Secure SIP-based IP telephony networks

At some point in the evolution of your IP Telephony network, you're probably going to want to establish connections between your internal network and devices on the Internet. If this is in your future, even if it's far in the future, you should consider taking steps to secure it today.

The most obvious suggestion is to deploy a firewall that is:

  1. Capable of understanding and securing SIP (Session Initiation Protocol);
  2. Able to minimize the security risks inherent in opening a large number of UDP ports for VOIP traffic;
  3. Fast, fast, fast;
  4. And, if possible, capable of integrating into your QoS scheme. This is a bonus, but not entirely necessary as the Internet is a best-effort class of service anyway.

Once you have such a firewall, consider deploying a SIP Proxy in a DMZ. In fact, it's not a bad idea to do this now, even if you're not currently supporting VOIP calls to or from the Internet. SIP Proxy servers can offer a number of security features that can protect your network internally and externally.

From a design standpoint, a SIP Proxy makes it easy to deal with external endpoints attempting to contact internal endpoints, which are usually dynamically addressed and also behind Network Address Translation. This offers substantial protection for internal endpoints, which can be very important in a diverse network where many brands of endpoints may be deployed and some will necessarily be less secure than others.

It also makes it easier to recognize outbound calls. You can block all signaling traffic between your network and the Internet, and only allow traffic between your network and the DMZ, and between the Internet and the DMZ. This is a major plus in an environment where regulatory mandates require you to record or monitor calls.
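The policy above can be checked mechanically against a firewall rule export. The following is an added example, not part of the original tip: the addresses, the rule format, the rule names and the use of ports 5060/5061 as the signaling ports are all assumptions made for illustration. It flags any allow rule whose address and port ranges let SIP signaling pass directly between the internal network and the Internet instead of through the DMZ proxy.

```python
import ipaddress

# Constructed addressing for this example; the article names no addresses.
ZONES = {"internal": ipaddress.ip_network("10.0.0.0/8"),
         "dmz": ipaddress.ip_network("192.0.2.0/28")}
SIP_PORTS = (5060, 5061)  # assumed default SIP / SIP-over-TLS signaling ports

def zones_of(cidr):
    """Zones a rule's source or destination CIDR can match."""
    net = ipaddress.ip_network(cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    # A range not fully inside a named zone also matches Internet hosts.
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("internet")
    return hit

def covers_sip(r):
    """True if the rule's protocol and port range include a SIP signaling port."""
    lo, hi = r["ports"]
    return r["proto"] in ("udp", "tcp", "any") and any(lo <= p <= hi for p in SIP_PORTS)

def bypasses_proxy(r):
    """True if an allow rule lets signaling cross internal <-> Internet directly."""
    if r["action"] != "allow" or not covers_sip(r):
        return False
    src, dst = zones_of(r["src"]), zones_of(r["dst"])
    return (("internal" in src and "internet" in dst)
            or ("internet" in src and "internal" in dst))

def audit(rules):
    """Names of rules that violate the DMZ-only signaling policy, in rule order."""
    return [r["name"] for r in rules if bypasses_proxy(r)]

def make_rule(name, action, proto, src, dst, ports):
    return dict(name=name, action=action, proto=proto, src=src, dst=dst, ports=ports)

# Constructed rule set: the first three are the paths the article allows.
RULES = [
    make_rule("lan-to-proxy", "allow", "udp", "10.0.0.0/8", "192.0.2.10/32", (5060, 5061)),
    make_rule("inet-to-proxy", "allow", "udp", "0.0.0.0/0", "192.0.2.10/32", (5060, 5061)),
    make_rule("proxy-to-inet", "allow", "udp", "192.0.2.10/32", "0.0.0.0/0", (5060, 5061)),
    make_rule("legacy-voip", "allow", "udp", "10.20.0.0/16", "0.0.0.0/0", (1024, 65535)),
    make_rule("inet-to-phones", "allow", "udp", "0.0.0.0/0", "10.1.5.0/24", (5060, 5060)),
    make_rule("lan-web", "allow", "tcp", "10.0.0.0/8", "0.0.0.0/0", (443, 443)),
]

if __name__ == "__main__":
    for name in audit(RULES):
        print("direct SIP signaling path:", name)
```

The "legacy-voip" rule is flagged because its wide UDP range includes the signaling port, which is the kind of broad opening the firewall list at the top of this tip warns about. The check covers signaling only, and a deployment that runs SIP on other ports would need them added to SIP_PORTS.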

Some of the more expensive SIP Proxies have many other advantages, which include supporting IPSec for voice VPNs, the ability to restrict traffic with access-control lists, and implementation of various forms of authentication, such as HTTP Digest.


Thomas Alexander Lancaster IV is a consultant and author with over ten years' experience in the networking industry, focused on Internet infrastructure.


This was first published in November 2002
