SIP Trunk Setup. Security?

Status
Not open for further replies.

ega218

MIS
Aug 21, 2004
133
US
Hello,

I have successfully set up a SIP Trunk with my provider to my IP Office R6.1. However, I am not certain about having a WAN connection on the IP Office unit and also having the IP Office connected to my LAN. Shouldn't I have some type of firewall policy to ensure there is no possible way of any entry to my LAN through that WAN connection used for the SIP?

If anyone has any thoughts on this, please advise.

Thanks in advance

Elmo :)
 
BTW, SIP is set up on the LAN2 tab, which is where I have a static WAN IP set up, and my LAN IP is set up on the LAN1 tab.

Thanks.
 
Any decent SIP trunk will pass through a router, so no need to be on an external address :)


Avaya Implementation Qualified Professional Specialist Technical Engineer (AIQPSTE)
 
Thank you amriddle01. I will check with my ISP.
 
And why exactly would any decent SIP trunk need to pass through a router? Yes, security, but there is no REAL reason for it, especially if you are trying to weed out possible issues.
I'm headed down this path with my own IPO, merely for educational purposes. It works fine behind my firewall, but I like to dig. I plan to put the LAN2 directly on my WAN...and plan to use the built-in firewall to block everything but SIP/RTP. I have to make heads or tails of this first, however.

· Match Offset
The offset into the packet (0 = first byte of IP packet) where checking commences for either a specific port number, a range of port numbers, or data.

· Match Length
The number of bytes to check in the packet, from the Match Offset point, that are checked against the Match Data and Match Mask settings.

· Match Data
The values the data must equal once masked with the Match Mask. This information can be obtained from the "TCP Dst" parameter in a Monitor trace (the firewall uses hex, so a port number of 80 is 50 in hex).

· Match Mask
This is the byte pattern, which is logically ANDed with the data in the packet from the offset point. The result of this process is then compared against the contents of the "Match Data" field.


-Austin
ACE: Implement IP Office
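
To make the four fields quoted in the post above concrete, here is an added example (not from the thread and not Avaya's implementation) that models the match exactly as the quoted text describes it and runs it over constructed packets. It assumes SIP signalling on UDP port 5060; the function names, rule values and sample addresses are hypothetical.

```python
import struct

def rule_matches(packet: bytes, offset: int, data: bytes, mask: bytes) -> bool:
    """Model of the rule as described in the post: AND the mask with the packet
    bytes starting at Match Offset, then compare with Match Data.
    Match Length is taken to be len(data)."""
    if len(data) != len(mask):
        raise ValueError("Match Data and Match Mask must be the same length")
    window = packet[offset:offset + len(data)]
    if len(window) < len(data):  # packet too short to contain the field
        return False
    return bytes(b & m for b, m in zip(window, mask)) == data

def dst_port_offset(packet: bytes) -> int:
    """Offset of the TCP/UDP destination port from byte 0 of the IP packet.
    The IP header length (IHL, low nibble of byte 0) is in 32-bit words and
    the destination port starts 2 bytes into the transport header."""
    return (packet[0] & 0x0F) * 4 + 2

def udp_packet(dst_port: int, ip_options: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 + UDP headers, checksums left at zero,
    addresses from the documentation ranges."""
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 8, 0, 0, 64, 17,
                     0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + ip_options + struct.pack("!HHHH", 40000, dst_port, 8, 0)

# Hypothetical rules. Offset 22 = 20-byte IP header + 2 bytes into UDP header.
SIP_EXACT = dict(offset=22, data=bytes.fromhex("13c4"), mask=bytes.fromhex("ffff"))
# Masking off the low 4 bits turns one entry into a 16-port range, 5056-5071.
SIP_RANGE = dict(offset=22, data=bytes.fromhex("13c0"), mask=bytes.fromhex("fff0"))

if __name__ == "__main__":
    for port in (80, 5055, 5056, 5060, 5071, 5072):
        pkt = udp_packet(port)
        print(port, hex(port), rule_matches(pkt, **SIP_EXACT),
              rule_matches(pkt, **SIP_RANGE))
    # With IP options present the port is no longer at offset 22.
    pkt = udp_packet(5060, ip_options=b"\x01\x01\x01\x01")
    print(dst_port_offset(pkt), rule_matches(pkt, **SIP_EXACT))
```

A fixed offset of 22 only lines up with the destination port when the IP header is the usual 20 bytes, so check the header length in a Monitor trace before relying on a hand-built entry.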
 
AACon, the IPO firewall is not that flexible or effective, if it's on the WAN the system can be accessed if someone tries hard enough (not that hard). If that's what you want then fine, but the firewall/security in even the most basic routers is better than the IPO one. The question I ask is if it works through the router why put it external? My PC works through the router but will also work on the WAN, by your thinking I may as well put it on the WAN ...because I can :)


Avaya Implementation Qualified Professional Specialist Technical Engineer (AIQPSTE)
 
But, if you are going to do it, make an IP route that only responds to traffic from your SIP provider's address/range, that's better than relying on the firewall :)


Avaya Implementation Qualified Professional Specialist Technical Engineer (AIQPSTE)
 
amriddle01 said:
IP route that only responds to traffic from your SIP provider's address/range, that's better than relying on the firewall

Unless you can spoof the ITSP's address, then a good firewall will detect that :)

All I can recommend is a good managed broadband and a good firewall. We use a combination of Easynet and Watchguard and it fulfills every requirement.

ACSS - SME
General Geek



 
Ah I am totally aware of the limitations of the software firewall. Like I said, it was just an educational pursuit. I didn't know how to configure it, and wanted to learn. It's sitting fine behind a ddwrt based router for now, so no issues.

-Austin
ACE: Implement IP Office
 
That's cool Austin, but not particularly relevant to the OP and his post specifically with a security concern :)


Avaya Implementation Qualified Professional Specialist Technical Engineer (AIQPSTE)
 