[cisco-voip] SBC/CUBE placement Question

Rik Koenig mahgri at gmail.com
Thu Mar 8 22:13:38 EST 2012


Thanks to all for the help. Once I get the equipment, I will have some
quantifying to do!


On Thu, Mar 1, 2012 at 10:48 AM, Haas, Neal <nhaas at co.fresno.ca.us> wrote:

> Just a quick note: SBC SIP trunk is not filtered internet! Place your
> CUBE behind a firewall.
>
> SBC does not have set instructions for ports and such; they change per
> installation. We found this out while installing.
>
> Neal
>
> *From:* cisco-voip-bounces at puck.nether.net [mailto:
> cisco-voip-bounces at puck.nether.net] *On Behalf Of *Bob Zanett (AM)
> *Sent:* Thursday, March 01, 2012 7:44 AM
> *To:* Rik Koenig
>
> *Cc:* cisco-voip at puck.nether.net
> *Subject:* Re: [cisco-voip] SBC/CUBE placement Question
>
> Rik,
>
> Exactly.  The firewall will simply help shield the SBC.  Can the SBC
> handle it?  It depends on many factors, from what type of features the
> SBC has to what resourcing stresses adding firewall features to the
> SBC creates, etc.
>
> Allowing the firewall to deal with all the other traffic frees resources
> on the SBC for its core functions.   And of course, this
> comment can be argued over – do you separate functions by physical device
> or not?   What it boils down to is: does the device mitigate the identified
> risks to your standards and handle the defined requirements for throughput,
> delay, etc.?
>
> As for the firewall, what are the concerns?
>
> 1. How does it prioritize voice/video traffic?
>
> 2. Depending on how many calls and devices pass through the
> firewall, how does it handle a lot of small voice packets?   Does this
> impact the throughput of the firewall?
>
> 3. How is the firewall handling inspection of the packets?  Is
> it adding significant delay?
>
> Off the top of my head, these are just a few of the items to think about
> and validate.  There are lots more and I am sure there are many on the list
> that can add their experiences.
>
> What would I do?  If your firewall can efficiently handle it without
> impacting voice, I would place the SBC behind the firewall.
>
> Kind Regards,
>
> Bob Zanett
>
> Technical Services Architect
>
> Dimension Data Americas
>
> *From:* Rik Koenig [mailto:mahgri at gmail.com]
> *Sent:* Thursday, March 01, 2012 1:04 AM
> *To:* Bob Zanett (AM)
> *Cc:* cisco-voip at puck.nether.net
> *Subject:* Re: [cisco-voip] SBC/CUBE placement Question
>
>
> Bob,
>
> Thanks for the reply.
> In this case, the CUBE-SBC connection is over the internet. There is
> authentication running between the SP SBC and the CUBE, and of course, SIP
> communication to the device is limited to the expected IP addresses. I was
> curious if the firewall would add any headaches or would become a hindrance
> on the performance of the media streams, or even if it would provide any
> meaningful extra security. The indication here seems to be that it's likely
> worth having the CUBE completely on the inside.
>
> Thanks,
>
> Rik
>
> On Tue, Feb 28, 2012 at 9:23 AM, Bob Zanett (AM) <
> bob.zanett at dimensiondata.com> wrote:
>
> Rik,
>
> A couple of clarifying questions:
>
> 1. Does your SIP (assuming it is SIP) pipe connect over a regular
> internet connection or an internal MPLS network?
>
> 2. What security do you have for your SIP connection?
>
> Security, as you seem to indicate below, is multiple steps/layers.   I have
> seen various setups at customers and it is always a balance between
> security and risk.   The more risk mitigation, the more costly the security
> measures – typically.
>
> For instance, if your SBC is connecting to your internal MPLS cloud and
> that is how the SIP trunk is being delivered – how likely is it that an
> external influence can impact that pipe?   This is always a good question
> for the telco, by the way.  If you do not have a firewall on every MPLS
> link, why add one for a SIP trunk running on that same link?  The answer
> will usually depend on the telco’s answer.   Many times in this situation,
> the SBC acts not only as a security step but also as a demarcation point
> between the telco and your company.
>
> If your SIP trunk is coming in over the internet – I would always lean to
> having a firewall in front of the SBC.  I have seen companies simply stick
> with just an SBC, but why not make use of a device that you already have
> deployed on such pipes?
>
> The next layer is security on your MPLS or Internet connection.   How is
> that being handled?  Secure handshake, simple password, IP addressing only,
> etc.
>
> Next look at the SIP trunk.  Security for the SIP trunk can range from
> simple static IP addressing for endpoints to some type of handshake.   This
> again is what to question your telco on.
>
> Many times, security can be drastically increased with simple measures:
>
> 1. Making use of already deployed infrastructure – firewalls on
> internet pipes, etc.
>
> 2. SBC security features
>
> 3. Increase security on connections – instead of simply using IP
> addresses – add a secure handshake, etc.
>
> 4. Talk to your telco as they see many types and most likely may
> have some recommendations.
>
> Cheers -
>
> Bob Zanett
>
> Technical Services Architect
>
> *From:* cisco-voip-bounces at puck.nether.net [mailto:
> cisco-voip-bounces at puck.nether.net] *On Behalf Of *Rik Koenig
> *Sent:* Monday, February 27, 2012 11:44 PM
> *To:* cisco-voip at puck.nether.net
> *Subject:* [cisco-voip] SBC/CUBE placement Question
>
> I have a question regarding placement of a CUBE. Given that the CUCM and
> phones are on the inside of the FW, and that the SP SBC is on the outside,
> is it better to
> 1: place the CUBE completely behind a firewall, and let the PSTN trunk go
> through the firewall
> 2: place the CUBE on the outside of the FW, or on a DMZ
> 3: Place one interface on the outside, one on the inside, and lock down
> the router with ACLs, so that the only connections allowed to it are from
> the service provider SBC and internal UC devices?
>
> 2 seems like it's a bad choice, you'd bog down the FW with dynamically
> opening up for all the RTP between the CUBE and phones. 3 would work, but
> you really have to trust that the ACLs aren't letting anything in... 1 does
> seem like the way to go, but I'm interested in what better and wiser heads
> say.
>
> If this is well-answered in documentation, please point me to it. I looked
> in the SRND, but it seemed to say that it can be done a lot of different
> ways. If there are other ways, I'm open.
>
> Thanks,
>
> Rik
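Added example, not part of the original thread: a minimal Cisco IOS configuration for Rik's option 3, a dual-homed CUBE whose outside interface is locked down so that only the provider SBC can reach it, with CUBE's own trusted-address check as a second layer that survives an ACL mistake. Every address (203.0.113.10 for the SP SBC, 198.51.100.5 for the CUBE outside interface, 10.10.10.0/24 for the inside UC subnet, 10.10.10.10 for CUCM), the SIP port 5060 and the RTP range 16384-32767 are assumptions for illustration; as Neal's note above says, the provider's addresses and ports change per installation, so confirm them with the telco. The same ACL and trusted-list settings still apply if the CUBE sits fully behind the firewall (option 1); they simply add a control the firewall does not have.

```cisco
! Added example: hardened outside interface for a dual-homed CUBE (option 3).
! All addresses and ports below are assumptions; get the real ones from the SP.
!
! Layer 1: only the provider SBC may send SIP or RTP to the outside address.
! Everything else is dropped and logged, so unexpected sources show in syslog.
ip access-list extended CUBE-OUTSIDE-IN
 remark SIP signalling from the SP SBC (203.0.113.10 is an assumed address)
 permit udp host 203.0.113.10 host 198.51.100.5 eq 5060
 permit tcp host 203.0.113.10 host 198.51.100.5 eq 5060
 remark RTP/RTCP media from the SP SBC into the assumed CUBE media range
 permit udp host 203.0.113.10 host 198.51.100.5 range 16384 32767
 remark ICMP from the provider only, for reachability troubleshooting
 permit icmp host 203.0.113.10 host 198.51.100.5
 remark no management (SSH, SNMP, HTTP) from the outside at all
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Outside - towards SP SBC
 ip address 198.51.100.5 255.255.255.248
 ip access-group CUBE-OUTSIDE-IN in
 no ip proxy-arp
 no ip redirects
 no ip unreachables
!
interface GigabitEthernet0/1
 description Inside - towards CUCM and phones
 ip address 10.10.10.5 255.255.255.0
!
! Layer 2, independent of the ACL: CUBE rejects any SIP call whose source is
! not on the trusted list (toll-fraud prevention), so a typo in the ACL does
! not by itself let an untrusted source place calls out the PSTN trunk.
voice service voip
 ip address trusted list
  ipv4 203.0.113.10 255.255.255.255
  ipv4 10.10.10.0 255.255.255.0
 ip address trusted authenticate
 allow-connections sip to sip
!
! Bind each leg to its own interface so SIP and RTP towards the provider only
! ever leave Gi0/0, and the inside leg only ever uses Gi0/1.
dial-peer voice 100 voip
 description Outbound to SP SBC
 destination-pattern 9T
 session protocol sipv2
 session target ipv4:203.0.113.10
 voice-class sip bind control source-interface GigabitEthernet0/0
 voice-class sip bind media source-interface GigabitEthernet0/0
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
!
dial-peer voice 200 voip
 description Inbound from SP SBC towards CUCM (assumed DID block 555xxxx)
 destination-pattern 555....
 session protocol sipv2
 session target ipv4:10.10.10.10
 voice-class sip bind control source-interface GigabitEthernet0/1
 voice-class sip bind media source-interface GigabitEthernet0/1
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
```

After cutover, `show ip access-lists CUBE-OUTSIDE-IN` gives per-entry hit counts and the log messages from the final deny show what else was knocking on the outside interface, which answers Rik's worry about having to trust the ACLs; `show ip address trusted list` confirms the trusted-list state. If the provider later changes its SBC address or port, both the ACL and the trusted list need updating, so keep them next to each other in the config.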