I have been reading up on VOIP and firewalls - Seems they don't mix too well
:-)

Now if one does not have a VOIP/SIP aware firewall then the only option is t
o
open up to UDP traffic. This comes, quite rightly, with all sorts of dire
warnings. But *if* the specific IP address being used was dedicated to phone
hardware rather than a computer I can't think of any problems it could cause
.

Am I missing something?

--

Regards

Dave Saville

NB Remove -nospam for good email address

[ Post a follow-up to this message ]

"Dave Saville" <dave@deezee-nospam.org> wrote in message
news:qnirqrrmrrbet.ivrlys2.pminews@news.aaisp.net.uk...
>I have been reading up on VOIP and firewalls - Seems they don't mix too
>well
> :-)
>
> Now if one does not have a VOIP/SIP aware firewall then the only option is
> to
> open up to UDP traffic. This comes, quite rightly, with all sorts of dire
> warnings. But *if* the specific IP address being used was dedicated to
> phone
> hardware rather than a computer I can't think of any problems it could
> cause.
>
> Am I missing something?

Not really, in terms of the security side of things. You can actually tie
things down a bit tighter than allowing any UDP through.

Most half decent ATAs/phones will allow you to specify the range of RTP
ports used.

For example my Sipura SPA-3000 is set to use RTP ports 16384-16482.

So a working lockdown configuration for this unit would be:

Allow incoming TCP to Sipura port 5060
[SIP on TCP is in the spec, though I've never actually seen it in practi
ce]
Allow incoming UDP to Sipura port 5060
[incoming SIP]
Allow incoming UDP to Sipura port 16384-16482
[incoming RTP]
Allow outgoing UDP from Sipura to any external port

[of course if someone finds a buffer overflow exploit in the SIP or RTP
handling code of your VOIP hardware then all bets are off!]

If your system is doing NAT as well as firewalling there are all sorts of
other problems though...
--
Thomas Sandford

[ Post a follow-up to this message ]

My SMC Barricade 7404 router/firewall managed to mess up Voip even when
the firewall was completely disabled. Foolishly, thinking that SMC made
good stuff, I replaced it with a 7908VoWBRA (or something like that)
with built in SIP support. After a firmware upgrade, the built in SIP
client works (though I can't access Sipgate voicemail because it
doesn't do DTMF out of band. But it still won't work with a soft phone
client.

SMC tech support never came back with a solution. They don't seem
interested in fixing their firmware. If you're using an SMC firewall,
just give up!
--
Julian Moss
The PC Guru: www.the-pc-guru.com

[ Post a follow-up to this message ]

I don't tell my firewall anything about my SIP and STUN setup (apart from
QoS.) There are no forwarded ports, no nothing it just works.

Joe

[ Post a follow-up to this message ]

on 07/03/2006, Joe Harrison supposed :
> I don't tell my firewall anything about my SIP and STUN setup (apart from
> QoS.) There are no forwarded ports, no nothing it just works.
>
> Joe

....and the make is?

[ Post a follow-up to this message ]

In message <mn.3cf67d633316c514.48968@notonyournelly.co.uk>, Jono
<nothanks@notonyournelly.co.uk> writes
>on 07/03/2006, Joe Harrison supposed : 
>
>....and the make is?
>

Can't comment on OP but i have no problems with my linksys WRT54G and
PAP2, possibly because they both support uPnP.
--
Chris

[ Post a follow-up to this message ]

Chris submitted this idea :
> In message <mn.3cf67d633316c514.48968@notonyournelly.co.uk>, Jono
> <nothanks@notonyournelly.co.uk> writes 
>
> Can't comment on OP but i have no problems with my linksys WRT54G and PAP2
,
> possibly because they both support uPnP.

Yes, I have the same router, however, I'm running the DD-WRT(Voip)
firmware. Excellent.

[ Post a follow-up to this message ]

"Jono" <nothanks@notonyournelly.co.uk> wrote in message
news:mn.3cf67d633316c514.48968@notonyournelly.co.uk...
> on 07/03/2006, Joe Harrison supposed : 
from[vbcol=seagreen] 
>
> ....and the make is?
>
>
Oop sorry Linksys WRT54G with Alchemy reflash. Rechecked the config in case
I had actually needed to do something for SIP and forgot... but no.

[ Post a follow-up to this message ]

Joe Harrison pretended :
> "Jono" <nothanks@notonyournelly.co.uk> wrote in message
> news:mn.3cf67d633316c514.48968@notonyournelly.co.uk... 
> Oop sorry Linksys WRT54G with Alchemy reflash. Rechecked the config in cas
e
> I had actually needed to do something for SIP and forgot... but no.

Cheers.

I've the same router although went for the DD-WRT reflash. One thing I
can't do with it is make a SIP=>SIP call internally (dialling out on
one Sipgate "line" and back in on another)

[ Post a follow-up to this message ]

"Dave Saville" <dave@deezee-nospam.org> wrote in message
news:qnirqrrmrrbet.ivrlys2.pminews@news.aaisp.net.uk...
> I have been reading up on VOIP and firewalls - Seems they don't mix too
well
> :-)
>
> Now if one does not have a VOIP/SIP aware firewall then the only option is
to
> open up to UDP traffic. This comes, quite rightly, with all sorts of dire
> warnings.

maybe this is backwards and you need a router which is SIP / Voip aware for
the protocol you are using?

But *if* the specific IP address being used was dedicated to phone
> hardware rather than a computer I can't think of any problems it could
cause.

A lot of the hardware in a phone or ATA or whatever may be more general
purpose under the surface, so you should sort of assume it may be vulnerable
to something and get attacked rather than expect that it is OK

FWIW a fair number of IP phones use TFTP to grab code upgrades and config
files. TFTP is not exactly secure.....
>
> Am I missing something?

i know this isnt much help if you already have the router (although
complaining about it to the manufacturer might help when they design the
next model) - but a SIP aware router should be what you look for. Fixing up
a compromise is only a fall back approach.
>
> --
>
> Regards
>
> Dave Saville
>
> NB Remove -nospam for good email address
--
Regards

stephen_hope@xyzworld.com - replace xyz with ntl

[ Post a follow-up to this message ]