<div class="gmail_quote">Bob,<br><br>Thanks for the reply. <br>In this case, the CUBE-SBC connection is over the internet. There is authentication running between the SP SBC and the CUBE, and of course, SIP communication to the device is limited to the expected IP addresses. I was curious if the firewall would add any headaches or would become a hindrance on the performance of the media streams, or even if it would provide any meaningful extra security. The indication here seems to be that it's likely worth having the CUBE completely on the inside. <br>
<br>Thanks,<br><br>Rik<br><br>On Tue, Feb 28, 2012 at 9:23 AM, Bob Zanett (AM) <span dir="ltr"><<a href="mailto:bob.zanett@dimensiondata.com">bob.zanett@dimensiondata.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Rik,<u></u><u></u></span></p><p class="MsoNormal">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">A couple of clarifying questions:<u></u><u></u></span></p>
<p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>1.<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Does your SIP (assuming it is SIP) pipe connect over a regular internet connection or an internal MPLS network?<u></u><u></u></span></p>
<p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>2.<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">What security do you have for your SIP connection?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Security as you seem to indicate below is multiple steps/layers. I have seen various setups at customers and it is always a balance between security and risk. The more risk mitigation, the more costly the security measures – typically. <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">For instance, if your SBC is connecting to your internal MPLS cloud and that is how the SIP trunk is being delivered – how likely is it that an external influence can impact that pipe? This is always a good question for the telco, by the way. If you do not have a firewall on every MPLS link, why add one for a SIP trunk running on that same link? The answer will usually depend on the telco’s answer. Many times in this situation, the SBC acts not only for a security step but also a demarcation point between the telco and your company.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">If your SIP trunk is coming in over the internet – I would always lean to having a firewall in front of the SBC. I have seen companies simply stick with just an SBC but why not make use of a device that you already have deployed on such pipes?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The next layer is security on your MPLS or Internet connection. How is that being handled? Secure handshake, simple password, IP addressing only, etc.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Next look at the SIP trunk. Security for the SIP trunk can range from simple static IP addressing for endpoints to some type of handshake. This again is what to question your telco on.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Many times, security can be drastically increased with simple measures:<u></u><u></u></span></p>
<p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>1.<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Making use of already deployed infrastucture – firewalls on internet pipes, etc.<u></u><u></u></span></p>
<p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>2.<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">SBC security features<u></u><u></u></span></p>
<p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>3.<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Increase security on connections – instead of simply using IP addresses – add a secure handshake, etc.<u></u><u></u></span></p>
<p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>4.<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Talk to your telco as they see many types and most likely may have some recommendations.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Cheers -<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Bob Zanett<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Technical Services Architect<u></u><u></u></span></p>
</div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a> [mailto:<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>] <b>On Behalf Of </b>Rik Koenig<br>
<b>Sent:</b> Monday, February 27, 2012 11:44 PM<br><b>To:</b> <a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br><b>Subject:</b> [cisco-voip] SBC/CUBE placement Question<u></u><u></u></span></p>
</div></div><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"></p><div><div class="h5"><br><br>I have a question regarding placement of a CUBE. Given that the CUCM and phones are on the inside of the FW, and that the SP SBC is on the outside, is it better to <br>
1: place the CUBE completely behind a firewall, and let the PSTN trunk go through the firewall<br>2: place the CUBE on the outside of the FW, or on a DMZ<br>3: Place one interface on the outside, one on the inside, and lock down the router with ACLs, so that the only connections allowed to it are from the service provider SBC and internal UC devices?<br>
<br>2 seems like it's a bad choice, you'd bog down the FW with dynamically opening up for all the RTP between the CUBE and phones. 3 would work, but you really have to trust that the ACLs aren't letting anything in... 1 does seem like the way to go, but I'm interested in what better and wiser heads say. <br>
<br>If this is well-answered in documentation, please point me to it. I looked in the SRND, but it seemed to say that it can be done a lot of different ways. If there are other ways, I'm open<br><br>Thanks,<br><br>Rik<br>
<br><br></div></div><span style="color:white">itevomcid</span> <u></u><u></u><p></p></div></div></blockquote></div><br>