Your SIP gateway, as part of your IP network, should conform to your company security policy. Deployment of basic items, such as user control and authentication, access-control lists, and physical security, should be standard. The SIP network, like most of your user devices, should be on a LAN using private IP addresses, with strong perimeter security.
Because SIP messages contain IP addresses in several different locations, it is important to use a firewall that supports SIP. Cisco IOS firewalls, PIX firewalls, and Adaptive Security Appliance (ASA) devices are all able to inspect the SIP application data and maintain call flow information.
SIP supports some authentication, authorization, and accounting (AAA) mechanisms to help authenticate communications between UAs, servers, and gateways. You can use RADIUS to preauthenticate calls. The gateway forwards incoming call information to a RADIUS server, which must authenticate it before connecting the call. To enable AAA for SIP calls, you must use the normal AAA configuration on the gateway and the RADIUS server. In addition, at global configuration mode, issue the aaa preauth command to enter AAA preauthentication configuration mode. Specify the RADIUS server with the command group {radius | groupname}.
You can also use HTTP Authentication Digest. UAs, proxy servers, and redirect servers can request authentication before they process a SIP message. Gateways can respond to authentication challenges and can respond on behalf of non-SIP phones that they have registered to a SIP server. SIP defines authentication and authorization fields that can be present in the message header. A server that receives a message, such as an INVITE, without authentication credentials issues a challenge. The response includes an authorization field with an MD5 hash and other credentials. To configure a gateway to use HTTP Authentication Digest, give the following command in each dial peer or in SIP-UA configuration mode: authentication username username password password [realm realm]. Username is the name of the user that will be authenticating, password is the shared password, and realm is an optional entry that lets you configure multiple username/password combinations. The realm is included in the challenge, so the response will include the credentials for that specific realm.
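The challenge/response exchange just described, worked through in code: this is an added example written for this page, not code from the book or from Cisco IOS. It computes the MD5 digest response defined in RFC 2617 as SIP (RFC 3261) uses it, builds the Authorization header a gateway would return, and shows how the server side recomputes and verifies it from a per-realm credential store. The usernames, realms, passwords, nonces, and URIs are constructed sample values; the credential table mirrors a gateway configured with several authentication username ... realm ... entries.

```python
import hashlib
import hmac
import re
import secrets

# Constructed credential store, keyed by (username, realm). A gateway with one
# "authentication username ... password ... realm ..." entry per realm keeps
# exactly this kind of table; the realm in the challenge selects the password.
CREDENTIALS = {
    ("gw1", "proxy.example.com"): "s3cret-proxy",
    ("gw1", "itsp.example.net"): "s3cret-itsp",
}


def _md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 Digest 'response' for a SIP request (MD5, with or without qop)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    if qop is None:
        return _md5_hex(f"{ha1}:{nonce}:{ha2}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_challenge(realm, nonce=None):
    """Server side: parameters of the WWW-Authenticate / Proxy-Authenticate challenge."""
    return {"realm": realm, "nonce": nonce or secrets.token_hex(16),
            "algorithm": "MD5", "qop": "auth"}


def build_authorization(username, password, method, uri, challenge,
                        cnonce=None, nc="00000001"):
    """Client side: the Authorization header sent with the retried INVITE/REGISTER."""
    qop = challenge.get("qop")
    params = {"username": username, "realm": challenge["realm"],
              "nonce": challenge["nonce"], "uri": uri}
    if qop:
        cnonce = cnonce or secrets.token_hex(8)
        params.update({"qop": qop, "nc": nc, "cnonce": cnonce})
    params["response"] = digest_response(username, challenge["realm"], password,
                                         method, uri, challenge["nonce"],
                                         qop, nc if qop else None, cnonce if qop else None)
    params["algorithm"] = challenge.get("algorithm", "MD5")
    unquoted = {"qop", "nc", "algorithm"}
    return "Digest " + ", ".join(
        f"{k}={v}" if k in unquoted else f'{k}="{v}"' for k, v in params.items())


_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header):
    """Split 'Digest k="v", k=v, ...' into a dict of parameters."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest credential")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(rest)}


def verify_authorization(header, method, issued_nonce, credentials=CREDENTIALS):
    """Server side: recompute the response from the stored password and compare.

    Rejects a nonce the server did not issue (stale or replayed credentials),
    an unknown username/realm pair, and any mismatch of method or URI, since
    both are folded into the hash."""
    p = parse_authorization(header)
    if p.get("nonce") != issued_nonce:
        return False
    password = credentials.get((p.get("username"), p.get("realm")))
    if password is None:
        return False
    expected = digest_response(p["username"], p["realm"], password, method,
                               p.get("uri", ""), p["nonce"],
                               p.get("qop"), p.get("nc"), p.get("cnonce"))
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    challenge = build_challenge("proxy.example.com")
    header = build_authorization("gw1", "s3cret-proxy", "INVITE",
                                 "sip:5551212@proxy.example.com", challenge)
    print(header)
    print("verified:", verify_authorization(header, "INVITE", challenge["nonce"]))
```

The realm check is the part worth noticing: the same username "gw1" authenticates to two realms with different passwords, and a response built with the proxy.example.com password is rejected when it is presented against a challenge from itsp.example.net. The server also binds the response to the nonce it issued and to the request method, so a credential captured from one request cannot be reused on a different request.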
To provide a more secure, encrypted transport mechanism for SIP messages, Cisco IPT devices have added support for the TLS protocol.