09-11-2020 11:15 AM
Hello
I have my ISR 4321 for voice gateway for my Sip trunks connection, the sip connections are not going to any firewall they go directly to the ISP, I would like to know what will be best practices so I can secure the connection between my device and ISP.
thanks
Solved! Go to Solution.
09-11-2020 11:25 AM
At a minimum you should have a ACL attached to your interface towards your ITSP that only allow the needed traffic for the SIP connection and a ACL that limits VTY connectivity to whatever works best for you.
09-11-2020 11:25 AM
At a minimum you should have a ACL attached to your interface towards your ITSP that only allow the needed traffic for the SIP connection and a ACL that limits VTY connectivity to whatever works best for you.
09-11-2020 12:25 PM
Should this be to specific port 5060?
09-11-2020 12:38 PM
It depends on what ports you use for the SIP trunk to/from the ITSP. Apart from signaling you’d also need to allow RTP traffic for the actual voice traffic payload.
09-11-2020 11:43 AM - edited 09-12-2020 01:23 AM
when you think of SIP trunk security, go through the below. Its from SIP Trunking Cisco press book.
Security Considerations
The security concerns of TDM trunking, primarily toll fraud, exist equally on SIP trunking. In addition, SIP trunking exposes your network to IP level threats similar to data WAN or Internet access, such as denial of service (DOS).
For a hacker to gain access to your enterprise IP network via a TDM voice trunk is virtually impossible to do unless the TDM connection is specifically configured for modem dial-up access—and most voice trunks are not. Perpetrating a DOS attack on a TDM trunk is also highly unlikely as it is both expensive to do and requires large-scale auto-dialer equipment the average Internet hacker does not have access to. Launching these same attacks on IP addresses is significantly easier and open to a much larger pool of perpetrators because no sophisticated equipment is necessary, and the attacks can be launched for free from any Internet access connection.
When considering security on SIP trunks, you need to take into account different aspects of security. These aspects call for a series of features and capabilities to mitigate the potential threats. Security is always best deployed in a layered architecture, rather than a single box or feature that strives to protect against all possible attacks. Areas worth exploring for SIP trunk security include
SIP Trunk Levels of Security Exposure
The level of security exposure depends on the characteristics of how the SIP trunk connects into your network and the strength of security protection your service provider offers.
Figure 7-2 illustrates four increasing levels of exposure depending on the connectivity method of your SIP trunk:
Figure 7-2 Increasing Levels of Security Exposure
Many security features on both firewalls and border elements protect against attacks on SIP trunks. The following sections discuss these techniques in more detail.
A general best practice for SIP trunk security is always to use a border element to terminate a SIP trunk coming into your network. This can be an appliance function (such as deploying a dedicated CUBE), or it can be an integrated function, such as an IAD or CUCM Express device that acts as a border element and a routing or IP-PBX device in your network.
In addition to a border element, you can choose also to deploy a firewall. Again, this might be a separate appliance, or it might be integrated into a Cisco IOS router providing multiple functions to your business. Separate, dedicated devices tend to be the norm for larger enterprise and higher volume SIP trunks, whereas integrated devices tend to be the cost-effective solution for smaller sites or small business networks.
Access Lists (ACL)
Always strictly limit the devices that can access your SIP trunk, both from internal to your network and external to it. If you terminate your SIP trunk on a border element, you do not need all these security mitigation measures on every enterprise application, only on the border element. The border element itself should be set up to accept connections on the service provider side only from the provider's SBC, and on the enterprise side only from legitimate CUCM, IP-PBX, or other valid applications (for example, SIP proxies and meeting conference servers).
United States federal information reports that hackers are as frequently located inside your enterprise network as on the outside, and for that reason, it is imperative to lock down your border element on both sides so that rogue endpoints and applications inside your network cannot use the SIP trunk service for fraudulent calls. Similarly, rogue endpoints on the Internet should contact your SIP trunk. This configuration is illustrated in Figure 7-3.
Figure 7-3 Locking Down a SIP Trunk with ACLs
Additionally, voice Source IP Groups can be used with the ACLs, as shown in Figure 7-3, to provide further restrictions on the devices that might originate SIP traffic to your border element. On devices in your network that should not run SIP traffic at all, the Control Plane Policing (CoPP) feature can be used to deny all SIP traffic.
CUCM has (by default) a feature that restricts traffic on a SIP trunk to be accepted only from the IP address configured on the SIP trunk.
Hostname Validation
You can use the hostname validation feature of the CUBE to restrict the valid hostnames that are accepted in the host portion of the SIP URI of an incoming SIP INVITE. Example 7-1 illustrates the commands used by this feature to enable calls only from the four hostnames listed.
Example 7-1. Hostname Validation
sip-ua
permit hostname dns:example1.sip.com
permit hostname dns:example2.sip.com
permit hostname dns:example3.sip.com
permit hostname dns:example4.sip.com
Security features often overlap to some extent, and it is a good practice to deploy these overlapping features because they provide layered security protection. Every layer might protect you against one particular attack that might have skirted around a single layer protection to exploit a weakness in a particular appliance, device, feature operation, or configuration.
