SIP trunk and Internet handoff on same circuit Security Advice

Unanswered Question

Looking for some opinions on security concerns with a Dynamic IP handoff from a service provider that sends both Internet and SIP traffic down the same physical circuit. The provider separates the SIP and Internet traffic with separate DLCIs going into their MPLS cloud via Frame Relay. SIP traffic is routed to a private IP address in the provider cloud that is specific to my individual setup, and they route the public IPs to the public address attached to my Internet DLCI.

On my end I have a 2811 with Advanced IP Services and CUBE. The public addresses will be handed off via my second Ethernet interface on the 2811 and will plug into the outside interface of an ASA, and will act as the client's secondary Internet connection. The primary Ethernet interface is connected directly to the LAN. Both the SIP DLCI and Internet DLCI have public assigned IP addresses going upstream into the cloud. However, there seems to be some level of security in the MPLS environment by default because I can't access my SIP DLCI from the Internet (I don't have the Internet DLCI running yet).

I'm being cautious because my router has one leg on the net and one on the LAN, and voice traffic is flowing in and out via SIP through the CUBE. While I'm very familiar with voice and routing/security, I'm not so much with SIP trunks and CUBE, so I guess I don't know what I don't know and am looking for suggestions on making sure this is locked down properly. I do know the sip-ua is set up to hide the internal IP address. I've attached a Visio that shows the logical setup minus IP addresses. Here's a quick breakdown of interfaces.

Inside F0/1= 10.150.X.2 (Voice LAN)

Outside F0/0= 209.X.X.1 (Internet gateway for outside of ASA).

S0/0.500= DLCI 500 for internet 74.X.X.X/30

S0/0.501= DLCI 501 for SIP upstream 73.X.X.X/30

Upstream Provider SIP server= 192.168.X.X

Any help would be appreciated

Giuseppe Larosa Fri, 07/10/2009 - 08:00

Hello Jerry,


>>I can't access my SIP DLCI from the internet (I don't have the internet DLCI running yet).


If the provider is doing its work well, it is putting the SIP service DLCI in a different VRF / MPLS VPN, and if so you should be safe:

If all IP addresses on the SIP network are private, there is no need to have them on the public Internet; rather, they need to be in a private network.

Each DLCI can be associated to a different FR subinterface, and each can be in a different VRF.

Ask provider staff to explain their setup.

Edit:

If in a different VRF, even if they look like public IP addresses, they cannot be reached from the public Internet.


Hope to help

Giuseppe
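As an added illustration of the customer-side controls this thread touches on (one FR subinterface per DLCI, and keeping the SIP DLCI reachable only by the provider's SIP server), here is a hypothetical 2811 configuration fragment. It is not the poster's configuration and not something Giuseppe supplied; the addresses (209.0.2.1, 74.0.0.1, 73.0.0.1, 192.168.0.10), interface descriptions and ACL number 101 are constructed placeholders standing in for the masked values in the post.

```cisco
! Added example, not configuration from the thread. All addresses are
! constructed placeholders for the X'd-out values in the original post.

! Voice LAN side (inside); CUBE terminates the SIP trunk toward this segment.
interface FastEthernet0/1
 description Inside - Voice LAN
 ip address 10.150.0.2 255.255.255.0
!
! Public handoff toward the ASA outside interface (client's secondary Internet path).
! The router is only transit here; the ASA does the stateful inspection.
interface FastEthernet0/0
 description Outside - Internet handoff to ASA
 ip address 209.0.2.1 255.255.255.248
 no ip redirects
 no ip proxy-arp
!
! One Frame Relay subinterface per DLCI, so each PVC is its own L3 interface
! and can carry its own access list (and, on the provider side, its own VRF).
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.500 point-to-point
 description DLCI 500 - Internet
 ip address 74.0.0.1 255.255.255.252
 frame-relay interface-dlci 500
!
interface Serial0/0.501 point-to-point
 description DLCI 501 - SIP trunk (provider private VRF)
 ip address 73.0.0.1 255.255.255.252
 ip access-group 101 in
 frame-relay interface-dlci 501
!
! Pin the provider's private SIP server to the SIP DLCI so signalling and RTP
! can never be routed out the Internet DLCI if upstream routing changes.
ip route 192.168.0.10 255.255.255.255 Serial0/0.501
!
! Inbound filter on the SIP DLCI: only the provider's SIP server may reach
! this router, and only on SIP signalling (UDP 5060) and the RTP port range.
! Everything else is dropped and logged, so any unexpected source that shows
! up on the "private" DLCI becomes visible in syslog rather than silently passing.
access-list 101 permit udp host 192.168.0.10 host 73.0.0.1 eq 5060
access-list 101 permit udp host 192.168.0.10 host 73.0.0.1 range 16384 32767
access-list 101 deny ip any any log
```

Two checks go with this: `show frame-relay pvc` confirms DLCIs 500 and 501 are up as separate subinterfaces, and `show ip access-lists 101` shows the hit counters; a growing count on the final `deny ... log` line means something other than the provider's SIP server is reaching the SIP DLCI and the provider's VRF separation should be questioned, which is exactly the conversation Giuseppe suggests having with them. The separation shown here is done with access lists rather than by placing Serial0/0.501 in a customer-side VRF, because CUBE on this router terminates the SIP leg in the global routing table and the thread does not establish whether the poster's IOS release supports a VRF-bound SIP leg.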

