5 Replies Latest reply on Jul 25, 2012 12:05 PM by matt

    Security on NV7100

    dcorrea Visitor

      Hello Guys,

      Good morning. I'm writing to you about a security topic on the NV7100.

      I'm using the NV7100 to allow SIP registrations over my WAN link for my company softphones. The situation is that my NV7100 has been scanned for valid SIP extensions. According to the security recommendations, one of the main points indicates that SIP traffic should only be allowed between the unit and the ITSP. I would love to do that, but I can't, because if I do the softphones won't get registered.

      I was thinking of ACLs, but I can't use them either, because all my remote softphones have DSL services, so they receive their WAN IP dynamically. VPNs could be another option, but as you may know the NV7100 supports only 5 VPNs, and I have 15 remote users.

      Based on that, is there another solution we can use to connect my remote softphones over the WAN IP?

      Thanks in advance,

        • Re: Security on NV7100
          Employee

          dcorrea,

           

          You are correct that it is recommended to restrict SIP traffic to the provider’s IP addresses. This is noted in our NetVanta 7000 Series Security Guide.

           

          The best solution is for the softphones to connect over a VPN but as you noted the 7100 only supports 5 tunnels.  The 5 tunnel limit only applies to concurrent tunnels, so this may be an option for you unless more than 5 remote clients will connect at one time.

           

          Another solution may be to use DynDNS at the remote sites and then you can just specify hostnames in your ACL that restricts SIP traffic.  A caveat to this approach is the DNS entries on the 7100 are only updated every 10 minutes.  This could potentially cause a remote phone to not connect if the 7100 has not received the new IP address of a recently updated DynDNS entry, but would likely be resolved in the next DNS update from the 7100 10 minutes later.  If the remote sites have stable connections resulting in the IP addresses not changing often this may not be an issue at all, but I wanted to mention it as a possible situation.

           

          Just as a side note, I wanted to mention that with AOS R.10.2 Simple Remote Phone support was added. This allows remote phones to connect without a VPN or a remote SIP aware firewall.

           

          Thanks,
          Matt

           

          Message was edited by: matt - corrected DNS update time

            • Re: Security on NV7100
              dcorrea Visitor

              Dear Matt,

              Thank you so much for your valuable help on this issue. Following your suggestions, I would try to use the Simple Remote Phone. The question here is: assuming that the DSL for my clients receives dynamic IP addresses, is it possible to configure the ACL for SIP using a DynDNS name? If it's possible, this could be the best solution, because my clients' DSLs aren't SIP-aware devices.

              Thanks again,

            • Re: Security on NV7100
              Employee

              I wanted to add a quick addendum:

               

              1 - I discovered the DNS entries are actually updated every 10 minutes in AOS, so I corrected that in my post above.

              2 - If you are going to use host names in an ACL you must also have DNS servers specified in the configuration with the ip name-server command.

               

              Thanks,
              Matt
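The following is an added example, not code from this thread or from ADTRAN, that models the two points Matt raises: an ACL that admits SIP only from the ITSP and from DynDNS-named remote phones, with hostname entries re-resolved every 10 minutes (so a phone whose address just changed is blocked until the next refresh), and the requirement that a name server be configured before hostname entries can resolve. The resolver, hostnames and addresses are constructed for the illustration.

```python
# Added example (not from the thread or ADTRAN): a model of an ACL that permits
# SIP only from the ITSP and from remote softphones named by DynDNS hostnames.
# The hostname cache refreshes every 10 minutes, as the reply describes.
import ipaddress

REFRESH_SECS = 600   # hostname entries re-resolved every 10 minutes (per the thread)
SIP_PORT = 5060


class HostnameAcl:
    """Permit list: fixed ITSP addresses plus hostnames resolved via a name server."""

    def __init__(self, itsp_ips, hostnames, resolver, name_server=None):
        self.itsp_ips = {ipaddress.ip_address(ip) for ip in itsp_ips}
        self.hostnames = list(hostnames)
        self.resolver = resolver        # callable(hostname) -> IP string (constructed)
        self.name_server = name_server  # None models a missing 'ip name-server'
        self.cache = {}                 # hostname -> resolved IP at last refresh
        self.last_refresh = None

    def refresh(self, now):
        if self.hostnames and self.name_server is None:
            raise RuntimeError("hostname ACL entries need a DNS server configured")
        self.cache = {h: ipaddress.ip_address(self.resolver(h)) for h in self.hostnames}
        self.last_refresh = now

    def permits(self, src_ip, dst_port, now):
        """True if a packet from src_ip to dst_port is allowed at time 'now' (seconds)."""
        if self.last_refresh is None or now - self.last_refresh >= REFRESH_SECS:
            self.refresh(now)
        if dst_port != SIP_PORT:
            return False
        src = ipaddress.ip_address(src_ip)
        return src in self.itsp_ips or src in self.cache.values()


def dyndns_change_scenario():
    """Walk through the caveat: the remote phone's DSL address changes and DynDNS
    is updated at once, but the unit only re-resolves at the next 10-minute mark."""
    dns = {"phone1.dyndns.example": "198.51.100.10"}   # constructed DynDNS record
    acl = HostnameAcl(["203.0.113.5"], list(dns), dns.__getitem__, name_server="203.0.113.53")
    timeline = [acl.permits("198.51.100.10", SIP_PORT, now=0)]   # phone allowed
    dns["phone1.dyndns.example"] = "198.51.100.77"                # ISP assigns new IP
    timeline.append(acl.permits("198.51.100.77", SIP_PORT, now=100))  # stale cache: blocked
    timeline.append(acl.permits("192.0.2.99", SIP_PORT, now=120))     # scanner: blocked
    timeline.append(acl.permits("198.51.100.77", SIP_PORT, now=600))  # refreshed: allowed
    return timeline   # returns [True, False, False, True]
```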