  • Question

  • I am planning to implement SIP trunks for my Clients. As far as I understand the trunk should go from the ITSP and terminate on my Mediation server. From my experience Security administrators are not always happy to get a direct connection from outside to the internal network where the Mediation server normally resides (they do not care about traffic passing through that channel). I am not discussing security of SIP/media traffic between the ITSP and my border firewall here, just termination on my network.

    So I was thinking about several possible solutions:

    1. Put a SIP security device in the DMZ and terminate the trunk on it. Dell has one, but they suggest connecting the internal interface of such a device to the internal network. That will cause a fight with security again since it bypasses the DMZ/Internal firewall.

    2. Put a one-leg SIP proxy in the DMZ. There are some Linux-based proxies, but I do not really want to force my Clients to look for Linux support. Do we have any solid commercial product with good support for this? On the other hand I do not want to add delays to media traffic.

    3. VPN from the ITSP terminated in the DMZ. Security may not be happy with a VPN traversing the border firewall. If terminated on the border firewall, a SIP proxy in the DMZ is necessary.

    4. Move the Mediation server to the DMZ and get a non-recommended configuration with all the good stuff of intra-domain communication through the firewall.

    I guess my question is what is your approach in such case?

    Thanks.


    Alex Ignatenko | MCTS:UC Voice, Virtualisation, SCCM | MCSE: Security | MCITP:Server 2008
    • Changed type Ben-Shun Zhu Tuesday, September 28, 2010 5:04 AM
    • Moved by Ben-Shun Zhu Tuesday, September 28, 2010 5:17 AM better put here (From:Planning and Deployment)
    Tuesday, September 28, 2010 3:15 AM

Answers

  • Hi Alex,

    As a best practice, a Session Border Controller (SBC) or VPN should be utilized between the SIP trunk and the Mediation server. There are a few issues that the SBC will help address as well, such as a 3-way call sending the 3rd party a SIP URI instead of a Line URI. I would recommend looking at the NET VX and UX series; I know specifically the UX can support this scenario and comes out of the box licensed for it. I believe AudioCodes, Dialogic, Ferrari and a number of other vendors can also support this solution.

    Here are a couple of good references on the topic:

    http://technet.microsoft.com/en-us/library/dd425095(office.13).aspx

    http://technet.microsoft.com/en-us/library/dd425087(office.13).aspx

    Hope this helps!

    -kp


    Kevin Peters blog: www.ocsguy.com MCITP: Enterprise Administration | MCTS:OCS | MCSE | MCSA | CCNA
    • Marked as answer by Alenat Tuesday, September 28, 2010 6:48 PM
    Tuesday, September 28, 2010 3:55 PM

All replies

  • Alex,

    Don't be fooled by everyone saying SIP is safe, since it has the largest growth of hackers of all areas in IT! The SBC does nothing but secure two points and not what goes through the connection.


    SIPTrunkSecurity.com - Last week's VoIP/SIP Security Breach of the Week below.


    TelePacific Network Outage: Cyber-Terrorism FBI - By Josh Long, 3/30/2011

    "The unprecedented attack" on the network occurred March 24 and March 25, TelePacific President and CEO Dick Jalkut wrote in a letter dated Monday to his SmartVoice customers. "This event, which has been determined to be a cyber-criminal act, was from an external source that circumvented the normal protocol and prevention methods recommended by our vendors Broadsoft and Acme Packet and followed by those in our industry, including TelePacific," Jalkut said.


    • Policy Enforcement - Who can use what UC application from where and from what device?
    • Privacy / Encryption - Encrypting SIP, Skinny signaling, IM over TLS - VoIP/Video over SRTP,...
    • Threat Protection/Mitigation - With ongoing updates
    • Prevent - DoS, Spoofing, Eavesdropping, Fuzzing, Call walking, Toll Fraud,...
    • Access Control - 2-Factor Authentication

    Know What Your SBC Doesn't Do???

    We Provide These SIP Trunk Services:

    • Exceptional SIP, UC, VoIP/Video Security Support/trouble-shooting
    • Block Hours in 10, 20, 50 hour blocks - No support contract required
    • Proof of Concepts, Pilots, Assessments, Recommendations
    • Design/Architect, planning/project management, and deployment services
    • Secure universal client access and Advanced Access Controls
    • SIP Trunk, SIP Trunk Security, UC Security, VoIP, VoIP Security, Video, Security, consulting, support
    • SIP Upgrade/Installation Assistance for UC, VoIP and Video
    • SIP Trunks, IP-PBX, PSTN, Internet, Between VLANs or In front of PBX
    • Cisco, Avaya, Polycom, Microsoft,...
    • Onsite Training and Workshops...


    Call for SIP Trunk Security Support!
    ...
    480-759-2225...
    • Review/Recommendation for Secure UC, VoIP, and Video System
    • Review/Recommendation for SIP Trunk Design and Architecture.
    • Review/Recommendation from Security Assessment of UC, VoIP, and Video System.
    • Review/Recommendation from Penetration Test.
    • Review/Recommendation for Compliancy of UC, VoIP, and Video System.
    • Remote Management and Hosting
    • Upgrades and Changes

    Has Your SBC Got This Security in the Box?

    1. Firewall
    2. IDS/IPS
    3. Access Control
    4. Authentication
    5. UC Proxy
    6. VPN/Encrypt
    7. Policy Enforcement
    8. SBC,...

    Tuesday, April 5, 2011 2:10 PM