Building firewalls that work with SIP trunking

Posted on October 22, 2014

Bad people want access to your VoIP account. And if they get it, they can crank your phone bill up into the hundreds of thousands of dollars range in no time at all. To protect your business, you need to lock down your phone system in a number of ways. The first line of defense is a firewall, but a firewall can get in the way of audio transmissions, resulting in poor voice quality. Here’s how to be secure and still sound good.

Installing-Firewalls-and-other-security-must-haves-for-VoIP

Here’s how toll-fraud works:

To the network, fraudulent calls look just like any other. There are two major types of toll-fraud. The most common is when fraudsters gain access to your account and sell traffic routed through your system to people looking for a bargain. The second way is when fraudsters become carriers in poorly regulated jurisdictions. It’s remarkably easy to legitimately become a carrier in many countries that lack a federally regulated telephone network. These bad-intentioned carriers then set their own toll rates, and (not surprisingly) they set them high. When they get into your account, they place calls a whole lot of calls to these high-rate numbers which are configured to play endless music to keep the calls alive indefinitely.

If access to your account isn’t secure, you’re at risk of getting hit with a very large phone bill.

Because your VoIP system sits on your network, it’s critical to secure your network using a firewall to keep out intruders. There are many firewall options to choose from and the needs of your network may differ, so you should do your research on what will work best for your system. We guide customers to avoid firewalls that feature a SIP Application Layer Gateway (or ALG) which can often cause problems with one-way audio or dropped calls. We also see frequent call quality issues associated with Sonicwall and pfSense firewalls.

Once your network is locked up tight, there is still more you can do.

On the account level:

We highly recommend that our customers set up the account level fraud controls provided on the Flowroute Account Manager interface. To protect against the above mentioned fraud tactics, one of the best defenses you can set up is a maximum rate limit. This prevents any calls being placed to those high cost destinations, even if attackers get through your firewall. We also recommend our customers build destination whitelists to allow a only very specific list of call destinations.

Another layer of security which can be added is the use of IP-based authentication of your outbound calls, and disabling your SIP credentials on the fraud control settings within your account. With that level of protection, you can establish a secure list of allowable IP addresses on your SIP trunking or VoIP account. This also takes a bit of simple setup on your phone system, but once it is set up, no one outside of your organization’s static IPs will be able to place outbound calls through your account.

Letting calls in:

Firewalls only follow the rules they’re given. Like any good bouncer, they’ll block everyone that’s not on the guest list. If your provider isn’t on the list, you will most likely experience call quality issues like one-way or garbled audio, dropped calls, or more likely, calls that just never show up. With a firewall in place, you’ll have to put your provider on the guest list. For systems that reside directly on the internet without a hardware firewall, iptables is the most common way to lock access down to approved IP addresses and services. This guide walks you through the steps to grant Flowroute permission to deliver calls into your PBX using iptables.

Any system exposed to the public internet is a potential risk. There are ways you can thwart attackers by making your systems more elusive.

  • Don’t use easy to guess extension names and passwords.
  • Use non-standard SIP ports, i.e. not 5060.
  • If you can use IP-based authentication, remove your credentials from your PBX altogether.
  • Install a service like Fail2ban that blocks IP addresses with more than a configurable number of login failures.

For more detail on how to secure your phone system, particularly Asterisk systems, give this Asterisk Lockdown post a read.

You don’t need to trade quality for security:

It is possible to be secure and still sound good. By taking these steps, you’ll be able to configure your system to protect your account balance and avoid the major issues typically associated with firewalls and VoIP. If you do run into problems, call us here at Flowroute (1-855-356-9768), we’d love to help.

We have updated our Privacy Policy found here. By continuing to use our website, you agree that you understand these policies.

Got it!