Introduction
This document describes how to configure SIP protection on a Cisco Unified Border Element to harden devices and endpoints against common forms of attack. Deploying a VoIP infrastructure introduces a new set of challenges; securing Unified Communications lets the phones communicate over Secure RTP and keeps unsecured devices from gaining access.
SIP protection is a supplementary step on top of that secure signaling and media configuration. It raises the bar against several classes of attack, but it does not replace the underlying TLS/SRTP and access-control configuration.
SIP Security Protection Points
- SIP Listening Port
- SIP Digest Authentication
- SIP Hostname Validation
- SIP Registration
- CDR
1. SIP Listening Port
The default SIP listen ports are 5060 (UDP/TCP) and 5061 (TLS). Because these ports are well known, they are the first thing scanners and attackers probe. Change the SIP listen ports to values that are not well known. The SIP service must be shut down before the listen port can be changed and re-enabled afterwards; no SIP calls are processed while it is shut down, so make the change in a maintenance window. Moving the port only reduces exposure to untargeted scanning, so keep access lists or the trusted IP address list on the SIP interface in place as well.
voice service voip
 sip
  shutdown
  listen-port non-secure 2000 secure 2050
  no shutdown
2. Hostname Validation
Initial INVITEs whose Request-URI contains a hostname are compared against a configured list of up to 10 permitted hostnames. If the hostname does not match any entry, the Cisco Unified Border Element rejects the INVITE with "400 Bad Request - Invalid Host". Each permitted hostname is configured under sip-ua with the dns: prefix:
sip-ua
 permit hostname dns:example1.sip.com
 permit hostname dns:example2.sip.com
 permit hostname dns:example3.sip.com
 permit hostname dns:example4.sip.com
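To make the check concrete, the following Python model reproduces the decision the hostname validation makes on an incoming INVITE: it extracts the host part of the Request-URI, compares it against the four dns: entries above and answers a miss with the 400 status the page describes. This is an added example, not Cisco or CUBE code. The sample messages are constructed, and two points are this model's assumptions rather than the page's: matching is case-insensitive, and a literal IP address in the host position is treated as a miss because it cannot match a dns: entry.

```python
"""Model of the 'permit hostname' check on initial INVITEs (added example, not Cisco code).

The permit list is the page's four dns: entries; the sample messages are
constructed. Model assumptions: matching is case-insensitive on the host part
of the Request-URI, and a literal IP address in that position is treated as a
miss because it cannot match a dns: entry.
"""
import re

PERMITTED = ["example1.sip.com", "example2.sip.com", "example3.sip.com", "example4.sip.com"]
MAX_PERMITTED = 10            # the page's limit on configured hostnames
REJECT = "SIP/2.0 400 Bad Request - Invalid Host"


def request_uri_host(uri):
    """Host part of a SIP/SIPS URI: drops scheme, user, port and parameters."""
    m = re.match(r"^sips?:(?:[^@]*@)?(?P<hostport>[^;?]+)", uri)
    if not m:
        return None
    hostport = m.group("hostport")
    if hostport.startswith("["):                      # IPv6 literal, e.g. [2001:db8::1]:5061
        return hostport[1:hostport.index("]")].lower()
    return hostport.split(":")[0].lower()


def parse_request(message):
    """Return (method, request_uri, headers) for a SIP request, or None if malformed."""
    head = message.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"^([A-Z]+) (\S+) SIP/2\.0$", head[0])
    if not m:
        return None
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers


def check_invite(message, permitted=PERMITTED):
    """None if the request is allowed through, else the status line to send back."""
    if len(permitted) > MAX_PERMITTED:
        raise ValueError("at most 10 permit hostname entries")
    parsed = parse_request(message)
    if parsed is None:
        return "SIP/2.0 400 Bad Request"
    method, uri, headers = parsed
    # Only initial INVITEs are validated: an in-dialog re-INVITE carries a To tag.
    if method != "INVITE" or "tag=" in headers.get("to", ""):
        return None
    host = request_uri_host(uri)
    if host is None or host not in {h.lower() for h in permitted}:
        return REJECT
    return None


def sample_invite(host, to_tag=None):
    """Constructed INVITE whose Request-URI and To header point at `host`."""
    to = f"<sip:1001@{host}>" + (f";tag={to_tag}" if to_tag else "")
    return (f"INVITE sip:1001@{host}:5060;transport=udp SIP/2.0\r\n"
            f"To: {to}\r\nFrom: <sip:2001@10.0.0.5>;tag=1928301774\r\n"
            f"Call-ID: a84b4c76e66710@10.0.0.5\r\nCSeq: 314159 INVITE\r\n\r\n")


if __name__ == "__main__":
    print(check_invite(sample_invite("example1.sip.com")))    # None: permitted
    print(check_invite(sample_invite("attacker.example")))    # the 400 status line
```

Note that the check looks only at the host portion of the Request-URI of the initial INVITE; it says nothing about where the packet came from, which is why it complements rather than replaces address-based filtering.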
3. Digest Authentication
The SIP proxy challenges INVITEs from the Cisco Unified Border Element with 401 Unauthorized to verify that the endpoint holds valid credentials. The Cisco Unified Border Element resends the INVITE with an Authorization header, a digest computed from the configured username and password together with the realm and nonce carried in the challenge, so the password itself never crosses the wire.
sip-ua
 authentication username xxx password yyy
4. Registration
The Cisco Unified Border Element can send SIP REGISTER messages with credentials to a registrar or proxy, registering statically on behalf of endpoints behind it that do not register themselves. The credentials are entered in cleartext:
x(config)#sip-ua
x(config-sip-ua)#credentials username 1001 password cisco realm cisco.com
In the running configuration the password appears obfuscated:
sip-ua
 registrar ipv4:172.16.193.97 expires 3600
 credentials username 1001 password 0822455D0A16 realm cisco.com
The obfuscated form shown here (0822455D0A16) is the reversible type 7 encoding, not a hash, so configuration backups and show running-config output must be protected as carefully as the cleartext password.
Related Information