SIP trunk security measures
By Avner Izhar on Mon, 08/30/10 - 1:09am.A recent product security announcement from Cisco and a blog post by Chris Jackson made me feel it may appear that SIP trunking is not secure enough as a PSTN (Public Switched Telephone Network) access method.
Indeed if you plug your Communication Manager (or Communication Manager Express) directly to the internet or to your service provider's 'private' SIP cloud directly, you are at risk. But if you take the minimum security measures that I'll specify below, you should be fine.
The risks are divided to three categories:
1. Toll fraud and excessive phone bills.
2. System crashes and phone productivity problems.
3. Corporate network hacking through the SIP trunk facing device.
How do you protect yourself against them, here is my recommendations:
Never connect the call processing (call manager) device directly to a public network (internet or SIP provider cloud. Static NAT of port 5060 in your firewall is also very risky.
Use a dedicated device for the outbound facing functions, a CUBE (Cisco Unified Border Element) in Cisco's world, or SBC (Session Border Controller) with other vendors.
Place a SIP aware firewall between the CUBE and the internet to protect the CUBE from DOS/DDOS attacks and malformed SIP packets. The only port that should be allowed to this device is tcp/udp 5060.
Treat your SIP provider's network as a public network, you don't control who is on it and attacks can be sourced from there.
Have toll fraud prevention measures configured in your dial plan, in Communication Manager it will be:
1. Block trunk to trunk transfers.
2. Use FAC (Feature Authorization Code for high cost calls.
3. Don's allow high cost route patterns in the Gateway's inbound CSS.
4. Configure Call logging and reporting to allow forensics.
With those in place, SIP should be safe enough and the advantages it provide will worth it.
No comments:
Post a Comment