Security on NV7100

Hello Guys,

Good morning, I'm writing to you about a security topic on the NV7100.

I'm using the NV7100 to allow SIP registrations over my WAN link for my company softphones. The situation is that my NV7100 has been scanned looking for valid SIP extensions. According to the security recommendations, one of the main points indicates that SIP traffic should only be allowed between the unit and the ITSP. I would love to do that, but I can't, because if I do that the softphones won't get registered.

I was thinking of ACLs, but I can't use them either, because all my remote softphones have DSL services, so they receive their WAN IP dynamically. VPNs could be another option, but as you may know the NV7100 supports only 5 VPNs, and I have 15 remote users.

Based on that, is there another solution we can use to connect my remote softphones over the WAN IP?

Thanks in advance,

Re: Security on NV7100

dcorrea,

You are correct that it is recommended to restrict SIP traffic to the provider’s IP addresses. This is noted in our NetVanta 7000 Series Security Guide.

The best solution is for the softphones to connect over a VPN but as you noted the 7100 only supports 5 tunnels.  The 5 tunnel limit only applies to concurrent tunnels, so this may be an option for you unless more than 5 remote clients will connect at one time.

Another solution may be to use DynDNS at the remote sites and then you can just specify hostnames in your ACL that restricts SIP traffic.  A caveat to this approach is the DNS entries on the 7100 are only updated every 10 minutes.  This could potentially cause a remote phone to not connect if the 7100 has not received the new IP address of a recently updated DynDNS entry, but would likely be resolved in the next DNS update from the 7100 10 minutes later.  If the remote sites have stable connections resulting in the IP addresses not changing often this may not be an issue at all, but I wanted to mention it as a possible situation.

Just as a side note, I wanted to mention that with AOS R.10.2 Simple Remote Phone support was added. This allows remote phones to connect without a VPN or a remote SIP aware firewall.

Thanks,
Matt

Message was edited by: matt - corrected DNS update time

Re: Security on NV7100

Dear Matt,

Thank you so much for your valuable help on this issue. Following your suggestions, I would try to use the Simple Remote Phone. The question here is: assuming that the DSL for my clients receives dynamic IP addresses, is it possible to configure the ACL for SIP using the name of a DynDNS host? If it's possible, this could be the best solution, because my clients' DSLs aren't SIP-aware devices.

Thanks again,

Re: Security on NV7100

dcorrea,

That is correct, you should be able to use DynDNS hostnames in your ACL.  Here is an example:

!
ip access-list extended SIP
  permit udp hostname site1.dyndns.org any eq 5060
  permit udp hostname site2.dyndns.org any eq 5060
  permit udp hostname site3.dyndns.org any eq 5060
!

Thanks,
Matt

Re: Security on NV7100

Dear Matt,

Great, I will test that!!!

Best Regards,

Re: Security on NV7100

I wanted to add a quick addendum:

1 - I discovered the DNS entries are actually updated every 10 minutes in AOS, so I corrected that in my post above.

2 - If you are going to use host names in an ACL you must also have DNS servers specified in the configuration with the ip name-server command.

Thanks,
Matt
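
As an added illustration (not AOS code and not from Matt's or dcorrea's posts), the following Python simulation models the two behaviours raised in this thread: the caveat from Matt's first reply that hostname entries in an ACL are only re-resolved every 10 minutes, so a softphone whose DynDNS record has just changed can be denied until the next refresh, and the addendum's point that without `ip name-server` configured a hostname entry can never match. The ACL structure mirrors the `permit udp hostname ... any eq 5060` example above; the resolver, refresh logic, addresses, and timings are constructed assumptions for the demonstration and do not reproduce the unit's internals.

```python
"""Simulation of a hostname-based SIP ACL with periodic DNS refresh.

Constructed example (not AOS code). It models an extended ACL whose
"permit udp hostname <h> any eq 5060" entries are resolved by the unit's
resolver at a fixed interval, so a remote site whose DynDNS record just
changed can be denied until the next refresh, and a unit with no
name server configured can never match a hostname entry at all.
"""
from dataclasses import dataclass, field

REFRESH_SECONDS = 10 * 60  # hostnames re-resolved every 10 minutes (per the thread)
SIP_PORT = 5060


@dataclass
class Resolver:
    """Stand-in for the unit's resolver; `name_servers` mirrors `ip name-server`."""
    name_servers: list
    records: dict  # hostname -> address currently published by DynDNS (constructed)

    def lookup(self, hostname):
        if not self.name_servers:
            return None  # no `ip name-server` configured: nothing can resolve
        return self.records.get(hostname)


@dataclass
class HostnameAcl:
    """`ip access-list extended SIP` with one `permit udp hostname <h> any eq 5060` per host."""
    hostnames: list
    resolver: Resolver
    refresh_seconds: int = REFRESH_SECONDS
    _cache: dict = field(default_factory=dict)
    _last_refresh: float = None

    def refresh(self, now):
        self._cache = {h: self.resolver.lookup(h) for h in self.hostnames}
        self._last_refresh = now

    def permits(self, src_ip, dst_port, now):
        # Re-resolve only when the interval has elapsed; between refreshes the
        # ACL keeps matching on the addresses it last learned.
        if self._last_refresh is None or now - self._last_refresh >= self.refresh_seconds:
            self.refresh(now)
        if dst_port != SIP_PORT:
            return False  # implicit deny at the end of the list
        return src_ip in {ip for ip in self._cache.values() if ip}


def simulate_dyndns_change():
    """A remote site's DSL address changes between two refreshes.

    Returns a list of (time_seconds, source_ip, permitted) tuples.
    """
    resolver = Resolver(name_servers=["192.0.2.53"],  # constructed
                        records={"site1.dyndns.org": "198.51.100.10"})
    acl = HostnameAcl(hostnames=["site1.dyndns.org"], resolver=resolver)
    results = []
    # t=0: first packet triggers the initial resolution; old address permitted.
    results.append((0, "198.51.100.10", acl.permits("198.51.100.10", SIP_PORT, now=0)))
    # DSL reconnects with a new address and DynDNS is updated right away.
    resolver.records["site1.dyndns.org"] = "198.51.100.20"
    # t=130 s: cache is still the old address, so the new address is denied.
    results.append((130, "198.51.100.20", acl.permits("198.51.100.20", SIP_PORT, now=130)))
    # t=600 s: refresh fires, new address permitted, old address no longer is.
    results.append((600, "198.51.100.20", acl.permits("198.51.100.20", SIP_PORT, now=600)))
    results.append((600, "198.51.100.10", acl.permits("198.51.100.10", SIP_PORT, now=600)))
    return results


def simulate_missing_name_server():
    """Addendum point 2: with no name server, the hostname entry never matches."""
    resolver = Resolver(name_servers=[], records={"site1.dyndns.org": "198.51.100.10"})
    acl = HostnameAcl(hostnames=["site1.dyndns.org"], resolver=resolver)
    return acl.permits("198.51.100.10", SIP_PORT, now=0)


if __name__ == "__main__":
    for t, ip, ok in simulate_dyndns_change():
        print(f"t={t:>4}s src={ip:<15} {'permit' if ok else 'deny'}")
    print("no name-server:", "permit" if simulate_missing_name_server() else "deny")
```

The walk-through shows why Matt notes the caveat matters mostly for sites whose addresses change often: the only packets lost are those arriving in the window between a DynDNS update and the next resolution, and the same window also briefly leaves the previous address permitted.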