|
Home > Archive > Voice Over IP in UK > March 2006 > Firewall question
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
|
|
| Dave Saville 2006-03-07, 7:45 am |
| I have been reading up on VOIP and firewalls - Seems they don't mix too well
:-)
Now if one does not have a VOIP/SIP aware firewall then the only option is to
open up to UDP traffic. This comes, quite rightly, with all sorts of dire
warnings. But *if* the specific IP address being used was dedicated to phone
hardware rather than a computer I can't think of any problems it could cause.
Am I missing something?
--
Regards
Dave Saville
NB Remove -nospam for good email address
| |
| Thomas Sandford 2006-03-07, 5:45 pm |
| "Dave Saville" <dave@deezee-nospam.org> wrote in message
news:qnirqrrmrrbet.ivrlys2.pminews@news.aaisp.net.uk...
>I have been reading up on VOIP and firewalls - Seems they don't mix too
>well
> :-)
>
> Now if one does not have a VOIP/SIP aware firewall then the only option is
> to
> open up to UDP traffic. This comes, quite rightly, with all sorts of dire
> warnings. But *if* the specific IP address being used was dedicated to
> phone
> hardware rather than a computer I can't think of any problems it could
> cause.
>
> Am I missing something?
Not really, in terms of the security side of things. You can actually tie
things down a bit tighter than allowing any UDP through.
Most half decent ATAs/phones will allow you to specify the range of RTP
ports used.
For example my Sipura SPA-3000 is set to use RTP ports 16384-16482.
So a working lockdown configuration for this unit would be:
Allow incoming TCP to Sipura port 5060
[SIP on TCP is in the spec, though I've never actually seen it in practice]
Allow incoming UDP to Sipura port 5060
[incoming SIP]
Allow incoming UDP to Sipura port 16384-16482
[incoming RTP]
Allow outgoing UDP from Sipura to any external port
[of course if someone finds a buffer overflow exploit in the SIP or RTP
handling code of your VOIP hardware then all bets are off!]
If your system is doing NAT as well as firewalling there are all sorts of
other problems though...
--
Thomas Sandford
| |
| techpro 2006-03-07, 5:45 pm |
| My SMC Barricade 7404 router/firewall managed to mess up Voip even when
the firewall was completely disabled. Foolishly, thinking that SMC made
good stuff, I replaced it with a 7908VoWBRA (or something like that)
with built in SIP support. After a firmware upgrade, the built in SIP
client works (though I can't access Sipgate voicemail because it
doesn't do DTMF out of band. But it still won't work with a soft phone
client.
SMC tech support never came back with a solution. They don't seem
interested in fixing their firmware. If you're using an SMC firewall,
just give up!
--
Julian Moss
The PC Guru: www.the-pc-guru.com
| |
| Joe Harrison 2006-03-07, 5:45 pm |
| I don't tell my firewall anything about my SIP and STUN setup (apart from
QoS.) There are no forwarded ports, no nothing it just works.
Joe
| |
|
| on 07/03/2006, Joe Harrison supposed :
> I don't tell my firewall anything about my SIP and STUN setup (apart from
> QoS.) There are no forwarded ports, no nothing it just works.
>
> Joe
.....and the make is?
| |
|
| In message <mn.3cf67d633316c514.48968@notonyournelly.co.uk>, Jono
<nothanks@notonyournelly.co.uk> writes
>on 07/03/2006, Joe Harrison supposed :
>
>....and the make is?
>
Can't comment on OP but i have no problems with my linksys WRT54G and
PAP2, possibly because they both support uPnP.
--
Chris
| |
|
| Chris submitted this idea :
> In message <mn.3cf67d633316c514.48968@notonyournelly.co.uk>, Jono
> <nothanks@notonyournelly.co.uk> writes
>
> Can't comment on OP but i have no problems with my linksys WRT54G and PAP2,
> possibly because they both support uPnP.
Yes, I have the same router, however, I'm running the DD-WRT(Voip)
firmware. Excellent.
| |
| Joe Harrison 2006-03-08, 7:45 am |
|
"Jono" <nothanks@notonyournelly.co.uk> wrote in message
news:mn.3cf67d633316c514.48968@notonyournelly.co.uk...
