CUBE Security

James Hawkins
Level 8

Hi,

I have configured CUBE on a 2900 ISR to link to an Internet Telephony Service Provider and want to make sure that it is secure.

I have connected Gi0/0 to an inside VLAN and Gi0/1 to the public Internet with a registered address.

So far for security I have set the ip trusted address list feature to include just the CUCM server and the IP address of the SIP provider.

voice service voip
 ip address trusted list
  ipv4 10.1.1.11 255.255.255.255          <-------------- CUCM server 1
  ipv4 222.222.222.222 255.255.255.255    <-------------- ITSP SIP server
 address-hiding
 mode border-element

I also have set an ACL to limit inbound connections from the Internet to SIP signalling and media traffic from the ITSP server.

interface GigabitEthernet0/0
 description CUBE Inside Interface
 ip address 10.3.1.4.11 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description CUBE Outside Interface
 ip address 111.111.111.111 255.255.255.255
 ip access-group SIP-Inbound in
 no ip unreachables
 no ip proxy-arp
!
ip access-list extended SIP-Inbound
 permit udp host 222.222.222.222 host 111.111.111.111 eq 5060
 permit udp host 222.222.222.222 host 111.111.111.111 range 6000 40000
 deny   ip any any log
!

I also set the call spike feature.

!
call spike 5
!

I also limit the number of connections on the SIP ITSP dial peer.

dial-peer voice 100 voip
 description Outbound SIP calls
 max-conn 40
 destination-pattern .T
 session protocol sipv2
 session target ipv4:222.222.222.222
 voice-class codec 1
 voice-class sip privacy-policy passthru
 voice-class sip early-offer forced
!

Note that the ITSP does not offer SIP registration by username/password or any form of encryption.

I would be interested in how secure people think the above is. Good enough, or do I need a firewall? If yes, which of the options below:

Watchguard Firewall - the customer has a Watchguard firewall in place. I could move the CUBE to the DMZ so inbound connections would have to traverse the firewall. The issue I see with this is that the Watchguard firewall NATs outside connections to the DMZ and I am not sure how well this will work with SIP. Watchguard can apparently do SIP inspection and NAT but I am a bit dubious about it as I have no access to the firewalls (although the guys who manage them seem to know what they are doing).

IOS Firewall - could I just enable this on the CUBE and get it to do SIP inspection? I have been trying to find a sample config for this without success.

ASA Transparent firewall - deploy one of these as a bump in the wire between the CUBE and the ISP router. Benefit is that it is an all Cisco solution so support should be easier to come by.

I am also interested in other security features that could be enabled. The suggestion below seems interesting. Has anyone done this?

Trunk Access Codes Using Translation Rules: Protect calls to expensive PSTN destinations or undesirable locations (perhaps international calls, calls to certain countries, etc.) with trunk access codes in front of the PSTN direct dial string. These codes can be transparent to your legitimate user base by inserting the code at your call agent (e.g. 89923 for calls to country-X) and deleting the code at Cisco UBE before passing the call to the PSTN. The use of this precludes a hacker directly addressing the SIP trunk and dialing direct to expensive locations (while bypassing your call agent).
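The trunk access code idea from the last paragraph, as an added IOS voice configuration example (not from the original post and not a Cisco reference configuration). It reuses the access code 89923 quoted above, the ITSP address 222.222.222.222 and dial-peer 100 from the post; the translation-rule number, the profile name STRIP-TAC and the assumption that CUCM has already been set up to prepend 89923 to the affected destinations are mine.

```cisco
! Added example, not part of the original post. Strips the trunk access
! code 89923 that the call agent (CUCM) prepends to calls for the protected
! destinations, just before the call leaves CUBE towards the ITSP.
!
! Translation rule: delete a leading 89923 from the called number.
voice translation-rule 1
 rule 1 /^89923/ //
!
! Profile that applies rule 1 to the called number.
voice translation-profile STRIP-TAC
 translate called 1
!
! The outbound ITSP dial-peer now matches only when the access code is
! present. A SIP INVITE that reaches CUBE without the code cannot match
! this peer, so it cannot be routed to the ITSP through it.
dial-peer voice 100 voip
 description Outbound SIP calls to protected destinations (access code required)
 translation-profile outgoing STRIP-TAC
 max-conn 40
 destination-pattern 89923T
 session protocol sipv2
 session target ipv4:222.222.222.222
 voice-class codec 1
 voice-class sip privacy-policy passthru
 voice-class sip early-offer forced
!
! Check the rule from exec mode before relying on it; the output should show
! the called number with 89923 removed:
! test voice translation-rule 1 899230044123456789
```

Note that the inbound dial-peer that accepts calls from CUCM still sees the full number including the code, and that `.T` style catch-all peers elsewhere on the box would bypass this protection, so those need the same treatment or a more specific pattern.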
