At some point in the evolution of your IP Telephony network, you're probably going to want to establish connections between your internal network and devices on the Internet. If this is in your future, even if it's far in the future, you should consider taking steps to secure it today.
The most obvious suggestion is to deploy a firewall that is:
- Capable of understanding and securing SIP (session initiation protocol);
- Able to minimize the security risks inherent in opening a large number of UDP ports for VOIP traffic;
- Fast, fast, fast;
- And, if possible, capable of integrating into your QoS scheme. This is a bonus, but not entirely necessary as the Internet is a best-effort class of service anyway.
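What "SIP-aware" means in practice for the UDP-port problem: instead of leaving a broad static RTP range open, the firewall reads the SDP offer inside each SIP message and opens only the media port pair that was actually negotiated, closing it again when the call ends. The following Python is an added illustration of that parsing step, not code from the original article; the INVITE, addresses (RFC 5737 documentation ranges) and ports are constructed.

```python
"""Derive the minimal UDP pinholes a SIP-aware firewall needs from the SDP
carried in a SIP message.

Added example; the INVITE below is constructed, not taken from the article.
"""

# Constructed SIP INVITE with an SDP body offering audio and video.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.org>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 203.0.113.10\r\n"
    "s=-\r\n"
    "c=IN IP4 203.0.113.10\r\n"          # session-level connection address
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 203.0.113.11\r\n"          # media-level c= overrides the session one
    "a=rtpmap:31 H261/90000\r\n"
)


def sip_body(raw: str) -> str:
    """Return the message body (the SDP) that follows the first blank line."""
    _head, _sep, body = raw.replace("\r\n", "\n").partition("\n\n")
    return body


def media_pinholes(sdp: str):
    """Return (media, ip, rtp_port, rtcp_port) for every accepted m= line.

    A session-level c= applies to all streams unless a media-level c= follows
    the m= line. A port of 0 means the stream was rejected, so no hole is
    needed. RTCP is assumed on rtp_port + 1 (the RFC 3550 default); an a=rtcp
    attribute could override that and would need handling in a real ALG.
    """
    session_ip = None
    streams = []
    for line in sdp.splitlines():
        if line.startswith("c="):
            ip = line.split()[2]
            if streams:
                streams[-1]["ip"] = ip        # media-level override
            else:
                session_ip = ip               # session-level default
        elif line.startswith("m="):
            media, port_field = line.split()[:2]
            port = int(port_field.split("/")[0])   # "49170/2" style counts ignored
            streams.append({"media": media[2:], "port": port, "ip": session_ip})
    return [
        (s["media"], s["ip"], s["port"], s["port"] + 1)
        for s in streams
        if s["port"] != 0
    ]


if __name__ == "__main__":
    for media, ip, rtp, rtcp in media_pinholes(sip_body(SAMPLE_INVITE)):
        print(f"allow udp -> {ip}:{rtp} and {ip}:{rtcp} for {media} (for call duration only)")
```

Two pinholes per stream for the life of one call is a very different exposure from a permanently open 10,000-port range. Note that when the inside endpoint sits behind NAT, its `c=` line carries the private address; the parser reads whatever address is present, which is exactly why a SIP proxy or ALG on the boundary has to rewrite SDP before it leaves.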
Once you have such a firewall, consider deploying a SIP Proxy in a DMZ. In fact, it's not a bad idea to do this now, even if you're not currently supporting VOIP calls to or from the Internet. SIP Proxy servers can offer a number of security features that can protect your network internally and externally.
From a design standpoint, a SIP Proxy makes it easy to deal with external endpoints attempting to contact internal endpoints, which are usually dynamically addressed and behind Network Address Translation. This offers substantial protection for internal endpoints, which can be very important in a diverse network where many brands of endpoints may be deployed and some will necessarily be less secure than others.
It also makes it easier to recognize outbound calls. You can block all signaling traffic between your network and the Internet, and allow signaling only between your network and the DMZ, and between the DMZ and the Internet. This is a major plus in an environment where regulatory mandates require you to record or monitor calls.
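That segmentation is easy to state and easy to get wrong in a long ruleset, so it is worth expressing as a policy you can test. The Python below is an added example of such a check and is not from the original article; the zone address ranges (RFC 1918 and RFC 5737) and the sample flows are constructed, and SIP signaling is taken to be UDP/TCP 5060 and TLS 5061.

```python
"""Zone policy for SIP signaling with the proxy in a DMZ.

Inside talks only to the DMZ, the Internet talks only to the DMZ, and inside
and Internet never exchange signaling directly, so every call passes the proxy
where it can be logged or recorded.

Added example; zone ranges and flows are constructed.
"""
import ipaddress

# Constructed zone definitions; anything not matched is "internet".
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

# SIP over UDP/TCP (5060) and SIP over TLS (5061).
SIP_PORTS = {5060, 5061}

# Zone pairs on which signaling may flow; everything else is denied.
ALLOWED_SIGNALING = {
    ("inside", "dmz"),
    ("dmz", "inside"),
    ("dmz", "internet"),
    ("internet", "dmz"),
}


def zone_of(ip: str) -> str:
    """Classify an address into inside, dmz or internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def decide(src_ip: str, dst_ip: str, dport: int) -> str:
    """Default-deny decision for a signaling flow.

    Media (RTP) pinholes are opened per call by the SIP-aware firewall and
    are out of scope here; this function only governs signaling.
    """
    if dport not in SIP_PORTS:
        return "deny"
    pair = (zone_of(src_ip), zone_of(dst_ip))
    return "allow" if pair in ALLOWED_SIGNALING else "deny"


def audit(flows):
    """Evaluate a list of (src, dst, dport) flows and return decisions."""
    return [(src, dst, dport, decide(src, dst, dport)) for src, dst, dport in flows]


# Constructed sample flows: a phone registering via the proxy, the proxy
# forwarding to an Internet peer, and two direct attempts that must fail.
SAMPLE_FLOWS = [
    ("10.1.2.3", "192.0.2.10", 5060),      # phone -> DMZ proxy: allow
    ("192.0.2.10", "198.51.100.7", 5061),  # proxy -> Internet peer over TLS: allow
    ("10.1.2.3", "198.51.100.7", 5060),    # phone straight to Internet: deny
    ("198.51.100.7", "10.1.2.3", 5060),    # Internet straight to phone: deny
]

if __name__ == "__main__":
    for src, dst, dport, verdict in audit(SAMPLE_FLOWS):
        print(f"{src:>14} -> {dst:<14} :{dport}  {verdict}")
```

Because the only permitted paths both terminate on the DMZ, a recording or monitoring point on the proxy sees every call by construction rather than by hoping no phone found a direct route.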
Some of the more expensive SIP Proxies have many other advantages, which include supporting IPSec for voice VPNs, the ability to restrict traffic with access-control lists, and implementation of various forms of authentication, such as HTTP Digest.
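HTTP Digest, as SIP borrows it from RFC 2617, lets the proxy challenge a request with a nonce and check the reply without the password ever crossing the wire, and lets the proxy store only the hashed HA1 rather than cleartext passwords. The Python below is an added example of the computation on both sides, not code from the article or from any particular proxy; the SIP user, realm and nonce are constructed, while the self-check uses the published example from RFC 2617 section 3.5.

```python
"""HTTP Digest (RFC 2617, qop=auth) as used by a SIP proxy.

Added example; the SIP credentials and nonces below are constructed. The
self-check vector is the one published in RFC 2617 section 3.5.
"""
import hashlib
import hmac


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A proxy can store this instead
    of the password itself."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def proxy_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                 nc: str, cnonce: str, presented: str, issued_nonces: set) -> bool:
    """Proxy-side check.

    The nonce must be one this proxy issued and not yet consumed, and the
    presented response must match. Simplification: each nonce is accepted
    once, which also defeats straight replay of a captured request. The
    comparison is constant-time to avoid leaking match length via timing.
    """
    if nonce not in issued_nonces:
        return False
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    ok = hmac.compare_digest(expected, presented)
    if ok:
        issued_nonces.discard(nonce)
    return ok


def rfc2617_vector_ok() -> bool:
    """Check the implementation against the RFC 2617 section 3.5 example."""
    h1 = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    resp = digest_response(h1, "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b")
    return resp == "6629fae49393a05397450978507c4ef1"


if __name__ == "__main__":
    # Constructed SIP REGISTER exchange between a phone and the DMZ proxy.
    issued = {"constructed-nonce-1"}
    stored = ha1("alice", "example.org", "constructed-password")
    resp = digest_response(stored, "REGISTER", "sip:example.org",
                           "constructed-nonce-1", "00000001", "constructed-cnonce")
    print("RFC 2617 vector:", rfc2617_vector_ok())
    print("first REGISTER accepted:", proxy_verify(stored, "REGISTER", "sip:example.org",
          "constructed-nonce-1", "00000001", "constructed-cnonce", resp, issued))
    print("replayed REGISTER accepted:", proxy_verify(stored, "REGISTER", "sip:example.org",
          "constructed-nonce-1", "00000001", "constructed-cnonce", resp, issued))
```

The HA1 is bound to the realm, so a dump of one proxy's credential store does not directly yield logins to another realm, but it is still an unsalted MD5 of the password and should be protected accordingly. Digest authenticates the request; it does not encrypt it, which is where the SIP over TLS and IPsec options mentioned above come in.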
Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.