Avaya's quick two-page checklist is broadly vendor neutral. Key first steps include:
- H.235.5 for H.323 signaling encryption
- SRTP* for H.323 / SIP media encryption (10 bytes overhead per packet)
- Standalone AES encryption can also be used for H.323 media encryption
- TLS for SIP signaling encryption
- SRTP for voicemail interaction
- TLS for adjunct communications
- AES encryption for configuration back-up
- Note, network regions can be created to segment phones that don't support encryption from phones that are capable of encryption
In order to set it up so that security and QoS are maintained, you will need a firewall set which is H.323/SIP-aware. From this SANS paper:
Many of the protocols used with the H.323 suite use random ports causing problems securing through firewalls but may be able to be mitigated by using direct routed calls. Since the ports required for H.323 are not set, a filtering firewall would have to have all possibly needed ports left open. Therefore, the firewall would need to be H.323 aware allowing communication without opening up the firewall to other traffic. A stateful firewall and/or application firewall is required to ensure consistency of the characteristics of connections.
There aren't a huge number of firewalls which support SIP/H.323 well, but the usual stateful enterprise ones like Juniper, Cisco and Palo Alto seem to work.
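To illustrate what "SIP-aware" means in the SANS passage, here is an added example (not part of the original answer, and not any vendor's implementation) of a firewall helper that reads the SDP in SIP signaling, opens only the negotiated media ports, and closes them on BYE. The class name `SipPinholes`, the sample messages, and the RTCP = RTP port + 1 convention are assumptions made for the sketch; it also flags media offered without an SRTP profile, matching the checklist above.

```python
import re

# Constructed SIP/SDP messages (sample input, not captured traffic).
CALL = "Call-ID: a84b4c76e66710\r\n"
INVITE = ("INVITE sip:bob@example.test SIP/2.0\r\n" + CALL +
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/SAVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\n" + CALL +
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 198.51.100.20\r\nm=audio 30000 RTP/AVP 0\r\n")
BYE = "BYE sip:bob@example.test SIP/2.0\r\n" + CALL + "\r\n"


class SipPinholes:
    """Hypothetical signaling-aware filter: media ports are learned, not preconfigured."""

    def __init__(self):
        self.calls = {}      # Call-ID -> set of (ip, port) pinholes
        self.warnings = []   # media lines offered without SRTP

    def signaling(self, msg):
        head, _, body = msg.partition("\r\n\r\n")
        call_id = re.search(r"^Call-ID:\s*(\S+)", head, re.M | re.I).group(1)
        if head.startswith("BYE "):
            self.calls.pop(call_id, None)   # call ended: close its pinholes
            return
        conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        if conn is None:
            return                          # no SDP in this message
        ip = conn.group(1)
        for port, profile in re.findall(r"^m=audio (\d+) (\S+)", body, re.M):
            rtp = int(port)
            # Assumption: RTCP uses RTP port + 1 (no a=rtcp attribute present).
            self.calls.setdefault(call_id, set()).update({(ip, rtp), (ip, rtp + 1)})
            if "SAVP" not in profile:       # RTP/SAVP(F) indicates SRTP
                self.warnings.append(f"{call_id}: {ip}:{rtp} offers {profile}, not SRTP")

    def allows(self, dst_ip, dst_port):
        return any((dst_ip, dst_port) in holes for holes in self.calls.values())


if __name__ == "__main__":
    fw = SipPinholes()
    fw.signaling(INVITE)
    fw.signaling(OK_200)
    print(fw.allows("192.0.2.10", 49170), fw.allows("192.0.2.10", 50000))
    print(fw.warnings)
    fw.signaling(BYE)
    print(fw.allows("192.0.2.10", 49170))
```

This kind of inspection only works when the firewall can read the signaling; with TLS-protected SIP it sees no SDP unless it terminates the TLS session itself.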