Application Note Patton SmartNode in combination with a CheckPoint Firewall for Multimedia security



Similar documents
Vega 100G and Vega 200G Gamma Config Guide

Configuring a Mediatrix 500 / 600 Enterprise SIP Trunk SBC June 28, 2011

How To Understand The Purpose Of A Sip Aware Firewall/Alg (Sip) With An Alg (Sip) And An Algen (S Ip) (Alg) (Siph) (Network) (Ip) (Lib

SIP Trunking Configuration with

nexvortex Setup Guide

ThinkTel ITSP with Registration Setup Quick Start Guide

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1

nexvortex Setup Template

Customer Guide. BT Business - BT SIP Trunks. BT SIP Trunks: Firewall and LAN Guide. Issued by: BT Business Date Issue: v1.

OfficeMaster Gate (Virtual) Enterprise Session Border Controller for Microsoft Lync Server. Quick Start Guide

Enabling NAT and Routing in DGW v2.0 June 6, 2012

Application Note Configuring the Synapse SB67070 SIP Gateway for Broadvox GO! SIP Trunking

EarthLink Business SIP Trunking. Switchvox SMB 5.5 & Adtran SIP Proxy Implementation Guide

nexvortex Setup Guide

Application Note - Using Tenor behind a Firewall/NAT

Setup Reference guide for PBX to SBC interconnection

BroadCloud PBX Customer Minimum Requirements

Microsoft Lync Server 2013 with Patton SmartNode PSTN Gateway

Voice Over IP and Firewalls

SIP Trunking with Microsoft Office Communication Server 2007 R2

Configuring a LAN SIParator. Lisa Hallingström Paul Donald Bogdan Musat Adnan Khalid Per Johnsson Rickard Nilsson

How to Configure the Toshiba Strata CIX for use with Integra Telecom SIP Solutions

DLink-655 Router Configuration Guide for VoIP

Copyright ZYCOO All Rights Reserved 1 / 8

Optimum Business SIP Trunk Set-up Guide

Guideline for SIP Trunk Setup

Fonality. Optimum Business Trunking and the Fonality Trixbox Pro IP PBX Standard Edition V p13 Configuration Guide

Application Notes for Configuring a SonicWALL VPN with an Avaya IP Telephony Infrastructure - Issue 1.0

Ingate Firewall/SIParator SIP Security for the Enterprise

SECURITY ADVISORY FROM PATTON ELECTRONICS

Configuring the Sonus SBC 2000 with Cisco Unified Call Manager 10.5 for Verizon Deployment

IP Office Technical Tip

Copyright and Trademark Statement

Visocall IP PBX Connection

Best Practices for Securing IP Telephony

OpenScape Business V2

TLS and SRTP for Skype Connect. Technical Datasheet

Application Notes for Configuring Cablevision Optimum Voice SIP Trunking with Avaya IP Office - Issue 1.1

How to Configure the NEC SV8100 for use with Integra Telecom SIP Solutions

EarthLink Business SIP Trunking. ININ IC3 IP PBX Customer Configuration Guide

Setup Reference Guide for KX-NS1000 to SBC SIP Trunking

Ecessa Proxy VoIP Manual

6.40A AudioCodes Mediant 800 MSBG

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues

Configuration Guide for connecting the Eircom Advantage 4800/1500/1200 PBXs to the Eircom SIP Voice platform.

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

THINKTEL COMMUNICATIONS DIGIUM G100/G200 PRI OVER IP SIP TRUNKING

Firewall Defaults and Some Basic Rules

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Author: Seth Scardefield 1/8/2013

Introduction to VoIP Technology

Setup Reference Guide for KX-TDE/NCP to SBC SIP Trunking

IP Ports and Protocols used by H.323 Devices

Optional VBP-E at the Headquarters Location

White Paper. Traversing Firewalls with Video over IP: Issues and Solutions

Recommended IP Telephony Architecture

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Application Note. SIP Domain Management

How To Load balance traffic of Mail server hosted in the Internal network and redirect traffic over preferred Interface

Hands on VoIP. Content. Tel +44 (0) Introduction

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

EarthLink Business SIP Trunking. Toshiba IPedge Customer Configuration Guide

SIP Security Controllers. Product Overview

Wave SIP Trunk Configuration Guide FOR BROADVOX

How to Configure the Allworx 6x, 24x and 48x for use with Integra Telecom SIP Solutions

Avaya IP Office 8.1 Configuration Guide

Thank you for purchasing a Panasonic Pure IP-PBX. Please read this manual carefully before using this product and save this manual for future use.

