Table of Contents
Advertisement
located on the same local network as well as clients on the external, unprotected side.
Communication can take place across the public Internet or between clients on the local
network.
•
Scenario 3
Protecting proxy and local clients - Proxy on a DMZ interface
The SIP session is between a client on the local, protected side of the NetDefend Firewall and
a client which is on the external, unprotected side. The SIP proxy is located on the DMZ
interface and is physically separated from the local client network as well as the remote client
network and proxy network.
All the above scenarios will also deal with the situation where two clients in a session reside on
the same network.
These scenarios will now be examined in detail.
Scenario 1
Protecting local clients - Proxy located on the Internet
The scenario assumed is an office with VoIP users on a private internal network where the
network's topology will be hidden using NAT. This is illustrated below.
The SIP proxy in the above diagram could alternatively be located remotely across the Internet.
The proxy should be configured with the Record-Route feature enabled to ensure all SIP traffic
to and from the office clients will be sent through the SIP Proxy. This is recommended since the
attack surface is minimized by allowing only SIP signaling from the SIP Proxy to enter the local
network.
This scenario can be implemented in two ways:
•
Using NAT to hide the network topology.
•
Without NAT so the network topology is exposed.
Note: NAT traversal should not be configured
SIP User Agents and SIP Proxies should not be configured to employ NAT Traversal in any
setup. For instance the Simple Traversal of UDP through NATs (STUN) technique
468
Chapter 6: Security Mechanisms
- Quick Links:
- User Manual
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
