Filtering SIP traffic?
Posted on 2014-02-24
Our phone system has been hacked recently and since then we have been instructed by our telephony co to lock down the devices.
Here is whats required:
Here are more details of what traffic/ports/ips that need to be filtered:
• SIP Application Layer Gateway or Fixups feature disabled
• A NAT without port modification (i.e. use the original port without PAT/layer 3 NAT only) on all traffic from the 172.16.10.35 (Ingate SIParator) going out towards exermanl ip 1 / external ip 2. Perform NAT from 172.16.10.35 to <public address>
• A NAT without port modification (i.e. use the original port without PAT/layer 3 NAT only) on all traffic arriving at the firewall from external ip 1 / external ip 2. Forward traffic to 172.16.10.35. Perform NAT from <public address> to 172.16.10.35
• Firewall rules to only accept traffic from the source ip address on the ports listed below. Inbound port forwards for packets arriving at <public address> to be sent towards 172.16.10.35
• Source -> Destination
external ip 1 (Gamma signalling) 5060/UDP --- forward to ----> 172.16.10.35 5060/UDP
external ip 2 (Gamma media) 6000 - 40000/UDP --- forward to ----> 172.16.10.35 6000 - 40,000/UDP (i.e. whole range one to one port mapping/no translation)
This is to prevent one-way audio caused by the non-layer 5 aware/disabled device
• Firewall rules to allow 172.16.10.35 to talk to DNS servers
• Firewall rules to allow 172.16.10.35 to talk to NTP servers
• Expedited forwarding/priority queue QoS on egress towards the Internet (for the 30 trunks we require a minimuim priority bandwidth of 2856 kbps)
• Expedited forwarding/priority queue QoS on egress from the firewall towards 172.16.10.35
The phone system is a shoretel over SIP and we have an Ingate between our firewall and Shoretel.
Does anyone know if these options/filters/port changes can be applied to a Cisco ASA 5505 firewall or our HP 2910al POE L3 Switch?