Enabling Users for Lync services

How to Configure the Cisco UC500 for use with Integra Telecom SIP Solutions

Application Notes for Configuring Intelepeer SIP Trunking with Avaya IP Office Issue 1.0

SIP Trunk Configuration Guide. using

OpenScape Business V1

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

EarthLink Business SIP Trunking. NEC SV8300 IP PBX Customer Configuration Guide

Comparing Session Border Controllers to Firewalls with SIP Application Layer Gateways in Enterprise Voice over IP and Unified Communications Scenarios

Understand SIP trunk and registration in DWG gateway Version: 1.0 Dinstar Technologies Co., Ltd. Date:

VoIP Application Note:

Setup Reference Guide for KX-NS1000 to SBC interconnection

Version 0.1 June Xerox WorkCentre 7120 Fax over Internet Protocol (FoIP)

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Application Note. Onsight TeamLink And Firewall Detect v6.3

EarthLink Business SIP Trunking. NEC SV8100 IP PBX Customer Configuration Guide

DSX. DSX SIP Setup. April 22, 2011 Issue NEC Corporation of America 4 Forest Parkway, Shelton, CT 06484

SIPSTATION User Guide. Schmooze Com Inc.

Cisco Unified Communications 500 Series

Using the NetVanta 7100 Series

Hosted Voice. Best Practice Recommendations for VoIP Deployments

Time Warner ITSP Setup Guide

Integrating Citrix EasyCall Gateway with SwyxWare

UX5000 with CommPartners SIP Trunks

Session Border Controller

FREQUENTLY ASKED QUESTIONS

2N OfficeRoute. 2N OfficeRoute & Siemens HiPath (series 3000) connected via SIP trunk. Quick guide. Version 1.00

Panasonic KX-NCP500 KXNCP500 KX NCP500 KX-NCP1000 KXNCP1000 KX NCP1000

ICE 008 IP PBX. 1. Product Information New Mini PBX Features System Features

HOSTED VOICE Bring Your Own Bandwidth & Remote Worker. Install and Best Practices Guide

FreePBX R14. SIP Trunk Provisioning Guide

ΕΠΛ 674: Εργαστήριο 5 Firewalls

OpenScape Session Border Controller Delivering security, interoperability and cost savings to the enterprise network border

Configuring NEC UNIVERGE 3C for Time Warner Cable Business Class SIP Trunk V 2.0

Transcription:

Patton Electronics Co. www.patton.com 7622 Rickenbacker Drive, Gaithersburg, MD 20879, USA tel: +1 301-975-10001000 fax: +1 301-869-9293 Application Note Patton SmartNode in combination with a CheckPoint Firewall for Multimedia security Document version 2.0 Date of creation 25.01.2012 Contact Patton Support http://patton.com/support support@patton.com 2012 Inalp Networks AG, Niederwangen, Switzerland All Rights Reserved. Copying of this document or parts of it is prohibited.

Table of contents 1 Introduction...... 3 2 Network... 3 3 Solution... 4 4 Conclusion... 4 5 Configuration... 5 5.1 CheckPoint Firewall... 5 5.1.1 Firewall Panel... 5 5.1.2 NAT panel... 6 5.2 Patton SmartNode... 6 Document revisions Date 25.01.2012 19.06.2012 Name Content MM Document creation MZ Revision to document V2.0 2/6

1 Introduction Security is in the today communication systems a key element required to have a stable and reliable IT service. This includes not only data security however also written and mutual communication. Open VoIP networks are attackable using different methods such as brute-force search. force search. VoIP attacks leads often in fast growing costs; therefore, VoIP networks must be protected such as data networks. Using the Patton SmartNode ESBR as Session-Boarder- -Controller, SBC, together with a firewall covers the customer s requirements concerning multimedia network security. One of the firewall products is provided by Checkpoint. The document provides you information, how a SmartNode can be used as SBC in a small/medium size installation in combination with a Checkpoint Firewall. 2 Network The data network infrastructure is often split into three main networks, WAN, LAN and DMZ. The three networks are in our example physically connected through a CheckPoint firewall. Introducing VoIP several components and entities can be added to all three network segments: DMZ Network SmartNode Session-Boarder-Controller UCS / IP-PBX LAN Network Local VoIP users WAN Network SIP Trunk / SIP Provider Remote / Home Office Nomadic users WAN LAN CheckPoint Firewall SIP Trunk Service Provider Remote and Home office SIP Nomadic SIP clients Local SIP DMZ SmartNode SBC UCS IP-PBX Figure 1: Network diagram Optional, instead of using the SmartNode as SBC in combination with an UCS/IP-PBX PBX system it may be used as VoIP to TDM/Analogue gateway towards a legacy telephony system. 3/6

