This document covers the configuration procedure for SIP Protection, which secures devices and endpoints against various forms of attacks and vulnerabilities. Deploying a VoIP infrastructure introduces a new set of challenges. Securing Unified Communications lets the phones communicate over the Secure Real-time Transport Protocol (SRTP) and prevents access by unsecured devices.
SIP Security Protection is a supplementary step that can provide greater protection from various forms of attacks.
SIP Security Protection Points
SIP Listening Port
SIP Digest Authentication
SIP Hostname Validation
1. SIP Listening Port
The default SIP listen ports are 5060 (UDP/TCP) and 5061 (TLS). These ports are well known and can be the target of attacks. Change the SIP listen ports to values that are not well known:
voice service voip
 sip
  shutdown

voice service voip
 sip
  listen-port non-secure 2000 secure 2050
2. SIP Hostname Validation
Initial INVITEs with a hostname URI are compared to a configured list of up to 10 hostnames. If there is no match for the INVITE, the Cisco Unified Border Element returns a "400 Bad Request—Invalid Host" response.
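
The following is an added example, not Cisco's code and not part of the original document: a Python model of the hostname check described above, for running a proposed hostname list against INVITE request lines from your own traffic before validation is enabled. Skipping IP-address URIs and matching case-insensitively are assumptions, the function names are hypothetical, and the sample INVITEs are constructed.

```python
import ipaddress
import re
from typing import List, Optional, Sequence

MAX_HOSTNAMES = 10  # the page: the configured list holds up to 10 hostnames
# Request line: "INVITE sip:user@host:port;params SIP/2.0"
_REQ = re.compile(r"^INVITE\s+sips?:(?:[^@\s]*@)?([^\s;?>]+)", re.IGNORECASE)

# Constructed sample request lines (not captured traffic).
SAMPLE_INVITES = [
    "INVITE sip:1000@cube.example.com:2000 SIP/2.0",
    "INVITE sip:1000@CUBE.example.com;transport=tcp SIP/2.0",
    "INVITE sip:1000@192.0.2.10:2000 SIP/2.0",
    "INVITE sip:1000@scanner.invalid SIP/2.0",
]


def request_uri_host(invite: str) -> str:
    """Return the host part of the Request-URI on the INVITE's first line."""
    lines = invite.splitlines()
    m = _REQ.match(lines[0]) if lines else None
    if not m:
        raise ValueError("not an INVITE request line")
    hostport = m.group(1)
    if hostport.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::1]:5060
        return hostport[1:hostport.index("]")]
    return hostport.rsplit(":", 1)[0]  # drop an optional :port


def hostname_check(invite: str, permitted: Sequence[str]) -> Optional[int]:
    """Return 400 if the modeled check rejects the INVITE, else None."""
    if len(permitted) > MAX_HOSTNAMES:
        raise ValueError("more than 10 permitted hostnames")
    host = request_uri_host(invite)
    try:
        ipaddress.ip_address(host)
        return None  # assumption: IP-address URIs are outside the hostname check
    except ValueError:
        pass
    # Assumption: hostnames compare case-insensitively, as DNS names do.
    if host.lower() in {h.lower() for h in permitted}:
        return None
    return 400  # the "Invalid Host" rejection described above


def rejected(invites: Sequence[str], permitted: Sequence[str]) -> List[str]:
    """List the request lines the modeled check would refuse."""
    return [i for i in invites if hostname_check(i, permitted) == 400]
```

Any legitimate request line returned by `rejected()` points to a hostname that still needs to be added to the list.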