NAT and Topology Hiding
Hiding the IP addresses of enterprise voice endpoints (such as those belonging to IP phones, call agents, and TDM voice gateways) from external view can in some cases be achieved with traditional NAT features. NAT adjusts the IP addressing of IP packet headers and some of the IP addresses appearing elsewhere in SIP packets, but generic NAT devices are Layer 3-capable only. Those that have Application Layer Gateways (ALG) have more sophisticated SIP awareness, but still, generally, might offer only suboptimal capabilities to translate deeply embedded IP addresses in SIP messaging.
It is therefore more secure to use a border element that is a full SIP back-to-back user agent (B2BUA) as the network demarcation offering 100 percent SIP packet inspection and address translation. The CUBE is a full SIP B2BUA and can therefore offer complete network address translation, usually referred to as topology hiding in this context to distinguish this function from appliance NAT devices. Both media and signaling flow through the CUBE and the service provider and off-net endpoints see only the addresses of the border element and never the addresses internal to your enterprise network.
Topology hiding is important to ensure that any attacks that might come from the service provider side can be directed only toward the border element, and the communications and call agents within your enterprise remain unaffected.
Figure 7-4 illustrates how topology hiding can be accomplished by using the CUBE.
Figure 7-4 Topology Hiding
Firewalls
Many security features on both firewalls and border elements protect against attacks on SIP trunks. A certain amount of overlap occurs between the capabilities, especially true for the higher end firewalls with sophisticated SIP ALGs.
Generally you should deploy a firewall to provide generic IP protection against any kind of IP traffic, and your border element as a much more focused, voice-specific session protection function. For the least capable firewall devices, you should simply open pinholes for the traffic destined to the border element and have the border element do all the SIP inspection. For firewalls with SIP ALGs, there is some overlap in the inspection the firewall does and the inspection done by the border element. The border element always provides the most sophisticated layer of protection because it is a B2BUA whereas the firewall essentially inspects and passes through traffic but does not terminate it.
Functions that firewalls are particularly well suited to mitigate are Layers 2 and 3 inspection functions including:
More sophisticated SIP capabilities that some firewalls can have include
Firewalls are not as well suited to protecting against attacks launched from inside your network or doing session management at the level of deciding whether packets are arriving for valid sessions only, in valid sequences (or SIP dialogs), and for valid codecs or other negotiated parameters of the session. Some of the more sophisticated firewalls, such as the Cisco ASA product series or the Cisco IOS Firewall, have SIP ALGs that offer some protection services at protocol layers higher than Layer 3.
Specific functions a border element is well suited for include Layers 5 to 7 SIP inspection actions such as:
Broadly, firewalls and border elements are deployed in one of two ways:
Figure 7-5 provides six possible deployment models of firewalls and border elements.
Figure 7-5 Possible Firewall and Border Element Designs
Models (a), (b), and (c) shown in Figure 7-5 are better suited to medium-to-large enterprises and high volume contact centers, and models (d), (e), and (f) are better suited to smaller businesses.
Security Protection at the SIP Protocol Level
SIP is a widely used and understood protocol and simple to create because it uses straight text encoding in its messages (unlike H.323 that uses ASN.1 encoding). This makes SIP an easy target for hackers. Many of the protocol attacks can be launched against H.323 as well, but very few incidents of this were in the industry because H.323 is not as accessible as SIP.
Several ways to protect your network against a variety of SIP protocol attacks include
Each of these areas is discussed in the following sections.
SIP Listening Port
Every Internet hacker knows the default SIP listen ports and can sweep them from any Internet location to find an open port to launch fraudulent calls, all while your business pays for them. One way to protect against this is to change the SIP listening port to a nondefault setting. It requires the service provider to set the complementary port on the provider edge SBC. This alone can protect you against the majority of hacker attacks launched against SIP port 5060.
Example 7-2 shows the commands needed to set the SIP listening port to a nondefault setting.
Example 7-2. SIP Listening Port Setting
voice service voip
sip
shutdown
voice service voip
sip
listen-port non-secure 2000 secure 2050
voice service voip
sip
no shutdown
Transport Layer Security (TLS)
Another way to protect against this attack is to use TLS (specified in IETF RFC-2246). TLS uses an authentication mechanism that ensures only valid endpoints connect to your SIP trunk, and if the authentication fails, the call is refused.
Although this is a good way to mitigate fraudulent SIP calls, none of the current SIP trunk offerings in the market include TLS as an option. Hopefully this situation will change.
Back-to-Back User Agent (B2BUA)
A B2BUA (such as the CUBE) terminates and reoriginates all calls before they enter your network. All SIP traffic passes through the SIP stack on the B2BUA twice (on ingress and egress) so that all malformed or rogue packets are dropped.
