<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Do not put an SBC behind a firewall. That will cause you a lot of problems. It is easy to securely configure CUBE or another SBC such as Acme Packet with one public facing and one private facing IP. They are intended to be on the edge.<div><br></div><div><br><div><div>On Mar 8, 2012, at 8:13 PM, Rik Koenig wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Thanks to all for the help. Once I get the equipment, I will have some quantifying to do!<br><br><br><div class="gmail_quote">On Thu, Mar 1, 2012 at 10:48 AM, Haas, Neal <span dir="ltr"><<a href="mailto:nhaas@co.fresno.ca.us">nhaas@co.fresno.ca.us</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Just a quick note: the SBC SIP trunk is not filtered internet! Place your CUBE behind a firewall.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The SBC does not have set instructions for ports and such; they change per installation. We found this out while installing.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Neal
<u></u><u></u></span></p>
</div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a> [mailto:<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>]
<b>On Behalf Of </b>Bob Zanett (AM)<br>
<b>Sent:</b> Thursday, March 01, 2012 7:44 AM<br>
<b>To:</b> Rik Koenig</span></p><div><div class="h5"><br>
<b>Cc:</b> <a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<b>Subject:</b> Re: [cisco-voip] SBC/CUBE placement Question<u></u><u></u></div></div><div><br class="webkit-block-placeholder"></div>
</div>
</div><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Rik,<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Exactly. The firewall will simply help shield the SBC. Can the SBC handle it? It depends on many factors, from what type of features the SBC has to
what resourcing stresses adding firewall features to the SBC causes, etc. <u></u>
<u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Allowing the firewall to deal with all the other traffic allows resources on the SBC to be redirected to its core functions. And of course, this comment
can be argued over: do you separate functions by physical device or not? What it boils down to is: does the device mitigate the identified risks to your standards and handle the defined requirements for throughput, delay, etc.?
<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">As for the firewall, what are concerns?<u></u><u></u></span></p><p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">How does it prioritize voice/video traffic?<u></u><u></u></span></p><p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Depending on how many calls and devices pass through the firewall, how does it handle a lot of small voice packets? Does this impact the throughput
of the firewall?<u></u><u></u></span></p><p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>3.<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">How is the firewall handling inspection of the packets? Is it adding significant delay?<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Off the top of my head, these are just a few of the items to think about and validate. There are lots more and I am sure there are many on the list that can
add their experiences.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">What would I do? If your firewall can efficiently handle it without impacting voice, I would place the SBC behind the firewall.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Kind Regards,<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Bob Zanett<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Technical Services Architect<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Dimension Data Americas<u></u><u></u></span></p><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Rik Koenig
<a href="mailto:mahgri@gmail.com" target="_blank">[mailto:mahgri@gmail.com]</a> <br>
<b>Sent:</b> Thursday, March 01, 2012 1:04 AM<br>
<b>To:</b> Bob Zanett (AM)<br>
<b>Cc:</b> <a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<b>Subject:</b> Re: [cisco-voip] SBC/CUBE placement Question<u></u><u></u></span></p><p class="MsoNormal"><u></u> <u></u></p>
<div><p class="MsoNormal">Bob,<br>
<br>
Thanks for the reply. <br>
In this case, the CUBE-SBC connection is over the internet. There is authentication running between the SP SBC and the CUBE, and of course, SIP communication to the device is limited to the expected IP addresses. I was curious if the firewall would add any
headaches or would become a hindrance on the performance of the media streams, or even if it would provide any meaningful extra security. The indication here seems to be that it's likely worth having the CUBE completely on the inside.