3 Solution In a probable solution the CheckPoint firewall is used as TCP/IP filter to limit in a first step the range of entities accessing the VoIP network based on TCP and IP addresses. Therefore, the following Layer4 ports need to be opened to setup a SIP call from, to a defined range of IP addresses: - UDP Port 5060, SIP default signaling port - TCP Port 5060, required depending on the UCS - UDP Port for RTP traffic, depending on the used equipment (SmartNode: 4864-5119 except 5060`) In a second step the SmartNode used as SBC takes over the VoIP security of the SIP networks. Multiple filters, e.g. SIP domain, SIP from/to header, etc. allow limiting the access to the SIP Networks for authorized users and entities only. Optional inbound registration tion and authentication enhances the security of the VoIP network. The TransCoding functionality available in a selected range of SmartNode allows converting the RTP voice stream to the most efficient codec for each connection. E.G. G.711 for the SIP/RTP leg LAN PBX SN codec G./26 for the SIP/RTP call leg SN SIP-Provider. Provider. The diagram below show that all external SIP/RTP VoIP traffic path the SBC filter of the SmartNode. VoIP traffic between the save LAN and DMZ networks has direct access to the PBX. Legend Local SIP/RTP traffic Remote SIP/RTP traffic WAN LAN CheckPoint Firewall SIP Trunk Service Provider Remote and Home office SIP Nomadic SIP clients Local SIP DMZ SmartNode ESBR VLAN 120 217.11.220.224 /27 GW: 217.220.225 UCS IP-PBX 4 Conclusion Figure 2: Network Diagram including VoIP call flow With the proposed network configuration the communication system is protected for many different attacks on all OSI layers required for VoIP. The PBX is not direct reachable from the WAN, the barrier for misuse of the system gets higher. Due to the higher security the reliability of the communication network increases. 4/6

5 Configuration 5.1 CheckPoint Firewall Different settings needs to be covered that the CheckPoint Firewall is open for SIP signaling and RTP traffic. These settings must be made for all SIP userss or networks, which are allowed to access the protected VoIP system. That s includes as well as traffic from the local VoIP network installed in LAN toward the UCS/IP-PBX server. The below configuration guide line helps you configuring the CheckPoint Firewall for voice service. 5.1.1 Firewall Panel For each entity that access the VoIP system, a separate rule for incoming and a separate rule for outgoing traffic is required. To follow to the proposed solution the target of the SIP/RTP stream coming from the WAN is the IP address of the SmartNode. The target of the SIP/RTP stream coming from the LAN will be the NAME SOURCE DESTINATION SERVICE ACTION <name> <range or ip> <range or ip> sip_any-tcp udp_rtp accept log TRACK 5/6

5.1.2 NAT panel To avoid one way voice communication the CheckPoint firewall must keep the original UDP port address for the RTP stream. Therefore Port Address Translation needs to disabled for all authorized RTP traffic in the NAT panel. ORIGINAL PACKET TRANSLATED PACKET SOURCE DESTINATION SERVICE SOURCE DESTINATION SERVICE <range or ip> <range or ip> udp-rtp Original Original Original 5.2 Patton SmartNode The SmartNode configuration depends on the connected endpoints. Each UCS/IP-PBX PBX system and each SIP service provider has its own SIP configuration that needs to be adapted into the SmartNode configuration. Patton provides many configuration examples for different VoIP system in the knowledge base. The Patton knowledge base is accessible on the Patton home page for free and around the clock. http://www.patton.com/support/kb.asp?cat=100ww.patton.com/support/kb.asp?cat=100 Figure 3: Patton Knowledge Base 6/6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information