SIP ALG - Security
I have been having issues where my VOIP ATA kept dropping its connection, becoming "Not Registered". To fix this I have had to enable SIP ALG (More > Advanced > NAT Forwarding > SIP ALG).
My question is: I have read on the web that SIP ALG is not as secure as opening specific ports. Is this correct?
Thoughts & comments welcome
Thanks
Stu
@HelpFixDecoApp None of the information in the links within the linked document answers my question: is the aforementioned "SIP ALG" as secure as opening/controlling ports for my VOIP service?
Regards
Stu
Neither SIP ALG nor simple port forwarding is inherently "more secure" than the other; rather, both present different security considerations, and neither is a complete security solution for VoIP. The best security approach involves disabling SIP ALG and using a properly configured firewall or a session border controller (SBC).
SIP ALG Security Considerations
SIP ALG (Application Layer Gateway) was designed to help SIP traffic traverse firewalls and Network Address Translation (NAT), not primarily for security. In practice, poorly implemented SIP ALGs can introduce security risks:
- Opening vulnerabilities: Some buggy SIP ALG implementations can automatically open RTP (media) ports in the firewall, potentially creating unnecessary exposure to malicious traffic.
- Reduced transparency: By modifying packets, SIP ALG can obscure traffic patterns, making it harder to monitor and detect suspicious activity.
- Exposing information: Flawed implementations may not properly hide internal IP addresses, potentially exposing sensitive network information.
Port Forwarding Security Considerations
Port forwarding involves manually opening specific ports on your firewall and directing traffic on those ports to a specific internal device.
- Controlled access: When done correctly, port forwarding is a more controlled method than SIP ALG, as you explicitly define which ports are open and to which internal IP address, limiting the scope of exposure.
- Vulnerability of open ports: Any open port is a potential entry point for attackers. The risk depends entirely on the security of the device and service listening on that port. If the VoIP device has vulnerabilities, an open port could be exploited.
- Targeted attacks: Manually opening default SIP port 5060 can make your system a target for automated scanning and unwanted calls ("ghost calls").
Recommendation
Most VoIP service providers and network professionals recommend disabling SIP ALG because it often causes more connectivity and reliability issues (e.g., dropped calls, one-way audio) than it solves, and it is not a robust security feature.
For secure and reliable VoIP:
- Disable SIP ALG on your router.
- Use a managed firewall that can intelligently handle SIP traffic without using an unreliable ALG, or one where you can define specific, restricted port forwarding rules.
- Implement additional security measures like IP address restrictions (only allowing traffic from your VoIP provider's known IP addresses), strong authentication, and possibly a Session Border Controller (SBC), especially in business environments.
- Keep all VoIP equipment and software updated to mitigate vulnerabilities related to open ports.
@HelpFixDecoApp Interesting, I'll have to see if I can create the rules as suggested by my provider, Andrews & Arnold. This is what I need to input to control the firewall, but I cannot see how, as the only options for Port Forwarding in the Deco App are 'Service type', 'Internal IP', 'Internal Port', 'External Port' and 'Protocol (TCP/UDP)'. I can see no way to add source IP address ranges.
If you are using public IP addresses:
Allowing appropriate SIP and RTP packets through a firewall is the key to reliable VoIP communication. It may be possible to achieve reliability using SIP Keep-Alive packets (every 120 seconds or so) and relying on phones using UDP hole punching for the audio channel, but firewall rules are more certain to work.
This is what we suggest firewall-wise for VoIP customers who have SIP devices (phones/PABXs etc) on public IP addresses.
Firewall Requirements on the AAISP VoIP Platform

| Target | Ports | Source IPs (IPv6) | Source IPs (legacy) |
|---|---|---|---|
| SIP | UDP 5060 | 2001:8b0:0:30::5060:0/112, 2001:8b0:5060::/48 | 81.187.30.110 - 81.187.30.119, 90.155.3.0/24, 90.155.103.0/24 |
| RTP | UDP 1024-65535 | 2001:8b0:0:30::5060:0/112, 2001:8b0:5060::/48 | 81.187.30.110 - 81.187.30.119, 90.155.3.0/24, 90.155.103.0/24 |
Customers should add all IPs above to their firewall rules even if you don't see traffic from or to them. This is a fairly large number of addresses but it means we can expand our platform over time as well as accommodate hosting our equipment in diverse datacentres.
SIP is the call routing information that creates and manages calls. If incoming SIP packets are blocked, incoming calls will fail. In practice if you allow port 5060 from the outside world you'll see attacks and possibly receive spam phone calls. We do not recommend leaving 5060 open unless you really know what you are doing. Phones rarely use ports as low as 5060 for media.
RTP is the actual media (e.g., the audio). On our platform the RTP will come from the same call server IP address as the SIP control messages. On most phones you can configure which ports to listen on for RTP, so you can restrict this range further. Note that RTP actually uses two consecutive port numbers: you should specify an even number, and RTP will also use that port number +1. For example, on a Snom phone the default range for inbound RTP is 49152 to 65534, so the firewall needs to allow the destination port number range 49152 to 65535. As another example, Grandstream phones and ATAs tend to default to listening on 5004 as the RTP port, so you need to allow destination ports 5004-5005 through the firewall.
On routers which need one rule per IP address range you can halve the number of firewall rules needed, as long as the source IP address ranges for SIP and RTP are the same and the RTP port range you specify includes 5060.
In CIDR notation, the IPv4 range 81.187.30.110 - 81.187.30.119 needs two blocks: 81.187.30.110/31 and 81.187.30.112/29.
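The source-restricted policy the provider describes above, and the "only allow your VoIP provider's known IP addresses" advice from the earlier reply, worked through as an added example (not AAISP's, TP-Link's or the thread's own code): it summarises the published ranges into CIDR blocks, emits equivalent nftables rules for a firewall that can match on source address (which the Deco app cannot), and evaluates the same policy against sample packets. The 5004-5005 RTP range is the Grandstream default quoted in the post and is an assumption for other devices; 203.0.113.7 is a constructed scanner address.

```python
import ipaddress

# Provider source addresses, copied from the AAISP table quoted above.
# Entries may be CIDR blocks or "first - last" ranges.
AAISP_SOURCES = [
    "81.187.30.110 - 81.187.30.119",
    "90.155.3.0/24",
    "90.155.103.0/24",
    "2001:8b0:0:30::5060:0/112",
    "2001:8b0:5060::/48",
]
SIP_PORT = 5060
RTP_RANGE = (5004, 5005)  # assumed Grandstream ATA default; widen for other phones


def to_cidr_blocks(entries):
    """Normalise CIDR strings and 'first - last' ranges into ip_network objects."""
    blocks = []
    for entry in entries:
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-"))
            blocks.extend(ipaddress.summarize_address_range(first, last))
        else:
            blocks.append(ipaddress.ip_network(entry))  # strict: rejects host bits set
    return blocks


def nft_rules(sources=AAISP_SOURCES, sip_port=SIP_PORT, rtp_range=RTP_RANGE):
    """Emit nftables rules admitting SIP/RTP only from the provider, then dropping the rest."""
    rules = []
    for net in to_cidr_blocks(sources):
        fam = "ip6" if net.version == 6 else "ip"
        rules.append(f"{fam} saddr {net} udp dport {sip_port} accept")
        rules.append(f"{fam} saddr {net} udp dport {rtp_range[0]}-{rtp_range[1]} accept")
    rules.append(f"udp dport {{ {sip_port}, {rtp_range[0]}-{rtp_range[1]} }} drop")
    return rules


def is_allowed(src, dport, sources=AAISP_SOURCES, sip_port=SIP_PORT, rtp_range=RTP_RANGE):
    """Evaluate the same policy in Python: is a UDP packet from src to dport accepted?"""
    addr = ipaddress.ip_address(src)
    port_ok = dport == sip_port or rtp_range[0] <= dport <= rtp_range[1]
    return port_ok and any(addr in net for net in to_cidr_blocks(sources))


if __name__ == "__main__":
    print("\n".join(nft_rules()))
    # Constructed sample packets: provider call server vs an unrelated scanner (TEST-NET-3).
    for src, port in [("81.187.30.115", 5060), ("203.0.113.7", 5060), ("90.155.3.42", 5004)]:
        print(f"{src}:{port} -> {'accept' if is_allowed(src, port) else 'drop'}")
```

Without source matching, the router-level equivalent is the forwarded port being reachable from any address, which is exactly the "ghost call" exposure the thread warns about.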
Hi, thank you very much for the feedback.
I'm afraid the NAT Forwarding configuration on the Deco App doesn't allow specifying the remote source IPs. In other words, any remote IP can talk to the VOIP ATA via the forwarded ports if they know the public IP address of the router.
Deco XE75_1.4.3 supports "Device Isolation". It is also suggested to enable "Device Isolation" for the VOIP ATA after port forwarding.
Thanks a lot.
Best regards.
Thanks for the information. As stated in another post, I'm away from home until next Saturday; I will look into and probably implement the recommendations, and will get back to you if I have problems.
cheers
Stu
