Tech Note: SIP Protection


 

 

Introduction

 

This document covers the configuration procedure for implementing SIP Protection, which secures devices and endpoints against various forms of attacks and vulnerabilities. Deploying a VoIP infrastructure introduces a new set of challenges. Securing Unified Communications allows the phones to communicate over the Secure Real-time Transport Protocol (SRTP) and prevents access by unsecured devices.

 

SIP Security Protection is a supplementary step that can provide greater protection from various forms of attacks.

 

 

SIP Security Protection Points

 

 

  • SIP Listening Port
  • SIP Digest Authentication
  • SIP Hostname Validation
  • SIP Registration
  • CDR

 

 


1. SIP Listening Port

 

The default SIP listen ports are 5060 (UDP/TCP) and 5061 (TLS). These ports are well known and can be the target of attacks. Change the SIP listen port to a different setting that is not well known.

 

 

voice service voip
sip
shutdown

voice service voip
sip
listen-port non-secure 2000 secure 2050

 

2. Hostname Validation

 

Initial INVITEs with a hostname URI are compared to a configured list of up to 10 hostnames. If the hostname in the INVITE does not match any entry, the Cisco Unified Border Element returns a "400 Bad Request—Invalid Host" response.

 

sip-ua
permit hostname dns:example1.sip.com
permit hostname dns:example2.sip.com
permit hostname dns:example3.sip.com
permit hostname dns:example4.sip.com

 

3. Digest Authentication

 

The SIP proxy challenges INVITEs from the Cisco Unified Border Element with a 401 Unauthorized response to check endpoint validity. The Cisco Unified Border Element responds with an INVITE that includes credentials.

 

sip-ua
authentication username xxx password yyy

 

4. Registration

 

The Cisco Unified Border Element can send SIP REGISTER messages with credentials to a proxy. It can register statically on behalf of endpoints behind the Cisco Unified Border Element that do not register themselves.

 


x(config)#sip-ua
x(config-sip-ua)#credentials username 1001 password cisco realm cisco.com

sip-ua
registrar ipv4:172.16.193.97 expires 3600
credentials username 1001 password 0822455D0A16 realm cisco.com
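
The settings from sections 1 to 4 can be checked against a saved configuration. The script below is an added example, not part of the original note and not a Cisco tool. It assumes the running-config is available as plain text and uses simple line matching; the function name `audit_sip_config` and both sample configurations are constructed for illustration.

```python
import re

DEFAULT_PORTS = {"non-secure": 5060, "secure": 5061}  # defaults named in section 1
MAX_HOSTNAMES = 10                                     # list limit named in section 2

def audit_sip_config(config):
    """Return a list of findings for a config given as text (empty list = all checks pass)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    # 1. Listen port: if no listen-port line is present, the defaults are in effect.
    ports = dict(DEFAULT_PORTS)
    for ln in lines:
        if ln.startswith("listen-port"):
            for kind, port in re.findall(r"(non-secure|secure)\s+(\d+)", ln):
                ports[kind] = int(port)
    for kind, port in ports.items():
        if port == DEFAULT_PORTS[kind]:
            findings.append(f"listen-port {kind} is still the default {port}")
    # 2. Hostname validation: at least one permit entry, and no more than the limit.
    hosts = [ln.split("dns:", 1)[1] for ln in lines if ln.startswith("permit hostname dns:")]
    if not hosts:
        findings.append("no 'permit hostname' entries configured")
    elif len(hosts) > MAX_HOSTNAMES:
        findings.append(f"{len(hosts)} permit hostname entries exceed the limit of {MAX_HOSTNAMES}")
    # 3 and 4. Digest authentication or registration credentials.
    # Simplification (assumption): matched anywhere in the text, not scoped to sip-ua.
    if not any(ln.startswith(("authentication username", "credentials username")) for ln in lines):
        findings.append("no 'authentication' or 'credentials' line found")
    return findings

# Constructed sample input, assembled from the commands shown in this note.
HARDENED = """
voice service voip
 sip
  listen-port non-secure 2000 secure 2050
sip-ua
 permit hostname dns:example1.sip.com
 authentication username xxx password yyy
"""
# Constructed sample with none of the settings applied.
UNHARDENED = "voice service voip\n sip\nsip-ua\n"

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(name, audit_sip_config(cfg) or "OK")
```
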

 

 

Related Information

 