SIP Normalization
There are certain numbers, names, or other internal information you might want to populate informative displays on the endpoints in your network. When these calls exit over the SIP trunk to external destinations, you might not want all this information to remain in the SIP messaging, especially non-DID numbers used by your organization. You can use SIP normalization features to insert, delete, or change this kind of information in the SIP messaging on your border element.
Examples 7-3, 7-4, and 7-5 show how SIP normalization can be used on the CUBE to modify the From header in an INVITE to a gateway@ip-addressformat and to add the phone-context=gateway field to the To header of the INVITE. Example 7-3 shows the commands needed for the configuration; Example 7-4 shows the original SIP INVITE; and Example 7-5 shows the resulting INVITE after normalization has been applied.
Example 7-3. SIP Normalizations Commands
voice service voip
sip
sip-profiles 1
voice class sip-profiles 1
request INVITE sip-header From modify "(<.*:)(.*@)" "\1gateway@"
request INVITE sip-header To modify "<(.*)>" "<\1;phone-context=gateway>"
Example 7-4. Original SIP INVITE
INVITE sip:22220000205060 SIP/2.0
Via: SIP/2.0/UDP 9.13.24.6:5060;branch=z9hG4bK1AD9E2
Remote-Party-ID: "sipp " <sip:sipp@9.13.24.6>;party=calling;screen=no;privacy=off
From: "sipp "<sip:sipp@9.13.24.6>;tag=23C3F840-99A To: <sip:2222000020@9.13.24.7> Date: Thu, 30 Aug 2007 07:04:36 GMT
Example 7-5. Normalized SIP INVITE
INVITE sip:22220000205070 SIP/2.0
Via: SIP/2.0/UDP 9.13.24.7:5060;branch=z9hG4bK1191BFD
Remote-Party-ID: "sipp " <sip:sipp@9.13.24.7>;party=calling;screen=no;privacy=off
From: "sipp "<sip:gateway@9.13.24.7>;tag=1EDB2D94-11DD To: <sip:2222000020@9.13.32.240;phone-context=gateway> Date: Thu, 30 Aug 2007 07:04:36 GMT
Digit Manipulation
Another technique to suppress or change nonpublic numbers from exiting your network is to use digit manipulation techniques at the border of your network. For example, a non-DID number can be changed to your organization's basic public PSTN number if the call should go off-net.
SIP Privacy Methods
Various SIP specifications control the privacy of end user information in SIP messaging such that numbers and names can travel in the messaging but still be suppressed from delivery or display to the destination endpoint. Similar methods exist in ISDN when interconnecting to the traditional PSTN.
SIP specifications (and CUBE capabilities) of interest in this area include
If your applications are not SIP-capable, or if they do not insert these headers, you can have your border element insert (or change) the content of these headers as a call leaves your premises over the SIP trunk. The CUBE can also convert between the widely deployed Remote-Party-ID (RPID) header to and from PAI/PPI and Privacy headers.
Registration and Authentication
You can use SIP mechanisms to validate the originator of a SIP call and therefore provide a mechanism to reject SIP INVITEs that come from rogue endpoints. These mechanisms include
Example 7-6 shows sample commands to configure the CUBE to do a SIP registration with credentials, and Example 7-7 shows the configuration for SIP Digest Authentication.
Example 7-6. SIP Registration
x(config)#sip-ua
x(config-sip-ua)#credentials username 1001 password cisco realm cisco.com
sip-ua
registrar ipv4:172.16.193.97 expires 3600
credentials username 1001 password 0822455D0A16 realm cisco.com
Example 7-7. SIP Digest Authentication
sip-ua
authentication username xxx password yyy
Toll Fraud
Toll fraud has existed for as long as telephone networks have been in operation. This constitutes making unauthorized calls that someone else pays for. The perpetrator can be inside your network (for example, an employee making personal international calls) or an external hacker using your SIP trunk to make calls that your company pays for.
Ensure that whatever measures you took to combat toll fraud in your TDM PSTN access network are also implemented on your SIP trunk PSTN access network. Some of the common CUBE tools that enable you to mitigate toll fraud attacks include
Signaling and Media Encryption
Another area of security to consider is the privacy of communications, that is, how to keep hackers from recording calls or hijacking them and inserting or deleting segments. Several encryption features for voice call flows mitigate these types of attacks. Separate features for protection of the signaling traffic (TCP or UDP) and the media traffic (RTP) exist.
As the media encryption keys are exchanged in the signaling stream, there is no point in encrypting media without also encrypting the signaling. Only encrypting signaling is a valid option.
None of the current SIP trunk offerings in the market include TLS or SRTP as an option. Hopefully this situation will change. The CUBE can convert between encrypted communications (TLS/SRTP) on one side and nonencrypted (SIP/RTP) on the other side, so if your business can benefit from (or demands) encryption in the enterprise, you can still connect to a SIP trunk provider.
09-11-2020 12:07 PM
@Nithin Eluvathingal This must be the longest ever response I’ve ever seen. +5 for effort.
09-12-2020 01:35 AM
when we think of security, we need to tighten all possible options.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide