Securing my SIP trunk with CUBE

Unanswered Question
Jun 20th, 2010

Hi Guys

I recently started looking at breaking out via SIP to my SP for my voice calls.

The first question that popped up is how would I secure my internal network from my SP network.

Since they supply me with an IP and if their network got compromised or some not-so-friendly staff would be able to connect to my network.

Sure, one can set up some ACLs and so forth, but I want to know what is best practice.

I did some reading and spoke to some guys, and they say a session border controller is the way to go.

Found some documents regarding how to set it up but nothing that explains the security aspects.

I must say I am not an expert in the field.

Could I ask if someone has done this setup before to please guide me as to what needs to be done.

Any help is much appreciated

Regards

Jason Burns Wed, 06/23/2010 - 19:23

Marius,

I assume you're using CUCM and want to put the CUBE in place to interface with the Service Provider. When you do that it means that as far as the Service Provider is concerned all voice calls are being sourced from the IP of the CUBE. Anyone in the SP network would see only the IP address and port range of the CUBE.

This means you could put a firewall in front of this device and only allow inbound voice calls to the CUBE, and disallow all voice calls to any non-CUBE IP from the outside world. You could also put digest authentication between the CUBE and the Service Provider so only calls that use the agreed-upon authentication can succeed.

If the Service Provider allows, it would also be possible to set up TLS using certificates between the CUBE and the SP, but I don't believe this is as common. It would involve some work from the provider to trust your CUBE certificate, and you to configure the CUBE to trust theirs.

Let me know if this helps.

Nick.Britt_2 Tue, 02/19/2013 - 05:22

Does anyone know if there is a best practices white paper for securing each of the SIP deployments (centralized, distributed, and hybrid)?

Ayodeji oladipo... Tue, 02/19/2013 - 12:02

Nick,

The link provides adequate information on security.

I will attempt to list a few things here in addition to what you have there.

1. Always use a CUBE. It provides a demarcation point between your trusted internal network and the public network. Also configure CUBE for flow-through so that your media is terminated on the CUBE.

CUBE provides a security demarcation (border) between the trusted Enterprise network and un-trusted Public network

• Provides hiding of internal Enterprise IP addresses, presenting a single IP address for signaling and media to the outside world

• Has built-in tools to manage common vulnerability exploits, prevent Denial of Service attacks and detect malformed packets, e.g. Intrusion Prevention System, IOS Firewall.

2. Configure Peer IP addressing by using toll fraud prevention features on the CUBE. Don't just accept any connection from any device.

e.g.

voice service voip
 ip address trusted list
  ipv4 10.10.10.1
  ipv4 10.10.10.2
  ipv4 11.11.11.1

3. Most ITSP providers do not use the default port 5060 as it is susceptible to attacks because it is well known. Ask your provider if they use a different port and implement your solution on that.

4. Put a firewall at the outside of your CUBE facing the ITSP as suggested in the documentation.

Please rate all useful posts

"opportunity is a haughty goddess who waste no time with those who are unprepared"

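An added example (not from the thread or from Cisco): a small Python audit of a CUBE running-config for the trusted-list advice in point 2 above. The sample config, the 256-address threshold and the function names are assumptions; `no ip address trusted authenticate` is the IOS command that turns the trusted-list check off.

```python
import ipaddress
import re

# Constructed sample of a CUBE running-config excerpt (example addresses only).
SAMPLE_CONFIG = """\
voice service voip
 ip address trusted list
  ipv4 10.10.10.1
  ipv4 10.10.10.2
  ipv4 192.0.2.0 255.255.255.0
 allow-connections sip to sip
!
dial-peer voice 100 voip
 session target ipv4:10.10.10.1
dial-peer voice 200 voip
 session target ipv4:198.51.100.7:5060
"""

def trusted_networks(config):
    """Return the networks listed under 'ip address trusted list'."""
    nets, in_list = [], False
    for line in config.splitlines():
        text = line.strip()
        if text == "ip address trusted list":
            in_list = True
        elif in_list and text.startswith("ipv4 "):
            parts = text.split()[1:]  # address, optional network mask
            mask = parts[1] if len(parts) > 1 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{parts[0]}/{mask}", strict=False))
        elif in_list:
            in_list = False  # any other line ends the list sub-mode
    return nets

def audit(config, max_hosts=256):
    """Return review findings; max_hosts is an assumed 'too broad' threshold."""
    findings, nets = [], trusted_networks(config)
    if re.search(r"^\s*no ip address trusted authenticate", config, re.M):
        findings.append("trusted-list check disabled")
    if not nets:
        findings.append("no trusted list configured")
    for net in nets:
        if net.num_addresses > max_hosts:
            findings.append(f"overly broad trusted entry {net}")
    for peer in re.findall(r"session target ipv4:([\d.]+)", config):
        if not any(ipaddress.ip_address(peer) in n for n in nets):
            findings.append(f"dial-peer target {peer} not in explicit trusted list")
    return findings
```

A dial-peer target missing from the explicit list is a review item rather than an error: confirm that peer is one you intend to accept calls from.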