SIP Firewalls


Tom Lancaster
10.16.2003

Most organizations that have deployed VoIP have so far done so only internally, but many are now looking at giving IP phones to work-at-home employees who have high-speed Internet access. Others have installed large, fast and stable Internet links and are considering Internet-based VoIP trunks between sites.

For these sorts of applications you will likely want a full-featured firewall, and fortunately a number of full-featured firewalls now support SIP. They do this by inspecting the signaling. The SDP body carried in a SIP INVITE, and in the 200 OK that answers it, names the IP address and UDP port each side will use for its RTP media stream (with RTCP, by convention, on the next port up). Without any cooperation from the VoIP endpoints, the SIP-aware firewall reads those messages and permits only those specific address/port pairs for the life of the call, instead of leaving a large range of UDP ports open permanently. This is a real improvement.

However, something else you should consider, particularly in a large organization, is implementing access controls internally as well. Your IP-based PBX often needs more protection than other servers because it runs complex code that is tightly integrated with the operating system. When the OS vendor releases a service pack, it may be some time before the PBX vendor verifies that the service pack does not break anything, so you may be unable to patch the IP PBX before a virus or worm appears that exploits the vulnerability. Limiting which hosts can reach the PBX, and on which ports, reduces that window of exposure.

Even if it is SIP-aware, a full-featured "Internet firewall" may not be appropriate for internal use, for a number of reasons (cost, throughput and latency among them). As an alternative, put your VoIP hosts on a dedicated subnet and use access-control lists on the router that serves it.

The problem with ordinary access-control lists, of course, is that you still have to open a wide range of UDP ports for the media streams. To avoid that, use the Cisco IOS Firewall Feature Set and CBAC (Context-Based Access Control). Normally you configure CBAC to allow certain traffic out and only the corresponding responses back in. SIP calls, however, can be set up from either direction, so the SIP inspection is applied inbound on both interfaces: it parses the signaling on UDP 5060 and dynamically opens the RTP/RTCP pinholes negotiated in the SDP, so the static ACL need only permit the signaling port itself. Note that the ACL below permits only UDP 5060: if your phones or PBX signal over TCP, or over TLS on port 5061, the ACL must be extended, and inspection can open media pinholes only for signaling it can read in the clear.

! Static ACL: permit only SIP signaling; the media ports are opened
! dynamically by inspection, so they need no permanent entry.
access-list 101 permit udp any any eq 5060
!
! Inspection rule that understands SIP and tracks its calls.
ip inspect name mySIP sip
!
! Inspect inbound on both interfaces so calls may be initiated from either side.
interface fa0/1
  ip inspect mySIP in
!
interface fa0/0
  ip inspect mySIP in
  ip access-group 101 in

You will of course have to tailor the ACL, the interface names and the direction of the access group to your own environment.
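To make concrete what the SIP-aware firewall and the CBAC "ip inspect sip" rule described above are doing, here is a small model of that inspection in Python. It is an added example, not code from the article or from Cisco: it parses the SDP in an INVITE and its 200 OK, derives the RTP and RTCP pinholes for both directions, answers the question "would this UDP datagram be permitted?", and tears the pinholes down on BYE. The SIP messages are constructed for the example (documentation addresses, no Content-Length header), and the class and function names are the example's own.

```python
"""Minimal model of SIP-aware firewall inspection (example code, not Cisco's)."""
from dataclasses import dataclass

# Constructed sample messages: an offer, its answer, and the hang-up.
INVITE = (
    "INVITE sip:bob@192.0.2.20 SIP/2.0\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
    "c=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)
OK = (
    "SIP/2.0 200 OK\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=bob 1 1 IN IP4 192.0.2.20\r\ns=-\r\n"
    "c=IN IP4 192.0.2.20\r\nt=0 0\r\n"
    "m=audio 3456 RTP/AVP 0\r\n"
)
BYE = "BYE sip:alice@192.0.2.10 SIP/2.0\r\nCall-ID: a84b4c76e66710@192.0.2.10\r\nCSeq: 2 BYE\r\n\r\n"


def parse_sip(raw):
    """Split a SIP message into (start line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sdp_media(body):
    """Return [(ip, rtp_port)] for each accepted m= line in an SDP body.

    A session-level c= applies to every stream; a c= after an m= overrides it
    for that stream only. Port 0 means the stream was rejected (RFC 3264).
    """
    session_ip, current, streams = None, None, []
    for line in body.splitlines():
        if line.startswith("c="):
            ip = line.split()[2]          # "c=IN IP4 <addr>"
            if current is None:
                session_ip = ip
            else:
                current[0] = ip
        elif line.startswith("m="):
            port = int(line.split()[1])
            if port == 0:
                current = None            # rejected stream: no pinhole
                continue
            current = [session_ip, port]
            streams.append(current)
    return [(ip, port) for ip, port in streams]


@dataclass(frozen=True)
class Pinhole:
    """One permitted UDP flow (src ip/port -> dst ip/port)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SipInspector:
    """Tracks calls by Call-ID and opens/closes media pinholes from the SDP."""

    def __init__(self):
        self.offers = {}     # call-id -> media from the INVITE
        self.pinholes = {}   # call-id -> set of Pinhole

    def feed(self, raw):
        """Inspect one signaling message; return the pinholes open for that call."""
        start, hdr, body = parse_sip(raw)
        call_id = hdr.get("call-id")
        if call_id is None:
            return set()
        is_sdp = hdr.get("content-type", "").startswith("application/sdp")
        if start.startswith("INVITE") and is_sdp:
            self.offers[call_id] = sdp_media(body)
        elif (start.startswith("SIP/2.0 200") and hdr.get("cseq", "").endswith("INVITE")
              and is_sdp and call_id in self.offers):
            holes = set()
            # Answer m= lines correspond one-to-one, in order, with the offer's.
            for (oip, oport), (aip, aport) in zip(self.offers[call_id], sdp_media(body)):
                for d in (0, 1):   # d=0 RTP, d=1 RTCP (assumed port+1; a=rtcp not handled)
                    holes.add(Pinhole(oip, oport + d, aip, aport + d))
                    holes.add(Pinhole(aip, aport + d, oip, oport + d))
            self.pinholes[call_id] = holes
        elif start.startswith("BYE"):
            self.offers.pop(call_id, None)
            self.pinholes.pop(call_id, None)   # close the media pinholes with the call
        return self.pinholes.get(call_id, set())

    def permits(self, src_ip, src_port, dst_ip, dst_port):
        """The check a packet filter makes for a non-signaling UDP datagram."""
        probe = Pinhole(src_ip, src_port, dst_ip, dst_port)
        return any(probe in holes for holes in self.pinholes.values())
```

Feed the INVITE, then the 200 OK, and `permits()` answers true only for the four negotiated flows (RTP and RTCP, each way); once the BYE is seen they are gone. That is exactly the state a static ACL cannot hold, which is why the router ACL above needs only port 5060.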


Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.

