Add some security and you won't regret it
Deployment of session initiation protocol (SIP) is way up. Companies have increased deployment by 58% from 20008 to 2009, growing from 12% to 19%. Why? Primarily, cost savings: SIP trunks are much less expensive than TDM. But there’s a catch: Security. Only 21% of organizations are implementing any kind of firewall for SIP, VoIP or UC.
That’s a mistake. As with all internet protocols, SIP and its peer protocol real-time transport protocol (RTP) are vulnerable to attack. Attacks can be significant and costly, ranging from PBX toll fraud to sophisticated denial of service (DoS) attacks and violation of compliance with privacy regulations, such as the Payment Card Industry Digital Security Standard and Gramm-Leach-Bliley Act.
And general-purpose firewalls won’t necessarily do the trick when it comes to ensuring SIP security, for a couple of reasons. First, general-purpose firewalls aren’t programmed to specifically look for SIP vulnerability exploits and attacks. And, second, network address translation (NAT)– a standard firewall function – is a challenge for SIP and more specifically, for RTP. The reason for this is SIP and RTP traverse different ports with RTP port selection being random. There are ways to get around this.
The best way to address these issues is a SIP firewall or gateway, either on-premise or in the cloud. In the on-premise scenario, a SIP firewall installs just inside the perimeter firewall, in the DMZ. In the cloud, the SIP trunk provider routes VoIP/UC traffic over a secure connection from the corporate premise. The provider’s SIP firewall/gateway is at the connection point (at the provider point of presence) to the public Internet. The SIP firewall/gateway becomes the demarcation point for all SIP and RTP traffic. The SIP firewall functionality protects the organization from SIP and UC attacks and the SIP gateway functionality supports NAT traversal.
The bottom line: Add some security to that SIP. You won’t regret it.




