[cisco-voip] SBC/CUBE placement Question

Dennis Heim Dennis.Heim at cdw.com
Thu Mar 1 02:51:08 EST 2012


Remember when dealing with voice and a firewall, you are dealing with lots of small packets. 20ms of audio per packet.

Dennis Heim
Senior Engineer (Unified Communications)
CDW  Advanced Technology Services
10610 9th Place
Bellevue, WA 98004

425.310.5299 Single Number Reach (WA)
317.569.4255 Single Number Reach (IN)
317.569.4201 Fax
dennis.heim at cdw.com
http://www.cdw.com/content/solutions/unified-communications/

From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Rik Koenig
Sent: Wednesday, February 29, 2012 11:04 PM
To: Bob Zanett (AM)
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] SBC/CUBE placement Question

Bob,

Thanks for the reply.
In this case, the CUBE-SBC connection is over the internet. There is authentication running between the SP SBC and the CUBE, and of course, SIP communication to the device is limited to the expected IP addresses. I was curious if the firewall would add any headaches or would become a hindrance on the performance of the media streams, or even if it would provide any meaningful extra security. The indication here seems to be that it's likely worth having the CUBE completely on the inside.

Thanks,

Rik

On Tue, Feb 28, 2012 at 9:23 AM, Bob Zanett (AM) <bob.zanett at dimensiondata.com> wrote:
Rik,

A couple of clarifying questions:

1. Does your SIP (assuming it is SIP) pipe connect over a regular internet connection or an internal MPLS network?

2. What security do you have for your SIP connection?

Security as you seem to indicate below is multiple steps/layers. I have seen various setups at customers and it is always a balance between security and risk. The more risk mitigation, the more costly the security measures – typically.

For instance, if your SBC is connecting to your internal MPLS cloud and that is how the SIP trunk is being delivered – how likely is it that an external influence can impact that pipe? This is always a good question for the telco, by the way. If you do not have a firewall on every MPLS link, why add one for a SIP trunk running on that same link? The answer will usually depend on the telco’s answer. Many times in this situation, the SBC acts not only for a security step but also a demarcation point between the telco and your company.

If your SIP trunk is coming in over the internet – I would always lean to having a firewall in front of the SBC. I have seen companies simply stick with just an SBC but why not make use of a device that you already have deployed on such pipes?

The next layer is security on your MPLS or Internet connection. How is that being handled? Secure handshake, simple password, IP addressing only, etc.

Next look at the SIP trunk. Security for the SIP trunk can range from simple static IP addressing for endpoints to some type of handshake. This again is what to question your telco on.

Many times, security can be drastically increased with simple measures:

1. Making use of already deployed infrastructure – firewalls on internet pipes, etc.

2. SBC security features

3. Increase security on connections – instead of simply using IP addresses – add a secure handshake, etc.

4. Talk to your telco as they see many types and most likely may have some recommendations.

Cheers -
Bob Zanett
Technical Services Architect

From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Rik Koenig
Sent: Monday, February 27, 2012 11:44 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] SBC/CUBE placement Question



I have a question regarding placement of a CUBE. Given that the CUCM and phones are on the inside of the FW, and that the SP SBC is on the outside, is it better to
1: place the CUBE completely behind a firewall, and let the PSTN trunk go through the firewall
2: place the CUBE on the outside of the FW, or on a DMZ
3: Place one interface on the outside, one on the inside, and lock down the router with ACLs, so that the only connections allowed to it are from the service provider SBC and internal UC devices?

2 seems like it's a bad choice, you'd bog down the FW with dynamically opening up for all the RTP between the CUBE and phones. 3 would work, but you really have to trust that the ACLs aren't letting anything in... 1 does seem like the way to go, but I'm interested in what better and wiser heads say.

If this is well-answered in documentation, please point me to it. I looked in the SRND, but it seemed to say that it can be done a lot of different ways. If there are other ways, I'm open.

Thanks,

Rik
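The lockdown that option 3 describes, sketched as an added IOS configuration example. This is not from the thread, from Cisco documentation, or from any of the posters; it only illustrates the shape of the controls discussed above (interface ACLs limiting signaling and media to the provider SBC and the internal UC devices, plus CUBE's own trusted-address check and the digest credentials Bob calls a "secure handshake"). All addresses (RFC 5737 documentation ranges), interface names, the CUCM and phone subnets, and the credential values are placeholders, and the 16384-32767 media range is the IOS default.

```ios
! Added example, not configuration from the thread or from Cisco.
! Placeholders: SP SBC 203.0.113.10, CUBE outside 198.51.100.5,
! CUBE inside 10.1.1.1, CUCM 10.1.1.10, phone subnet 10.1.10.0/24.
!
! 1. Outside interface: only the provider SBC may send SIP signaling or
!    RTP/RTCP toward the CUBE. Anything else is dropped and logged so the
!    SOC sees scanning and unsolicited INVITE attempts.
ip access-list extended CUBE-OUTSIDE-IN
 remark SIP signaling from the SP SBC only
 permit udp host 203.0.113.10 host 198.51.100.5 eq 5060
 permit tcp host 203.0.113.10 host 198.51.100.5 eq 5060
 remark RTP/RTCP from the SP media address into the CUBE media port range
 permit udp host 203.0.113.10 host 198.51.100.5 range 16384 32767
 remark Everything else (including management) is denied and logged
 deny ip any any log
!
interface GigabitEthernet0/0
 description Outside - toward service provider SBC
 ip address 198.51.100.5 255.255.255.0
 ip access-group CUBE-OUTSIDE-IN in
!
! 2. Inside interface: only CUCM may signal to the CUBE, and only the
!    phone subnet may send media to it.
ip access-list extended CUBE-INSIDE-IN
 remark SIP from CUCM only
 permit udp host 10.1.1.10 host 10.1.1.1 eq 5060
 permit tcp host 10.1.1.10 host 10.1.1.1 eq 5060
 remark RTP/RTCP from the phone subnet into the CUBE media port range
 permit udp 10.1.10.0 0.0.0.255 host 10.1.1.1 range 16384 32767
 deny ip any any log
!
interface GigabitEthernet0/1
 description Inside - toward CUCM and phones
 ip address 10.1.1.1 255.255.255.0
 ip access-group CUBE-INSIDE-IN in
!
! 3. CUBE's own application-layer check, independent of the interface
!    ACLs: incoming calls are only accepted from trusted signaling
!    addresses, which limits toll-fraud exposure if an ACL is ever relaxed.
voice service voip
 ip address trusted list
  ipv4 203.0.113.10
  ipv4 10.1.1.10
 allow-connections sip to sip
!
! 4. Digest credentials for the provider trunk (the "secure handshake"
!    layered on top of address filtering). Placeholder values; the provider
!    supplies the real username, password and realm.
sip-ua
 authentication username cube-trunk password 0 CHANGE-ME realm sip.example.net
```

Two caveats a practitioner would check before relying on this: many providers send media from addresses other than the signaling SBC, so the RTP `permit` lines must reflect the provider's actual media addresses or the call will set up and then have one-way or no audio; and the outside `deny ip any any log` also blocks management, DNS and NTP on that interface, so anything the router legitimately needs through the outside path must be permitted explicitly. Because the ACLs are static, this design does not track RTP ports per call the way a SIP-aware firewall would; it simply bounds who may reach the media range at all, which is the trade-off Rik identifies in option 3.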
