Firewall question

Discussion in 'UK VOIP' started by Dave Saville, Mar 7, 2006.

  1. Dave Saville

    Dave Saville Guest

    I have been reading up on VOIP and firewalls - Seems they don't mix too well
    :)

    Now if one does not have a VOIP/SIP aware firewall then the only option is to
    open up to UDP traffic. This comes, quite rightly, with all sorts of dire
    warnings. But *if* the specific IP address being used was dedicated to phone
    hardware rather than a computer I can't think of any problems it could cause.

    Am I missing something?

    --

    Regards

    Dave Saville

    NB Remove -nospam for good email address
     
    Dave Saville, Mar 7, 2006
    #1

  2. "Dave Saville" <> wrote in message
    news:...
    > I have been reading up on VOIP and firewalls - Seems they don't mix too
    > well :)
    >
    > Now if one does not have a VOIP/SIP aware firewall then the only option is
    > to open up to UDP traffic. This comes, quite rightly, with all sorts of dire
    > warnings. But *if* the specific IP address being used was dedicated to
    > phone hardware rather than a computer I can't think of any problems it could
    > cause.
    >
    > Am I missing something?


    Not really, in terms of the security side of things. You can actually tie
    things down a bit tighter than allowing any UDP through.

    Most half decent ATAs/phones will allow you to specify the range of RTP
    ports used.

    For example my Sipura SPA-3000 is set to use RTP ports 16384-16482.

    So a working lockdown configuration for this unit would be:

    Allow incoming TCP to Sipura port 5060
    [SIP on TCP is in the spec, though I've never actually seen it in practice]
    Allow incoming UDP to Sipura port 5060
    [incoming SIP]
    Allow incoming UDP to Sipura port 16384-16482
    [incoming RTP]
    Allow outgoing UDP from Sipura to any external port

    [of course if someone finds a buffer overflow exploit in the SIP or RTP
    handling code of your VOIP hardware then all bets are off!]

    If your system is doing NAT as well as firewalling there are all sorts of
    other problems though...
    --
    Thomas Sandford
     
    Thomas Sandford, Mar 7, 2006
    #2
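    As an added illustration (not Thomas Sandford's own configuration), the following Python models the lockdown rule set above as a tiny packet filter and emits the equivalent Linux iptables commands; the ATA address 192.168.1.20, the peer addresses and the WAN interface name are assumed values.

```python
# Added example: simulate the SPA-3000 lockdown rules from the post and emit
# equivalent iptables commands. Addresses and interface name are assumed.
from dataclasses import dataclass

SIPURA = "192.168.1.20"          # assumed LAN address of the ATA
SIP_PORT = 5060
RTP_RANGE = range(16384, 16483)  # 16384-16482 inclusive, as configured in the post


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def inbound_allowed(pkt: Packet) -> bool:
    """Traffic arriving from the WAN: only SIP and the RTP range, only to the ATA."""
    if pkt.dst != SIPURA:
        return False                       # nothing else on the LAN is reachable
    if pkt.dport == SIP_PORT and pkt.proto in ("tcp", "udp"):
        return True                        # incoming SIP signalling (TCP or UDP)
    if pkt.proto == "udp" and pkt.dport in RTP_RANGE:
        return True                        # incoming RTP media
    return False                           # default deny, e.g. UDP to 16483 or TCP/23


def outbound_allowed(pkt: Packet) -> bool:
    """Traffic leaving the LAN: only UDP originating from the ATA itself."""
    return pkt.src == SIPURA and pkt.proto == "udp"


def iptables_rules(wan_if: str = "eth0") -> list:
    """Same policy as iptables FORWARD-chain commands (interface name assumed)."""
    rtp = f"{RTP_RANGE.start}:{RTP_RANGE[-1]}"
    return [
        f"iptables -A FORWARD -i {wan_if} -p tcp -d {SIPURA} --dport {SIP_PORT} -j ACCEPT",
        f"iptables -A FORWARD -i {wan_if} -p udp -d {SIPURA} --dport {SIP_PORT} -j ACCEPT",
        f"iptables -A FORWARD -i {wan_if} -p udp -d {SIPURA} --dport {rtp} -j ACCEPT",
        f"iptables -A FORWARD -o {wan_if} -p udp -s {SIPURA} -j ACCEPT",
        f"iptables -A FORWARD -i {wan_if} -j DROP",   # everything else inbound is dropped
    ]


if __name__ == "__main__":
    for rule in iptables_rules():
        print(rule)
```

    The simulation makes the point of the post visible: a probe to a UDP port just outside the RTP range, or to any other LAN host, is dropped while calls still pass.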

  3. Dave Saville

    techpro Guest

    My SMC Barricade 7404 router/firewall managed to mess up VoIP even when
    the firewall was completely disabled. Foolishly, thinking that SMC made
    good stuff, I replaced it with a 7908VoWBRA (or something like that)
    with built in SIP support. After a firmware upgrade, the built in SIP
    client works (though I can't access Sipgate voicemail because it
    doesn't do DTMF out of band). But it still won't work with a soft phone
    client.

    SMC tech support never came back with a solution. They don't seem
    interested in fixing their firmware. If you're using an SMC firewall,
    just give up!
    --
    Julian Moss
    The PC Guru: www.the-pc-guru.com
     
    techpro, Mar 7, 2006
    #3
  4. Dave Saville

    Joe Harrison Guest

    I don't tell my firewall anything about my SIP and STUN setup (apart from
    QoS.) There are no forwarded ports, no nothing it just works.

    Joe
     
    Joe Harrison, Mar 7, 2006
    #4
  5. Dave Saville

    Jono Guest

    on 07/03/2006, Joe Harrison supposed :
    > I don't tell my firewall anything about my SIP and STUN setup (apart from
    > QoS.) There are no forwarded ports, no nothing it just works.
    >
    > Joe


    .....and the make is?
     
    Jono, Mar 7, 2006
    #5
  6. Dave Saville

    Chris Guest

    In message <>, Jono
    <> writes
    >on 07/03/2006, Joe Harrison supposed :
    >> I don't tell my firewall anything about my SIP and STUN setup (apart from
    >> QoS.) There are no forwarded ports, no nothing it just works.
    >>
    >> Joe

    >
    >....and the make is?
    >


    Can't comment on OP but I have no problems with my Linksys WRT54G and
    PAP2, possibly because they both support UPnP.
    --
    Chris
     
    Chris, Mar 7, 2006
    #6
  7. Dave Saville

    Jono Guest

    Chris submitted this idea :
    > In message <>, Jono
    > <> writes
    >>on 07/03/2006, Joe Harrison supposed :
    >>> I don't tell my firewall anything about my SIP and STUN setup (apart from
    >>> QoS.) There are no forwarded ports, no nothing it just works.
    >>>
    >>> Joe

    >>
    >>....and the make is?
    >>

    >
    > Can't comment on OP but I have no problems with my Linksys WRT54G and PAP2,
    > possibly because they both support UPnP.


    Yes, I have the same router, however, I'm running the DD-WRT(Voip)
    firmware. Excellent.
     
    Jono, Mar 7, 2006
    #7
  8. Dave Saville

    Joe Harrison Guest

    "Jono" <> wrote in message
    news:...
    > on 07/03/2006, Joe Harrison supposed :
    > > I don't tell my firewall anything about my SIP and STUN setup (apart from
    > > QoS.) There are no forwarded ports, no nothing it just works.
    > >
    > > Joe
    >
    > ....and the make is?
    >

    Oop sorry Linksys WRT54G with Alchemy reflash. Rechecked the config in case
    I had actually needed to do something for SIP and forgot... but no.
     
    Joe Harrison, Mar 8, 2006
    #8
  9. Dave Saville

    Jono Guest

    Joe Harrison pretended :
    > "Jono" <> wrote in message
    > news:...
    >> on 07/03/2006, Joe Harrison supposed :
    >>> I don't tell my firewall anything about my SIP and STUN setup (apart from
    >>> QoS.) There are no forwarded ports, no nothing it just works.
    >>>
    >>> Joe

    >>
    >> ....and the make is?
    >>
    >>

    > Oop sorry Linksys WRT54G with Alchemy reflash. Rechecked the config in case
    > I had actually needed to do something for SIP and forgot... but no.


    Cheers.

    I've the same router although went for the DD-WRT reflash. One thing I
    can't do with it is make a SIP=>SIP call internally (dialling out on
    one Sipgate "line" and back in on another)
     
    Jono, Mar 8, 2006
    #9
  10. Dave Saville

    stephen Guest

    "Dave Saville" <> wrote in message
    news:...
    > I have been reading up on VOIP and firewalls - Seems they don't mix too
    > well :)
    >
    > Now if one does not have a VOIP/SIP aware firewall then the only option is
    > to open up to UDP traffic. This comes, quite rightly, with all sorts of dire
    > warnings.


    maybe this is backwards and you need a router which is SIP / Voip aware for
    the protocol you are using?

    > But *if* the specific IP address being used was dedicated to phone
    > hardware rather than a computer I can't think of any problems it could
    > cause.

    A lot of the hardware in a phone or ATA or whatever may be more general
    purpose under the surface, so you should sort of assume it may be vulnerable
    to something and get attacked rather than expect that it is OK.

    FWIW a fair number of IP phones use TFTP to grab code upgrades and config
    files. TFTP is not exactly secure.....
    >
    > Am I missing something?


    I know this isn't much help if you already have the router (although
    complaining about it to the manufacturer might help when they design the
    next model) - but a SIP aware router should be what you look for. Fixing up
    a compromise is only a fall back approach.
    >
    > --
    >
    > Regards
    >
    > Dave Saville
    >
    > NB Remove -nospam for good email address

    --
    Regards

    - replace xyz with ntl
     
    stephen, Mar 8, 2006
    #10
  11. Dave Saville

    alexd Guest

    stephen wrote:

    > maybe this is backwards and you need a router which is SIP / Voip aware
    > for the protocol you are using?


    What's a SIP/VoIP aware router?

    --
    <http://ale.cx/> (AIM:troffasky) ()
    20:29:04 up 1 day, 1:19, 1 user, load average: 0.01, 0.05, 0.01
    This is my BOOOOOOOOOOOOOOOOOOOOOMSTICK
     
    alexd, Mar 9, 2006
    #11
  12. Dave Saville

    stephen Guest

    "alexd" <> wrote in message news:...
    > stephen wrote:
    >
    > > maybe this is backwards and you need a router which is SIP / Voip aware
    > > for the protocol you are using?

    >
    > What's a SIP/VoIP aware router?


    Some boxes know how to fix up the info in specific apps that otherwise don't
    like address translation, firewalls etc. Often this is because the app needs
    several connections to be used for 1 logical link, or allocates port numbers
    dynamically.

    I get this kind of stuff at work sometimes (mainly on firewalls rather than
    routers) - the boxes designed for enterprise nets tend to have fixup routines
    for various protocols.

    The last one I played with was a PIX with H.323 voice.

    Here is a note on their web site for IOS firewall, which is on some of the low
    end Cisco routers that some use at home:
    http://www.cisco.com/en/US/products...lementation_design_guide09186a00800fd670.html

    It might be useful even if you don't have Cisco, since it gives a fairly
    clear explanation about what is going on - search for "fixup".

    >
    > --
    > <http://ale.cx/> (AIM:troffasky) ()
    > 20:29:04 up 1 day, 1:19, 1 user, load average: 0.01, 0.05, 0.01
    > This is my BOOOOOOOOOOOOOOOOOOOOOMSTICK
    >

    --
    Regards

    - replace xyz with ntl
     
    stephen, Mar 9, 2006
    #12