<br>
<br>
Thanks,<br>
<br>
Rik<br>
<br>
On Tue, Feb 28, 2012 at 9:23 AM, Bob Zanett (AM) <<a href="mailto:bob.zanett@dimensiondata.com" target="_blank">bob.zanett@dimensiondata.com</a>> wrote:<u></u><u></u></p>
<div>
<div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Rik,</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">A couple of clarifying questions:</span><u></u><u></u></p><p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">1.</span><span style="font-size:7.0pt;color:#1f497d">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Does your SIP (assuming it is SIP) pipe connect over a regular internet connection or an internal MPLS network?</span><u></u><u></u></p><p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">2.</span><span style="font-size:7.0pt;color:#1f497d">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">What security do you have for your SIP connection?</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Security as you seem to indicate below is multiple steps/layers. I have seen various setups at
customers and it is always a balance between security and risk. The more risk mitigation, the more costly the security measures typically.
</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">For instance, if your SBC is connecting to your internal MPLS cloud and that is how the SIP trunk
is being delivered, how likely is it that an external influence can impact that pipe? This is always a good question for the telco, by the way. If you do not have a firewall on every MPLS link, why add one for a SIP trunk running on that same link? The
answer will usually depend on the telco's answer. Many times in this situation, the SBC acts not only as a security step but also as a demarcation point between the telco and your company.</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">If your SIP trunk is coming in over the internet, I would always lean toward having a firewall in front
of the SBC. I have seen companies simply stick with just an SBC but why not make use of a device that you already have deployed on such pipes?</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The next layer is security on your MPLS or Internet connection. How is that being handled? Secure
handshake, simple password, IP addressing only, etc.</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Next look at the SIP trunk. Security for the SIP trunk can range from simple static IP addressing
for endpoints to some type of handshake. This again is what to question your telco on.</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Many times, security can be drastically increased with simple measures:</span><u></u><u></u></p><p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">1.</span><span style="font-size:7.0pt;color:#1f497d">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Making use of already deployed infrastructure firewalls on internet pipes, etc.</span><u></u><u></u></p><p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">2.</span><span style="font-size:7.0pt;color:#1f497d">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">SBC security features</span><u></u><u></u></p><p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">3.</span><span style="font-size:7.0pt;color:#1f497d">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Increase security on connections: instead of simply using IP addresses, add a secure handshake, etc.</span><u></u><u></u></p><p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">4.</span><span style="font-size:7.0pt;color:#1f497d">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Talk to your telco as they see many types and most likely may have some recommendations.</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Cheers -</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Bob Zanett</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Technical Services Architect</span><u></u><u></u></p>
</div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a> [mailto:<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>]
<b>On Behalf Of </b>Rik Koenig<br>
<b>Sent:</b> Monday, February 27, 2012 11:44 PM<br>
<b>To:</b> <a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<b>Subject:</b> [cisco-voip] SBC/CUBE placement Question</span><u></u><u></u></p>
</div>
</div><p class="MsoNormal"> <u></u><u></u></p>
<div>
<div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
I have a question regarding placement of a CUBE. Given that the CUCM and phones are on the inside of the FW, and that the SP SBC is on the outside, is it better to
<br>
1: place the CUBE completely behind a firewall, and let the PSTN trunk go through the firewall<br>
2: place the CUBE on the outside of the FW, or on a DMZ<br>
3: Place one interface on the outside, one on the inside, and lock down the router with ACLs, so that the only connections allowed to it are from the service provider SBC and internal UC devices?<br>
<br>
2 seems like it's a bad choice, you'd bog down the FW with dynamically opening up for all the RTP between the CUBE and phones. 3 would work, but you really have to trust that the ACLs aren't letting anything in... 1 does seem like the way to go, but I'm interested
in what better and wiser heads say. <br>
<br>
If this is well-answered in documentation, please point me to it. I looked in the SRND, but it seemed to say that it can be done a lot of different ways. If there are other ways, I'm open.<br>
<br>
Thanks,<br>
<br>
Rik<u></u><u></u></p>
</div>
</div><p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
</div><p class="MsoNormal"><u></u> <u></u></p>
</div></div></div>
</div>
</blockquote></div><br>
_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>https://puck.nether.net/mailman/listinfo/cisco-voip<br></blockquote></div><br></div></body></html>