[cisco-voip] SBC/CUBE placement Question

Rik Koenig mahgri at gmail.com
Thu Mar 1 02:04:27 EST 2012


Bob,

Thanks for the reply.
In this case, the CUBE-SBC connection is over the internet. There is
authentication running between the SP SBC and the CUBE, and of course, SIP
communication to the device is limited to the expected IP addresses. I was
curious if the firewall would add any headaches or would become a hindrance
on the performance of the media streams, or even if it would provide any
meaningful extra security. The indication here seems to be that it's likely
worth having the CUBE completely on the inside.

Thanks,

Rik

On Tue, Feb 28, 2012 at 9:23 AM, Bob Zanett (AM) <
bob.zanett at dimensiondata.com> wrote:

> Rik,****
>
> ** **
>
> A couple of clarifying questions:****
>
> **1.       **Does your SIP (assuming it is SIP) pipe connect over a
> regular internet connection or an internal MPLS network?****
>
> **2.       **What security do you have for your SIP connection?****
>
> ** **
>
> Security as you seem to indicate below is multiple steps/layers.   I have
> seen various setups at customers and it is always a balance between
> security and risk.   The more risk mitigation, the more costly the security
> measures – typically.   ****
>
> ** **
>
> For instance, if your SBC is connecting to your internal MPLS cloud and
> that is how the SIP trunk is being delivered – how likely is it that an
> external influence can impact that pipe?   This is always a good question
> for the telco, by the way.  If you do not have a firewall on every MPLS
> link, why add one for a SIP trunk running on that same link?  The answer
> will usually depend on the telco’s answer.   Many times in this situation,
> the SBC acts not only for a security step but also a demarcation point
> between the telco and your company.****
>
> ** **
>
> If your SIP trunk is coming in over the internet – I would always lean to
> having a firewall in front of the SBC.  I have seen companies simply stick
> with just an SBC but why not make use of a device that you already have
> deployed on such pipes?****
>
> ** **
>
> The next layer is security on your MPLS or Internet connection.   How is
> that being handled?  Secure handshake, simple password, IP addressing only,
> etc.****
>
> ** **
>
> Next look at the SIP trunk.  Security for the SIP trunk can range from
> simple static IP addressing for endpoints to some type of handshake.   This
> again is what to question your telco on.****
>
> ** **
>
> Many times, security can be drastically increased with simple measures:***
> *
>
> **1.       **Making use of already deployed infrastucture – firewalls on
> internet pipes, etc.****
>
> **2.       **SBC security features****
>
> **3.       **Increase security on connections – instead of simply using
> IP addresses – add a secure handshake, etc.****
>
> **4.       **Talk to your telco as they see many types and most likely
> may have some recommendations.****
>
> ** **
>
> Cheers -****
>
> Bob Zanett****
>
> Technical Services Architect****
>
> ** **
>
> *From:* cisco-voip-bounces at puck.nether.net [mailto:
> cisco-voip-bounces at puck.nether.net] *On Behalf Of *Rik Koenig
> *Sent:* Monday, February 27, 2012 11:44 PM
> *To:* cisco-voip at puck.nether.net
> *Subject:* [cisco-voip] SBC/CUBE placement Question****
>
> ** **
>
>
>
> I have a question regarding placement of a CUBE. Given that the CUCM and
> phones are on the inside of the FW, and that the SP SBC is on the outside,
> is it better to
> 1: place the CUBE completely behind a firewall, and let the PSTN trunk go
> through the firewall
> 2: place the CUBE on the outside of the FW, or on a DMZ
> 3: Place one interface on the outside, one on the inside, and lock down
> the router with ACLs, so that the only connections allowed to it are from
> the service provider SBC and internal UC devices?
>
> 2 seems like it's a bad choice, you'd bog down the FW with dynamically
> opening up for all the RTP between the CUBE and phones. 3 would work, but
> you really have to trust that the ACLs aren't letting anything in... 1 does
> seem like the way to go, but I'm interested in what better and wiser heads
> say.
>
> If this is well-answered in documentation, please point me to it. I looked
> in the SRND, but it seemed to say that it can be done a lot of different
> ways. If there are other ways, I'm open
>
> Thanks,
>
> Rik
>
>
> itevomcid ****
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20120301/10c0013a/attachment.html>


More information about the cisco-voip mailing list