Coral IPx & UCx
Application Note AN1406-006 Best Practices guide to enhance
Security of Coral IPx and UCx systems
Document Edition 1.2
The information contained in this document is proprietary and is subject to all relevant
copyright, patent and other laws protecting intellectual property, as well as any specific
agreement protecting TADIRAN TELECOM® (TTL) L.P.'s (herein
referred to as the "Manufacturer") rights in the aforesaid information. Neither this
document nor the information contained herein may be published, reproduced or disclosed
to third parties, in whole or in part, without the express, prior, written permission of the
Manufacturer. In addition, any use of this document or the information contained
herein for any purposes other than those for which it was disclosed is strictly
forbidden.
The Manufacturer reserves the right, without prior notice or liability, to make changes in
equipment design or specifications.
Information supplied by the Manufacturer is believed to be accurate and reliable.
However, no responsibility is assumed by the Manufacturer neither for the use thereof
nor for the rights of third parties which may be affected in any way by the use thereof.
Any representation(s) in this document concerning performance of the Manufacturer's
product(s) are for informational purposes only and are not warranties of future
performance either express or implied. The Manufacturer's standard limited warranty,
stated in its sales contract or order confirmation form, is the only warranty offered by
the Manufacturer in relation thereto.
This document may contain flaws, omissions or typesetting errors; no warranty is granted
nor liability assumed in relation thereto unless specifically undertaken in the
Manufacturer's sales contract or order confirmation. Information contained herein is
periodically updated and changes will be incorporated into subsequent editions. If you
have encountered an error, please notify the Manufacturer. All specifications are subject
to change without prior notice.
© Copyright by TADIRAN TELECOM® (TTL) L.P., 2014.
All rights reserved worldwide.
All trademarks contained herein are the property of their respective holders.
Table of Contents
1 Purpose
2 Terminology
3 Basics First
3.1 Installation and Configuration
3.2 Password Policy
4 Operating System Hardening
5 Application Hardening
5.1 SIP Phone Configuration
5.2 Connectivity Features Access Hardening
5.3 Trunks Configuration Hardening
5.4 SIP Trunk
5.5 IP Zones
6 Administration Access
7 Add-on Applications Hardening
7.1 Voicemail
7.2 Aeonix Contact Center (ACC for Windows)
7.3 Billing
7.4 Aeonix Logger
8 Desk Phones Hardening
8.1 Tadiran SIP Phones - T4x, T32x
8.2 Certified 3rd Party SIP Phones
8.3 MGCP Phones
9 VoIP Gateways
9.1 SIP Gateways
9.2 MGCP Gateways
10 Network
10.1 Topology
10.2 Firewall
10.3 SBC
11 Distributed Deployment
11.1 Remote Office Branch Office (ROBO)
11.2 Home Worker
11.3 Road Warrior
1 Purpose
Coral IPx is an IP-Enabled PABX system that supports legacy phones and trunks as
well as VoIP phones and trunks.
The system supports multiple Ethernet connection and its internal architecture is
based on TDM switching. These two capabilities allow the Coral IPx to be
configured as a physical LAN isolator.
The Coral IPx Office and UCx have only one LAN connection but can still be
configured in a mode that assures logical isolation between LAN segments using the
TDM switch as a decoupling means.
Security is an ongoing challenge and it is impossible to guarantee foolproof
protection. However, by using the measures described in this document, a significant
share of the risks can be mitigated and contained.
The main cyber security threats to VoIP systems include:
Snooping – Identity theft that can be used to launch a theft-of-service or Denial of
Service attack
Eavesdropping – Listening to the signaling and media streams to obtain data
Theft of Service – Using the system to generate calls to premium numbers or as
a means of providing toll service for hackers
Denial of Service – Fully or partially preventing the system from performing its tasks by
blocking various elements and resources (such as CPU or bandwidth)
This application note lays out the best practice recommendations required to protect
the Coral IPx and UCx systems and their adjunct components from cyber security
threats.
2 Terminology
MANDATORY, MUST, SHOULD – Indicates instructions that must be followed
SHOULD NOT, MUST NOT – Indicates actions that must not be taken
RECOMMENDED – Indicates good practices recommended by Tadiran
OPTIONAL, MAY – Indicates options that are left to the discretion of the administrator
N/A – Not Applicable
N/R – Not Required
3 Basics First
3.1 Installation and Configuration
Many security as well as other issues can be avoided by using up to date software
and firmware versions. Before anything else, make sure all components use up to
date versions.
Table 1 – Component Version List
Subject | Item | Minimum Recommended Version
Platform | Coral IPx | 16.06.06
Platform | UCx | 2.8.2
Clients and applications | Bria | Bria 3 v3.5 build 69247
Clients and applications | FlexIP Soft Phone | 3.06.011
Clients and applications | SeamBeam | 1.5.20.2
Clients and applications | SeaMail | PUGW-2G – 10.5.4.27; Server – 10.5.4.27; UCx – 10.5.4.27
Clients and applications | CCP | 4.4.12
Clients and applications | Aeonix Contact Center | Version 1.03.18; Servers: 2008, 2012 32 or 64 bit machine; Clients: XP, Vista, Windows 7/8/8.1
Clients and applications | Navigator | Server 2.0.39.1; Client 3.0.0.17
Phones | FlexSet-IP 280S | 3.26
Phones | T207M | 4.82
Phones | T208M | 4.82
Phones | T320 | 9.71.19.5
Phones | T320P | 9.71.19.5
Phones | T322 | 7.71.19.5
Phones | T328 | 2.71.19.5
Phones | VP-530 | 23.70.0.40
Phones | T42G | 29.71.19.8
Phones | T46G | 28.71.19.8
Gateways | KSW 8000-kirk | PC12C
Gateways | KSW 6000-kirk | 13
Gateways | Sentinel for MGCP phones | 6.78
Gateways | AudioCodes MP118 | 6.6
Gateways | AudioCodes MP124 | 6.6
For beta installations, the version list should be provided as part of the beta
installation by Tadiran support. In case it was not provided, please ask for it.
Best Practice:
1. It is MANDATORY to use up to date versions for all elements of
the solution as specified in Table 1.
2. It is MANDATORY to use certified components as published by
Tadiran. These components are sold directly by Tadiran or certified
by Tadiran.
3. It is RECOMMENDED to check for updates on the Tadiran web
site or with Tadiran support.
4. It is RECOMMENDED to avoid combinations that have not been
tested. Some features require combined support by various
components.
5. It is MANDATORY to have installation and configuration of any
component done by a certified engineer. Special attention should be
paid to installation and configuration of complex elements like
Firewall and SBC.
3.2 Password Policy
Best Practice:
1. It is MANDATORY to use strong passwords where passwords are
required.
Strong passwords must:
a. Contain both upper and lower case letters
b. Include one or more digits
c. Include special characters such as $, &, !
d. Be longer than 6 characters. Recommended 12 or more.
e. Not include the name of the company or any individual
2. It is RECOMMENDED that passwords be changed periodically.
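The rules above are easy to state and easy to get wrong when checked by eye. The checker below is an added example, not part of the application note and not Tadiran code: it applies the five MUST rules of section 3.2 exactly as written and reports the 12-character recommendation separately. The helper names, the decision to count any punctuation character as "special" (the page only lists $, & and ! as examples) and the sample passwords are this example's own assumptions.

```python
# Added example (not from the Tadiran application note): a checker for the
# section 3.2 password rules. Rule set transcribed from the page; helper names,
# the "any punctuation counts as special" reading and sample inputs are assumed.
import string

SPECIAL_CHARS = set(string.punctuation)   # assumption: $, & and ! are examples, not the whole set
MIN_LENGTH = 7                            # "longer than 6 characters"
RECOMMENDED_LENGTH = 12                   # "Recommended 12 or more"


def password_findings(password, forbidden_names=()):
    """Return the list of violated MUST rules; an empty list means the password passes.

    forbidden_names: the company name and any individual names that must not
    appear in the password (matched case-insensitively as a substring).
    """
    findings = []
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        findings.append("must contain both upper and lower case letters")
    if not any(c.isdigit() for c in password):
        findings.append("must include one or more digits")
    if not any(c in SPECIAL_CHARS for c in password):
        findings.append("must include a special character such as $, & or !")
    if len(password) < MIN_LENGTH:
        findings.append("must be longer than 6 characters")
    lowered = password.lower()
    for name in forbidden_names:
        if name and name.lower() in lowered:
            findings.append("must not include the name '%s'" % name)
    return findings


def is_strong(password, forbidden_names=()):
    """True when every MUST rule of section 3.2 is satisfied."""
    return not password_findings(password, forbidden_names)


def meets_recommended_length(password):
    """True when the RECOMMENDED length of 12 or more is met."""
    return len(password) >= RECOMMENDED_LENGTH


if __name__ == "__main__":
    # Constructed sample values; "123456" is the SIP default named in section 5.1.
    for candidate in ("123456", "Tadiran$2014x", "Blue!Kite42north"):
        print(candidate, password_findings(candidate, forbidden_names=["Tadiran"]))
```

`is_strong` answers the MANDATORY question; `meets_recommended_length` is kept separate so a deployment can enforce the stricter 12-character recommendation without changing the MUST rules.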
4 Operating System Hardening
The Coral IPx is an embedded appliance with a unique Operating System. The
system cannot be affected by viruses or other types of malware and requires no
additional hardening in the field.
The UCx is a hardened appliance that runs manufacturer applications only and
requires no additional hardening in the field.
5 Application Hardening
5.1 SIP Phone Configuration
A common attack in the SIP world is to register a rogue SIP device to the system
and use it to initiate outbound calls.
1. By default, all SIP terminals are required to authenticate their credentials using
username and password.
This definition can be seen in:
IP Ports SIP AUTHENTICATION_REQUIRED(Y/N) – Y
The ability to disable terminal authentication is for special terminals that do not
support authentication.
2. By default, when adding a SIP phone to the Coral / UCx system it is assigned
the system default password. This password is defined in:
IP General AUTHENTICATION PASSWORD (maximum 20 chars) –
123456.
This is a weak password and should be changed.
3. It is recommended to change this password and use a unique password per
phone. The per-terminal password is defined in:
IP IP_PORTS SIP_TERMINAL PASSWORD
Best Practice:
1. It is MANDATORY to avoid the definition of a SIP phone without
authentication.
2. It is MANDATORY to change the system SIP Authentication
password.
3. It is RECOMMENDED to use a unique password per user and not
stay with the system default.
4. It is MANDATORY to use complex passwords as defined in the
password policy section.
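A rogue-registration attempt usually shows up as a burst of failed REGISTER authentications from one source, and theft of service as a run of calls from one extension to premium numbers. The script below is an added example, not code from the application note or from Tadiran: it runs two such detections over a constructed registrar log. The log format (`REGISTER src=... user=... result=...`, `INVITE ... from=... to=...`), the assumption that each REGISTER line records the final outcome of an attempt rather than the routine 401 challenge, the premium prefix list and the thresholds are all this example's own.

```python
# Added example (not from the Tadiran application note, not Coral/UCx log format):
# detection over a constructed SIP registrar log. Assumed format, thresholds and
# premium-number prefixes are this example's own.
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line format; result= is the final outcome of the attempt
# (401/403 = authentication failed), not the initial digest challenge.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>REGISTER|INVITE) src=(?P<src>\S+)"
    r"(?: user=(?P<user>\S+))?(?: from=(?P<frm>\S+) to=(?P<to>\S+))?"
    r" result=(?P<code>\d{3})$"
)

# Constructed sample: one scanner cycling through extensions, one legitimate
# user mistyping once, and one extension calling a premium prefix repeatedly.
SAMPLE_LOG = """\
2014-06-03T10:15:01 REGISTER src=192.0.2.10 user=4012 result=200
2014-06-03T10:15:05 REGISTER src=203.0.113.7 user=1000 result=401
2014-06-03T10:15:06 REGISTER src=203.0.113.7 user=1001 result=403
2014-06-03T10:15:07 REGISTER src=203.0.113.7 user=1002 result=401
2014-06-03T10:15:09 REGISTER src=203.0.113.7 user=1003 result=401
2014-06-03T10:15:12 REGISTER src=203.0.113.7 user=1004 result=401
2014-06-03T10:15:15 REGISTER src=203.0.113.7 user=1005 result=401
2014-06-03T10:20:00 REGISTER src=192.0.2.11 user=4013 result=401
2014-06-03T10:21:00 REGISTER src=192.0.2.11 user=4013 result=200
2014-06-03T10:30:00 INVITE src=192.0.2.10 from=4012 to=+88213000001 result=200
2014-06-03T10:31:00 INVITE src=192.0.2.10 from=4012 to=+88213000002 result=200
2014-06-03T10:32:00 INVITE src=192.0.2.10 from=4012 to=+88213000003 result=200
2014-06-03T10:33:00 INVITE src=192.0.2.11 from=4013 to=0548880000 result=200
"""


def parse_log(text):
    """Parse matching lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def failed_register_bursts(text, threshold=5, window_seconds=60):
    """Source IP -> peak count of failed REGISTER outcomes inside any sliding
    window of window_seconds, for sources that reach the threshold."""
    per_ip = defaultdict(list)
    for ev in parse_log(text):
        if ev["method"] == "REGISTER" and ev["code"] in ("401", "403"):
            per_ip[ev["src"]].append(ev["ts"])
    alerts = {}
    for ip, times in per_ip.items():
        times.sort()
        window, peak = deque(), 0
        for t in times:
            window.append(t)
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


def premium_call_alerts(text, premium_prefixes, threshold=3):
    """Calling extension -> number of answered INVITEs to premium prefixes,
    for extensions at or above the threshold (theft-of-service indicator)."""
    counts = defaultdict(int)
    prefixes = tuple(premium_prefixes)
    for ev in parse_log(text):
        if ev["method"] == "INVITE" and ev["to"] and ev["to"].startswith(prefixes):
            counts[ev["frm"]] += 1
    return {ext: n for ext, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("failed REGISTER bursts:", failed_register_bursts(SAMPLE_LOG))
    print("premium call alerts:", premium_call_alerts(SAMPLE_LOG, ("+882",)))
```

The sliding window matters: a single mistyped password (192.0.2.11 above) never trips the rule, while a source cycling through extension numbers does. The same counters can feed the SBC alerting described in section 10.3.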
5.2 Connectivity Features Access Hardening
1. Executive Privileges.
Using executive privileges allows a user to use any phone in the system with
their level of service.
This feature can be enabled or disabled in the COS menu.
Activation is protected by a PIN code that is set in the KEY and SLT menus.
2. IRSS (Freedom)
This feature allows an incoming call to place an outbound call from a system
trunk. The feature can be enabled/disabled in the COS menu.
Activation can require a PIN code. The PIN code is set in the COS menu
(PASSCODE).
3. Verified Forced Account Code (VFAC)
This feature forces the user to enter an account passcode in order to get access to
trunks for placing outbound calls.
Setup of VFAC is done via the ADMINISTRATION ACCOUNT menu.
Best Practice:
1. It is MANDATORY to define PASSCODE for all phones and not
leave the value as NONE.
2. It is RECOMMENDED to block executive privileges for all class of
services.
3. When using IRSS it is MANDATORY to use either a predefined
ANI or PIN code as a means of authentication.
4. It is RECOMMENDED to use the VFAC.
5. When using VFAC it is RECOMMENDED to use an account code
per extension rather than a common one.
5.3 Trunks Configuration Hardening
1. Guest Trunk Group
Upon an incoming SIP call, if the source IP Address is not found in any Dial
Service (PROXY_NAME/ADDRESS or one of the five IP Addresses in
PROVIDER_IP_LIST), the call may be processed by the Coral/UCx as
originating from a Guest Trunk group.
The Guest Trunk group number is defined in IP Zone
SIP_GUEST_TRUNK_GROUP
The call is processed as being part of the 1st zone on the PUGW.
This capability allows processing incoming calls from a SIP guest (phone or trunk)
but should be used with great precaution to limit its capabilities from initiating
outbound calls.
The PI shows the following warning for this parameter:
“** Warning! Verify that parameters associated with
"SIP_GUEST_TRUNK_GROUP" are defined to prevent toll fraud **”
2. Direct Inward System Access (DISA)
Similar to IRSS. This feature enables an incoming trunk call to gain access to an
outbound trunk.
3. TRK – TRK
System Feature accessed via the SFE menu.
This feature allows or denies trunk to trunk connections.
When disabled, this feature can be overridden on a specific trunk by using
TK_TK_CONNECT_OVERRIDE in Trunk Group Definition (TGDEF).
To override the trunk to trunk prohibition on specific stations, use
TK_TK_XFER_OVERRIDE in COS.
4. Toll Barrier.
This feature allows blocking and manipulation of outbound calls based on dialed
number.
Best Practice:
1. It is RECOMMENDED not to use the SIP_GUEST_TRUNK_GROUP
capability and verify it is left blank for all zones.
2. When Guest Trunk group is in use it is MANDATORY to use a dedicated trunk
group for Guest mode.
3. When Guest Trunk group is in use it is RECOMMENDED to disable the Trunk
– Trunk option for the Guest Trunk group.
4. When Guest Trunk group is in use it is RECOMMENDED to block the Guest
Trunk group from making outbound calls.
5. It is RECOMMENDED to disable DISA for all trunks.
6. It is MANDATORY to disable the trunk to trunk system feature. If required, it
should be opened per COS.
7. It is RECOMMENDED to set Block in Toll Barrier as default for all Trunk
Groups and program them as strictly as possible.
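The settings in sections 5.1 to 5.3 are spread over several PI menus, so a periodic audit is worth scripting. The code below is an added example, not part of the application note and not the Coral/UCx PI export format: it walks a constructed dictionary that reuses the parameter names from the text (AUTHENTICATION_REQUIRED, AUTHENTICATION PASSWORD, SIP_TERMINAL PASSWORD, SIP_GUEST_TRUNK_GROUP, PROXY_NAME/ADDRESS, PROVIDER_IP_LIST, the TRK-TRK system feature, TK_TK_CONNECT_OVERRIDE, PASSCODE) and reports findings with the page's MANDATORY/RECOMMENDED levels. It also shows how an incoming SIP call is classified (dial service, guest trunk group of the first zone, or rejected) as described in 5.3 item 1. The dictionary layout and all sample values are this example's own assumptions.

```python
# Added example (not from the Tadiran application note, not the PI export
# format): audit of section 5.1-5.3 settings over a constructed config dict.
# Dictionary layout and sample values are assumed; parameter names are the page's.
from collections import Counter

DEFAULT_SIP_PASSWORD = "123456"   # system default named in section 5.1
PROVIDER_IP_LIST_MAX = 5          # "one of the five IP Addresses in PROVIDER_IP_LIST"

CONSTRUCTED_CONFIG = {
    "ip_general": {"AUTHENTICATION_PASSWORD": "123456"},
    "ip_ports": {
        "AUTHENTICATION_REQUIRED": "Y",
        "sip_terminals": {
            "4012": {"PASSWORD": "123456"},
            "4013": {"PASSWORD": "Qx!7mr2Lp$9w"},
            "4014": {"PASSWORD": "123456"},
        },
    },
    "ip_zones": [{"zone": 1, "SIP_GUEST_TRUNK_GROUP": "17"}],
    "dial_services": [
        {"name": "ITSP-A", "PROXY_NAME/ADDRESS": "198.51.100.4",
         "PROVIDER_IP_LIST": ["198.51.100.5", "198.51.100.6"]},
    ],
    "sfe": {"TRK-TRK": "Y"},
    "trunk_groups": {"17": {"TK_TK_CONNECT_OVERRIDE": "N"}},
    "cos": {"1": {"PASSCODE": "NONE"}},
}


def audit_sip_terminals(cfg):
    """Section 5.1: authentication required, system password changed, unique passwords."""
    findings = []
    if cfg["ip_ports"]["AUTHENTICATION_REQUIRED"] != "Y":
        findings.append(("MANDATORY", "IP Ports: SIP AUTHENTICATION_REQUIRED is not Y"))
    system_pw = cfg["ip_general"]["AUTHENTICATION_PASSWORD"]
    if system_pw == DEFAULT_SIP_PASSWORD:
        findings.append(("MANDATORY", "IP General: AUTHENTICATION PASSWORD is still the default"))
    terminals = cfg["ip_ports"]["sip_terminals"]
    shared = Counter(t["PASSWORD"] for t in terminals.values())
    for ext, term in sorted(terminals.items()):
        if term["PASSWORD"] == system_pw:
            findings.append(("RECOMMENDED", "terminal %s uses the system password, not a unique one" % ext))
        elif shared[term["PASSWORD"]] > 1:
            findings.append(("RECOMMENDED", "terminal %s shares its password with another terminal" % ext))
    return findings


def audit_trunking(cfg):
    """Sections 5.2-5.3: guest trunk group, TRK-TRK feature and overrides, COS passcodes."""
    findings = []
    for zone in cfg["ip_zones"]:
        if zone["SIP_GUEST_TRUNK_GROUP"]:
            findings.append(("RECOMMENDED", "zone %d: SIP_GUEST_TRUNK_GROUP is set (%s); leave blank unless required"
                             % (zone["zone"], zone["SIP_GUEST_TRUNK_GROUP"])))
    for ds in cfg["dial_services"]:
        if len(ds["PROVIDER_IP_LIST"]) > PROVIDER_IP_LIST_MAX:
            findings.append(("ERROR", "dial service %s: more than five provider addresses" % ds["name"]))
    if cfg["sfe"]["TRK-TRK"] == "Y":
        findings.append(("MANDATORY", "SFE: TRK-TRK system feature enabled; disable it and open per COS if required"))
    for tg, t in cfg["trunk_groups"].items():
        if t["TK_TK_CONNECT_OVERRIDE"] == "Y":
            findings.append(("INFO", "trunk group %s overrides the trunk-to-trunk prohibition" % tg))
    for cos, c in cfg["cos"].items():
        if c["PASSCODE"] == "NONE":
            findings.append(("MANDATORY", "COS %s: PASSCODE is NONE" % cos))
    return findings


def classify_inbound(cfg, src_ip):
    """How an incoming SIP call from src_ip is handled (section 5.3 item 1):
    a known dial service, else the guest trunk group of the first zone, else rejected."""
    for ds in cfg["dial_services"]:
        if src_ip == ds["PROXY_NAME/ADDRESS"] or src_ip in ds["PROVIDER_IP_LIST"]:
            return ("dial_service", ds["name"])
    guest = cfg["ip_zones"][0]["SIP_GUEST_TRUNK_GROUP"]
    if guest:
        return ("guest_trunk_group", guest)
    return ("rejected", None)


if __name__ == "__main__":
    for level, text in audit_sip_terminals(CONSTRUCTED_CONFIG) + audit_trunking(CONSTRUCTED_CONFIG):
        print(level, "-", text)
    print(classify_inbound(CONSTRUCTED_CONFIG, "198.51.100.5"))
    print(classify_inbound(CONSTRUCTED_CONFIG, "203.0.113.9"))
```

With SIP_GUEST_TRUNK_GROUP left blank, as the Best Practice recommends, `classify_inbound` returns `("rejected", None)` for any source that is not listed in a dial service, which is the behaviour the PI warning is asking you to confirm.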
5.4 SIP Trunk
SIP Trunks are more susceptible to security breaches as they usually are connected
to the public internet.
1. Registered trunks are less vulnerable to spoofing than unregistered trunks.
Unfortunately, not all SIP providers support trunk registration.
2. When working with a provider, specifying its IP address reduces the risk
of spoofing.
Best Practice:
1. It is MANDATORY to use ITSPs that support registered SIP trunk
mode when connecting to a SIP provider over the public internet.
2. It is RECOMMENDED to specify the IP addresses of the SIP
provider in the DIAL SERVICE.
3. It is MANDATORY to use strong passwords as specified in section
3.2.
4. It is RECOMMENDED to connect to ITSPs via SBC and not
directly.
5.5 IP Zones
The Coral/UCx are IP enabled hybrid solutions. It is possible to route VoIP calls via
the internal TDM switch and thereby let the system act as an IP separator between
the peers. This diminishes the ability to inject malware and viruses into the receiving
endpoint and minimizes Denial of Service attacks on the receiving endpoint.
IP Zones are programmed at:
IPZONE
It is important to program the Inter Zone connection to be PCM for IP separation.
Best Practice:
1. Use IP Zones to separate internal and external VoIP connections.
2. When using IP Zones it is RECOMMENDED to use PCM for inter
zone connection.
6 Administration Access
Coral administration uses the ALI (menu-driven) method. Access is protected by
password.
UCx administration uses both the ALI method and WEB GUI access.
Admin supports 4 levels of access control, determined by the password used.
Best Practice:
1. It is RECOMMENDED to limit the number of users with administrative
permissions.
2. Admin passwords MUST be kept confidential. Administrators MUST NOT
share their passwords with other users.
3. Admin passwords SHOULD BE strong, as defined in the password section.
4. It is RECOMMENDED to change the passwords periodically.
5. It is RECOMMENDED that access to the UCx administration via WEB
GUI utilizes HTTPS and not HTTP.
7 Add-on Applications Hardening
7.1 Voicemail
SeaMail is a powerful unified messaging and voicemail application that can initiate
outbound calls and should therefore be protected. SeaMail has built-in security
enhancement mechanisms, as follows:
1. Password Strength enforcement. When set to 1 the voicemail will accept only
strong passwords by the user.
If the password entered by the user does not meet the requirements, the system
will notify the user. The requirements for a strong password are defined in
Registry => Security and include the following:
a. Cannot repeat a digit more than once (e.g. 1111 is not valid)
b. Cannot use a fixed delta between digits (e.g. 1357 is not valid)
c. Cannot use the mailbox number as a password (e.g. mailbox 5001 cannot use
5001 as a password)
d. Cannot use any black-listed password (see Password Black-list below)
2. Days to Keep password history – the number of days to keep password history.
If a strong password is required, voicemail will not allow the user to enter a
password in the password history.
3. Max password days – the number of days before the system will require the user
to change password. If this parameter is active (checked), password will expire
at the end of the period. This functionality is independent of the Strong
Password requirement.
4. Max Login attempts – number of failed attempts in one call before the mailbox
is locked. An email will be sent to the user (if an email address is available for
the mailbox) to notify the user that the mailbox is locked. In addition, a prompt
will be played to the user during login notifying that the mailbox is locked.
5. Notify Administrator – If the mailbox becomes locked and this field is set to 1,
the administrator (defined in the Registry>Alerts) and the user will receive an
email notifying them that the mailbox is locked. If this parameter is not selected,
neither the administrator nor the user will receive an email notification.
6. Default Password – Used whenever a new mailbox is created using the
WebController. Set the field to any numeric value (up to 9 digits) you want the
default password to be.
7. Password Black-list – Enter all numbers that should not be used as passwords
(for example – your organization’s street number). This list is active as part of
the Strong Password feature.
8. Limit mailbox numbers – do not define mailbox numbers in the voicemail with
the same leading digits as any trunk groups defined in the Coral IPX or UCx.
Best Practice:
1. It is MANDATORY to use Strong Password Enforcement mode.
2. It is RECOMMENDED to request the users to change their Mailbox
password periodically (every few months).
3. It is RECOMMENDED to keep history of passwords for a time of at least a
year (365 days).
4. It is MANDATORY to set “max login attempts” to 3.
5. It is MANDATORY to use the “Notify Administrator” option.
6. It is RECOMMENDED to use a 9 digit password as default.
7. It is RECOMMENDED to use the black list and not allow the passwords to
contain the company street number or current year number (e.g., 2014).
8. It is RECOMMENDED to avoid mailbox numbers with the same leading
digits as any trunk groups defined in the Coral IPX or UCx.
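The SeaMail rules above are specific enough to be checked automatically before a mailbox password is accepted, and the lockout and notification behaviour can be modelled the same way. The code below is an added example, not SeaMail code and not from the application note: it applies rules (a) to (d) and the password-history rule to constructed sample values, lists mailboxes whose leading digits collide with a trunk group access code (item 8), and counts failed logins until the MANDATORY limit of 3 locks the mailbox. The reading of rule (a) as "a digit may appear at most twice", the treatment of a trunk group's access code as its dialled prefix, and the sample data are this example's own assumptions.

```python
# Added example (not SeaMail code, not from the Tadiran application note):
# mailbox password rules (a)-(d), password history, mailbox/trunk-group prefix
# check and login lockout from section 7.1. Rule (a) reading and samples assumed.
from collections import Counter

MAX_LOGIN_ATTEMPTS = 3   # the MANDATORY value from the Best Practice


def pin_findings(pin, mailbox, blacklist=(), history=()):
    """Return the list of rule violations for a numeric mailbox password."""
    if not pin.isdigit():
        return ["password must be numeric"]   # SeaMail passwords are digit strings
    findings = []
    digits = [int(c) for c in pin]
    # (a) no digit repeated more than once (assumed: at most two occurrences)
    if any(n > 2 for n in Counter(digits).values()):
        findings.append("repeats a digit more than once")
    # (b) no fixed delta between consecutive digits (1357, 9876, 1111, ...)
    deltas = {b - a for a, b in zip(digits, digits[1:])}
    if len(pin) >= 3 and len(deltas) == 1:
        findings.append("uses a fixed delta between digits")
    # (c) the mailbox number itself is not allowed
    if pin == mailbox:
        findings.append("equals the mailbox number")
    # (d) black-listed values (street number, current year, ...)
    if pin in blacklist:
        findings.append("is on the password black list")
    # item 2: values still inside the password history window are refused
    if pin in history:
        findings.append("is in the password history")
    return findings


def mailbox_conflicts(mailboxes, trunk_group_access_codes):
    """Item 8: mailbox numbers whose leading digits match a trunk group
    access code (assumed to be the dialled prefix selecting that trunk group)."""
    return [m for m in mailboxes
            if any(m.startswith(code) for code in trunk_group_access_codes)]


class MailboxLoginGuard:
    """Models one call: counts failed logins per mailbox and locks at the limit."""

    def __init__(self, correct_pins, max_attempts=MAX_LOGIN_ATTEMPTS):
        self.correct_pins = correct_pins      # mailbox -> current password
        self.max_attempts = max_attempts
        self.failures = Counter()
        self.locked = set()
        self.notifications = []               # (mailbox, recipient) emails that would be sent

    def attempt(self, mailbox, pin, notify_admin=True):
        if mailbox in self.locked:
            return "locked"                   # stays locked even for the right password
        if self.correct_pins.get(mailbox) == pin:
            self.failures[mailbox] = 0
            return "ok"
        self.failures[mailbox] += 1
        if self.failures[mailbox] >= self.max_attempts:
            self.locked.add(mailbox)
            self.notifications.append((mailbox, "user"))
            if notify_admin:                  # "Notify Administrator" set to 1
                self.notifications.append((mailbox, "administrator"))
            return "locked"
        return "failed"


if __name__ == "__main__":
    # Constructed samples: black list holds the street number and the current year.
    for candidate in ("1111", "1357", "5001", "2014", "738261"):
        print(candidate, pin_findings(candidate, "5001", blacklist=("2014", "17")))
    print(mailbox_conflicts(["5001", "5002", "9101"], ["9"]))
```

Note that `MailboxLoginGuard` never reveals which of the checks failed to the caller, mirroring the page's behaviour of only telling the user that the mailbox is locked.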
7.2 Aeonix Contact Center (ACC for Windows)
1. Define the SIP UAC in the ACC admin.
2. Define the ACC SIP phones in the Coral.
ACC uses SIP phone connection towards the Coral for IVR announcers.
Best Practice:
1. It is MANDATORY to define the connection between ACC and Coral as
SIP phones with password authentication.
2. It is MANDATORY to use a strong password as defined in the password
policy section 3.2.
7.3 Billing
CDR and billing records are confidential and must be protected from data leakage. The
link between the Coral and the CDR logging machine is done over TCP/IP.
Best Practice:
1. It is RECOMMENDED to locate the CDR/Billing logger at the same
physically protected location as the Coral (server room, for example).
2. In case the CDR logging machine has to be located remotely, it is
MANDATORY to establish an L3 VPN tunnel between the Coral
MAP/CUGW and the CDR logging machine.
7.4 Aeonix Logger
Aeonix Logger is a Tadiran OEM call logging application that uses a passive
recording method to record calls. Media streams are either unencrypted or travel
through VPN tunnels. The recordings are kept on the recorder disk or on a NAS and
can be encrypted.
Best Practice:
1. It is RECOMMENDED to use media encryption for storage of the recordings.
2. It is RECOMMENDED to prefer usage of the thick client (CQC) over the thin client
(Aeonix Web Replay) for listening to encrypted recordings, as it decrypts the
recordings at the client.
3. When using IMP, it is MANDATORY to harden the password policy as
follows:
a. Max Login attempts = 3
b. Password History = 12M or less
c. Password Expiry = 12M or less
d. Password complexity – use a mix of characters and numbers;
minimum length = 6
8 Desk Phones Hardening
Coral supports both digital and VoIP phones while UCx only supports VoIP phones.
Digital phones cannot be hardened and it is hard to eavesdrop on them.
The VoIP phones supported are:
Tadiran SIP phones
3rd party SIP phones
Tadiran MGCP phones
8.1 Tadiran SIP Phones - T4x, T32x
1. Network Access:
a. 802.1x enables L2 access for authorized devices only and is
recommended. It can be set from the Phone Network-> Advanced page.
b. If a PC is not connected to the phone, the PC port should be disabled.
c. Disable the Bluetooth adaptor on T46 phones if not in use.
d. By default, the phone uses “cn.pool.ntp.org” NTP Server. Change the
NTP according to company policy.
2. Local Management:
a. Enable only HTTPS access to the phone.
Setting is on the Network -> Advanced page
b. By default, the phone uses Admin/Admin credentials for administration
access and User/User for user access. Change them both and use a
strong and hidden password.
3. Use SRTP to encrypt media.
This will encrypt calls between SIP entities that support SRTP.
Make sure to select the Optional mode when enabling SRTP, to allow calls to units
that do not support SRTP.
Note: Encryption key exchange between the peers is not encrypted.
4. Using phone lock is a good habit. This will disable outbound calls from the
phone when the user leaves the office. It is highly recommended to enable
emergency calls.
Best Practice:
1. Network Access:
a. 802.1x usage is RECOMMENDED.
b. If the PC LAN port is not in use, it is RECOMMENDED to disable
it.
c. If the Bluetooth adapter is not in use, it is RECOMMENDED to
disable it.
d. It is MANDATORY to change the default setting of the NTP server
according to organization policy.
e. It is RECOMMENDED to use the organizational internal NTP
server instead of a public NTP.
2. Local Management:
a. It is RECOMMENDED to allow only HTTPS access to the phone
web management.
b. It is RECOMMENDED to change the default password of the phone
and use a strong password as specified in section 3.2.
c. It is RECOMMENDED that all access to phone web management be
done by the system manager and the password is not shared with the
end user.
3. It is RECOMMENDED to use SRTP voice encryption.
4. It is RECOMMENDED to use phone lock based on inactivity detection.
8.2 Certified 3rd Party SIP Phones
In installations where security should be provided, it is strongly recommended not to
use 3rd party IP phones and softphones.
If for any reason 3rd party phones are in use, it is MANDATORY to use certified
SIP phones only.
Read carefully the IP-phone manufacturer’s installation and maintenance
instructions, as well as the security guide if provided.
Best practices applied here are similar to Tadiran SIP phones.
Best Practice:
1. It is RECOMMENDED to avoid using 3rd party SIP phones.
2. If required, it is MANDATORY to use certified 3rd party SIP phones only.
3. Network Access:
a. It is RECOMMENDED to disable any external Ethernet ports
available on the IP phone that are not in use.
b. It is RECOMMENDED to disable services not in use such as LLDP,
CDP, etc.
c. It is RECOMMENDED to use the organizational internal NTP server
instead of a public NTP.
4. Local Management:
a. It is RECOMMENDED to restrict access to the phone’s
configuration with a user account and a password.
b. It is RECOMMENDED to use a secure protocol such as HTTPS to
access the phone’s configuration menus.
c. It is RECOMMENDED to change the default passwords of the
phone.
d. It is MANDATORY to use strong passwords as specified in section
3.2.
8.3 MGCP Phones
MGCP phones use the MAC address as device ID and UDP as the transport layer.
MGCP phones do not support media encryption.
Best Practice:
1. It is RECOMMENDED to use MGCP phones for internal deployment only
(on the LAN).
2. When using a remote connection such as between sites or home users it is
MANDATORY to set up an L3 VPN tunnel.
9 VoIP Gateways
9.1 SIP Gateways
Best Practice:
1. It is MANDATORY to use certified gateways only as they appear on the
Xross Coral price list.
2. It is MANDATORY to use a Strong Password as specified in the password
policy section.
3. It is RECOMMENDED to use the white list to allow access from authorized
PCs only for HTTP and Telnet operations.
4. It is RECOMMENDED to disable the Telnet service.
5. It is RECOMMENDED to change the HTTP port.
6. It is RECOMMENDED to use an encrypted Config file when executing
Config export.
9.2 MGCP Gateways
MGCP gateways have been removed from the Coral price list as they are not
supported by standard SBCs.
Best Practice:
1. It is RECOMMENDED to use MGCP Gateways on the internal LAN only.
2. For remote deployment it is MANDATORY to use SIP gateways.
10 Network
10.1 Topology
Best Practice:
1. Coral IPx / UCx MUST reside on the internal LAN with no direct access
enabled from the public internet.
2. The access from the public internet to the organization MUST be protected
by a Firewall and SBC.
3. It is RECOMMENDED to separate the Coral IPx / UCx from the users with
IP segmentation by separating IP segments for IP phones and IP PBX.
4. It is RECOMMENDED that Layer 3 routing between different segments (or
VLANs) be done using an internal LAN firewall rather than a core switch.
5. It is RECOMMENDED that Edge switches have a Network Access and
Admission Control (NAC) enabled on them to ensure all devices connected
to them are authenticated and secured in Layer 2 (802.1x).
10.2 Firewall
The firewall's functions are to:
a. Protect the internal network from Denial of Service (and Distributed Denial of
Service) attacks.
b. Break the attack vector by disabling direct connection between the internal LAN
and public internet. This is done by using the SBC as a mediation device in the
DMZ, protected by the firewall.
c. Establish static VPN tunnels to remote sites in a distributed deployment.
Deployment Notes:
1. Firewalls are not provided by Tadiran and need to be purchased from the
vendor.
2. Setup and configuration of the firewall is beyond the scope of this document.
Best Practice:
1. Firewalls used are the installer’s responsibility.
2. It is RECOMMENDED that the firewall be “voice aware” with VPN tunnel
support.
3. The firewall SHOULD be configured to block all direct access from the
public internet to the Coral IPx/UCx. All VoIP traffic MUST be directed via
the SBC in the DMZ.
10.3 SBC
The SBC's functions are to:
a. Protect the internal network from VoIP Denial of Service (and Distributed
Denial of Service) attacks. The SBC is a VoIP Firewall.
b. Encrypt VoIP traffic to remote phones, gateways and SIP Trunk Service
providers (both signaling and media).
c. Provide Certificates to remote SIP providers and authenticate their Certificates.
Deployment Notes:
1. SBCs are not provided by Tadiran and should be obtained and installed from the
vendor.
2. Setup and configuration of the SBC is beyond the scope of this document.
3. Sentinel Pro by Tadiran is a NAT traversal product that is not considered as an
SBC. It does not provide access control (CAC) or deep packet inspection (DPI)
capabilities.
Best Practice:
1. It is MANDATORY to use SBCs that are certified by Tadiran.
2. The SBC SHOULD BE located in the Demilitarized Zone (DMZ) of the
Firewall.
3. SIP Trunks to ITSPs over public internet SHOULD BE connected via
SBC.
4. Remote soft phones running either on PC or on smart phones SHOULD
BE connected via SBC.
5. It is RECOMMENDED to activate TLS capability of the SBC for signaling
encryption to remote devices and trunks.
Note: This is pending support of this capability by the remote device or SIP
trunk.
6. It is RECOMMENDED to activate SRTP capability of the SBC for media
encryption to remote devices and trunks.
Note: This is pending support of this capability by the remote device or SIP
trunk.
7. It is RECOMMENDED to use Authorized Certificate on both ends of the
connection (mutual TLS authentication).
8. It is RECOMMENDED to activate rules and reporting in the SBC to alert
administrators of excessive or unauthorized SIP trunk traffic.
11 Distributed Deployment
11.1 Remote Office Branch Office (ROBO)
A branch office is defined as a remote office with a Coral IPx/UCx system.
Connection between the sites can use NetIP, SIP or QSIG over PRI trunks.
Best Practice:
1. When using either NetIP or SIP trunks to connect between sites it is
MANDATORY to set up a site-to-site VPN tunnel between the sites.
2. It is RECOMMENDED that every branch office be protected by a local
firewall.
11.2 Home Worker
A home worker is defined as a remote site with a single SIP desk phone or softphone
connected to the main site over the public internet.
Functionality of a home worker is limited to basic telephony.
Best Practice:
1. It is MANDATORY that a home worker be connected to the main site via
SBC or site-to-site VPN.
2. It is MANDATORY that a home worker desk phone be set to use TLS and
SRTP encryption.
3. It is RECOMMENDED that every home worker be protected by a local
firewall.
11.3 Road Warrior
A road warrior is a user of a SIP phone (usually a soft phone or SIP client on a smart
phone) that connects to the main site over the public internet.
Functionality of a road warrior is limited to basic telephony.
Best Practice:
It is MANDATORY that a road warrior be connected to the main site via SBC
or Client-Server SSL VPN.
Visit us at: www.tadirantele.com
Israel +972-3-9262000
USA +1-516-632-7200
Russia +7-495-7750855
China +86-10-58696418
India +91-11-25850446 / 25854212