Hi,
I have configured CUBE on a 2900 ISR to link to an Internet Telephony Service Provider and want to make sure that it is secure.
I have connected Gi0/0 to an inside VLAN and Gi0/1 to the public Internet with a registered address.
So far, for security, I have set the ip address trusted list feature to include just the CUCM server and the IP address of the SIP provider:
voice service voip
 ip address trusted list
  ipv4 10.1.1.11 255.255.255.255       <-- CUCM server 1
  ipv4 222.222.222.222 255.255.255.255 <-- ITSP SIP server
 address-hiding
 mode border-element
I have also set an ACL to limit inbound connections from the Internet to SIP signalling and media traffic from the ITSP server:
interface GigabitEthernet0/0
 description CUBE Inside Interface
 ip address 10.3.1.4.11 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description CUBE Outside Interface
 ip address 111.111.111.111 255.255.255.255
 ip access-group SIP-Inbound in
 no ip unreachables
 no ip proxy-arp
!
ip access-list extended SIP-Inbound
 permit udp host 222.222.222.222 host 111.111.111.111 eq 5060
 permit udp host 222.222.222.222 host 111.111.111.111 range 6000 40000
 deny ip any any log
!
I have also set the call spike feature:
!
call spike 5
!
I also limit the number of connections on the SIP ITSP dial peer:
dial-peer voice 100 voip
 description Outbound SIP calls
 max-conn 40
 destination-pattern .T
 session protocol sipv2
 session target ipv4:222.222.222.222
 voice-class codec 1
 voice-class sip privacy-policy passthru
 voice-class sip early-offer forced
!
Note that the ITSP does not offer SIP registration by username/password or any form of encryption.
I would be interested in how secure people think the above is. Good enough, or do I need a firewall? If yes, which of the options below?
Watchguard Firewall - the customer has a Watchguard firewall in place. I could move the CUBE to the DMZ so inbound connections would have to traverse the firewall. The issue I see with this is that the Watchguard firewall NATs outside connections to the DMZ and I am not sure how well this will work with SIP. Watchguard can apparently do SIP inspection and NAT, but I am a bit dubious about it as I have no access to the firewalls (although the guys who manage them seem to know what they are doing).
IOS Firewall - could I just enable this on the CUBE and get it to do SIP inspection? I have been trying to find a sample config for this without success.
ASA Transparent firewall - deploy one of these as a bump in the wire between the CUBE and the ISP router. The benefit is that it is an all-Cisco solution, so support should be easier to come by.
I am also interested in other security features that could be enabled. The suggestion below seems interesting. Has anyone done this?
Trunk Access Codes Using Translation Rules: Protect calls to expensive PSTN destinations or undesirable locations (perhaps international calls, calls to certain countries, etc.) with trunk access codes in front of the PSTN direct dial string. These codes can be transparent to your legitimate user base by inserting the code at your call agent (e.g. 89923 for calls to country-X) and deleting the code at Cisco UBE before passing the call to the PSTN. The use of this precludes a hacker directly addressing the SIP trunk and dialing direct to expensive locations (while bypassing your call agent).
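As an added example (not part of the original post, and not a configuration supplied by the poster, Cisco or the ITSP), here is the trunk-access-code scheme quoted above written out in IOS syntax. It assumes the illustrative code 89923 taken from the quoted text, reuses the dial-peer number 100 and the ITSP address 222.222.222.222 from this post, and assumes that CUCM has been set up to prepend 89923 to the called number on the route pattern for the protected destinations (that CUCM-side step is not shown).

```ios
! Added example: strip a trunk access code at CUBE before the call is
! sent to the ITSP. The code 89923 and the sample numbers are illustrative.
!
! Translation rule 10: match a called number that begins with 89923 and
! keep only what follows it (\1 is the captured remainder).
voice translation-rule 10
 rule 1 /^89923\(.*\)/ /\1/
!
! Profile that applies rule 10 to the called number.
voice translation-profile STRIP-TAC
 translate called 10
!
! Outbound dial peer toward the ITSP. It only matches called numbers that
! still carry the access code, so a call that reaches CUBE without the
! code (for example one sent straight at the trunk instead of via CUCM)
! has no dial peer to the ITSP and is rejected. The outgoing translation
! profile removes the code after dial-peer matching, before the INVITE
! leaves the router.
dial-peer voice 100 voip
 description Outbound SIP calls to ITSP (trunk access code required)
 translation-profile outgoing STRIP-TAC
 destination-pattern 89923T
 max-conn 40
 session protocol sipv2
 session target ipv4:222.222.222.222
 voice-class codec 1
 voice-class sip privacy-policy passthru
 voice-class sip early-offer forced
!
```

Two points to check when applying this: there must be no other dial peer toward the ITSP with a catch-all pattern such as `destination-pattern .T`, otherwise a call without the code still routes and the scheme protects nothing; and inbound calls from the ITSP are unaffected because the profile is bound to the outgoing leg only. The exec command `test voice translation-rule 10 8992300441234567` (constructed sample number) shows what the rule produces without placing a call, which is a convenient way to confirm the code is stripped exactly once.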