> on 07/03/2006, Joe Harrison supposed :
from[vbcol=seagreen]
>
> ....and the make is?
>
>
Oop sorry Linksys WRT54G with Alchemy reflash. Rechecked the config in case
I had actually needed to do something for SIP and forgot... but no.
| |
|
| Joe Harrison pretended :
> "Jono" <nothanks@notonyournelly.co.uk> wrote in message
> news:mn.3cf67d633316c514.48968@notonyournelly.co.uk...
> Oop sorry Linksys WRT54G with Alchemy reflash. Rechecked the config in case
> I had actually needed to do something for SIP and forgot... but no.
Cheers.
I've the same router although went for the DD-WRT reflash. One thing I
can't do with it is make a SIP=>SIP call internally (dialling out on
one Sipgate "line" and back in on another)
| |
| stephen 2006-03-08, 5:45 pm |
| "Dave Saville" <dave@deezee-nospam.org> wrote in message
news:qnirqrrmrrbet.ivrlys2.pminews@news.aaisp.net.uk...
> I have been reading up on VOIP and firewalls - Seems they don't mix too
well
> :-)
>
> Now if one does not have a VOIP/SIP aware firewall then the only option is
to
> open up to UDP traffic. This comes, quite rightly, with all sorts of dire
> warnings.
maybe this is backwards and you need a router which is SIP / Voip aware for
the protocol you are using?
But *if* the specific IP address being used was dedicated to phone
> hardware rather than a computer I can't think of any problems it could
cause.
A lot of the hardware in a phone or ATA or whatever may be more general
purpose under the surface, so you should sort of assume it may be vulnerable
to something and get attacked rather than expect that it is OK
FWIW a fair number of IP phones use TFTP to grab code upgrades and config
files. TFTP is not exactly secure.....
>
> Am I missing something?
i know this isnt much help if you already have the router (although
complaining about it to the manufacturer might help when they design the
next model) - but a SIP aware router should be what you look for. Fixing up
a compromise is only a fall back approach.
>
> --
>
> Regards
>
> Dave Saville
>
> NB Remove -nospam for good email address
--
Regards
stephen_hope@xyzworld.com - replace xyz with ntl
| |
|
| stephen wrote:
> maybe this is backwards and you need a router which is SIP / Voip aware
> for the protocol you are using?
What's a SIP/VoIP aware router?
--
<http://ale.cx/> (AIM:troffasky) (gebssnfxl@ubgznvy.pbz)
20:29:04 up 1 day, 1:19, 1 user, load average: 0.01, 0.05, 0.01
This is my BOOOOOOOOOOOOOOOOOOOOOMSTICK
| |
| stephen 2006-03-09, 5:45 pm |
| "alexd" <look@my.sig> wrote in message news:2138973.FfGBmBzLAg@ale.cx...
> stephen wrote:
>
>
> What's a SIP/VoIP aware router?
some boxes know how to fix up the info in specific apps that otherwise dont
like address translation, firewalls etc. Often this is because the app needs
several connections to be used for 1 logical link, or allocates port numbers
dynamically.
get this kind of stuff at work sometimes (mainly on firewalls rather than
routers) - the boxes designed of enterprise nets tend to have fixup routines
for various protocols
last one i played with was a PIX with H.323 voice.
here is note on their web site for IOS firewall which is on some of the low
end cisco routers that some use at home:
http://www.cisco.com/en/US/products...00800fd670.html
it might be useful even if you dont have cisco, since it gives a fairly
clear explanation about what is going on - search for "fixup"
>
> --
> <http://ale.cx/> (AIM:troffasky) (gebssnfxl@ubgznvy.pbz)
> 20:29:04 up 1 day, 1:19, 1 user, load average: 0.01, 0.05, 0.01
> This is my BOOOOOOOOOOOOOOOOOOOOOMSTICK
>
--
Regards
stephen_hope@xyzworld.com - replace xyz with ntl
|
|
|
|
|