VoIP and VRFs

Chris Ingram
Level 1

Does anyone know of any concerns, issues, problems, or hidden gotchas that have been experienced with creating a VRF for a VoIP network?  What I would actually like to do is place everything (except the media gateways) in a VRF and firewall it.  Thus only call signaling, management traffic, and any required database connectivity would have to pass through the firewall.  Any thoughts, anyone?

4 Replies

George Thomas
Level 10

This is certainly doable and I remember the SRND recommending this. However, this will come with its cost as far as management goes since you have a firewall in the mix and all kinds of inspection that happens with it. You can also look at the SRND for Trusted Relay points which will help in maintaining the number of ports you need to open on a firewall for media traversal. Good luck!

Please rate useful posts.

Thank you!

rothomas2
Level 1

Firewalling voice is always a headache. Unfortunately, a lot of signaling protocols are proprietary, like SCCP and MGCP (not really), or just change a lot, or are not completely standardized, like SIP.

Between the time a Dev on a VTG group decides to add a new field to a protocol like SCCP and the time the corresponding Dev on a Firewall group adds support for that field in its 'Inspection' engine, months sometimes pass. And the fact that all communications are opened on random dynamic ports between 16K and 32K makes matters worse.

I do think it's a good idea, especially with cybersecurity threats on the rise, and toll fraud so prevalent these days. I think SBC and Media relay points are a good way to get everything more in control.

I just wanted to raise some awareness that if you want to go down that path, you do need a solid roll-out and testing plan as things will likely get bizarre a few times. 

 

Thank you!