cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

636
Views
0
Helpful
0
Replies
James Hawkins
Collaborator

CUBE Security

Hi,

I have configured CUBE on a 2900 ISR to link to an Internet Telephony Service Provider and want to make sure that it is secure.

I have connected Gi0/0 to an inside VLAN and Gi0/1 to the public Internet with a registered address.

So far for security I have set the ip trusted address list feature to include just the CUCM server and the IP address of the SIP provider

voice service voip

ip address trusted list

  ipv4 10.1.1.11 255.255.255.255              <-------------- CUCM server 1

  ipv4 222.222.222.222 255.255.255.255     <-------------- ITSP SIP server

address-hiding

mode border-element

I also have set an ACL to limit inbound connections from the Internet to SIP signalling and media traffic from the ITSP server

interface GigabitEthernet0/0

description CUBE Inside Interface

ip address 10.3.1.4.11 255.255.255.0

duplex auto

speed auto

!

interface GigabitEthernet0/1

description CUBE Outside Interface

ip address 111.111.111.111 255.255.255.255

ip access-group SIP-Inbound in

no ip unreachables

no ip proxy-arp

!

ip access-list extended SIP-Inbound

permit udp host 222.222.222.222 host 111.111.111.111 eq 5060

permit udp host 222.222.222.222  host 111.111.111.111  range 6000 40000

deny   ip any any log

!

I also set the call spike feature

!

call spike 5

!

I also limit the number of connections on the SIP ITSP dial peer

dial-peer voice 100 voip

description Outbound SIP calls

max-conn 40

destination-pattern .T

session protocol sipv2

session target ipv4:222.222.222

voice-class codec 1

voice-class sip privacy-policy passthru

voice-class sip early-offer forced

!

Note that the ITSP does not offer SIP registration by username/password or any form of encryption.

I would be interested in how secure people think the above is. Good enough or do I need a firewall? - if yes which of the options below:

Watchguard Firewall - the customer has a Watchguard firewall in place. I could move the CUBE to the DMZ so inbound connections would have to traverse the firewall. The issue I see with this is that the Watchguard firewall NATs outside connection to the DMZ and I am not sure how well this will work with SIP. Watchguard can apparently do SIP inspection and NAT but I am a bit dubious about it as I have no access to the firewalls (although the guys who manage them seem to know what they are doing).

IOS Firewall - could I just enable this on the CUBE and get it to do SIP inspection? - I have been trying to find a sample confug for this without success.

ASA Transparent firewall - deploy one of these as a bump in the wire between the CUBE and the ISP router. Benefit is that it is an all Cisco solution so support should be easier to come by.

I am also interested in other security features that could be enabled. The suggestion below seems interesting. Has anyone done this?

Trunk Access Codes Using Translation Rules: Protect calls to expensive PSTN destinations or undesirable locations (perhaps international calls, calls to certain countries, etc.) with trunk access codes in front of the PSTN direct dial string. These codes can be transparent to your legitimate user base by inserting the code at your call agent (e.g. 89923 for calls to country-X) and deleting the code at Cisco UBE before passing the call to the PSTN. The use of this precludes a hacker directly addressing the SIP trunk and dialing direct to expensive locations (while bypassing your call agent).

0 REPLIES 0
Create
Recognize Your Peers
Content for Community-Ad