Securing SIP Gateways
Your SIP gateway, as part of your IP network, should conform to your company security policy. Deployment of basic items, such as user control and authentication, access-control lists, and physical security, should be standard. The SIP network, like most of your user devices, should be on a LAN using private IP addresses, with strong perimeter security.
Because SIP messages carry IP addresses in several places (the Via and Contact headers, and the c= and m= lines of the SDP body that name the RTP address and ports for the media), a firewall that treats SIP as opaque UDP or TCP traffic cannot translate those embedded addresses or open the dynamic RTP ports a call needs. Use a firewall that inspects SIP at the application layer. Cisco IOS firewalls, PIX firewalls, and Adaptive Security Appliance (ASA) devices can all inspect the SIP application data, fix up embedded addresses, and track call state so that media pinholes are opened only for the duration of a call.
SIP supports several authentication, authorization, and accounting (AAA) mechanisms to authenticate communications between UAs, servers, and gateways. One option is to use RADIUS to preauthenticate calls: the gateway forwards the incoming call information to a RADIUS server, which must accept it before the gateway connects the call. To enable AAA for SIP calls, configure AAA normally on both the gateway and the RADIUS server. In addition, in global configuration mode, issue the aaa preauth command to enter AAA preauthentication configuration mode, and specify the RADIUS server with the command group {radius | groupname}.
You can also use HTTP Digest authentication. UAs, proxy servers, and redirect servers can demand authentication before they process a SIP request, and gateways can answer those challenges, including on behalf of the non-SIP phones that they have registered to a SIP server. SIP defines authentication and authorization header fields for this purpose. A server that receives a request such as an INVITE without credentials rejects it with a challenge (401 Unauthorized from a UA server, 407 Proxy Authentication Required from a proxy) containing a realm and a fresh nonce. The client then resends the request with an Authorization (or Proxy-Authorization) field carrying its username, the realm, the nonce, and an MD5 hash computed over the username, realm, password, nonce, request method, and request URI, so the password itself never crosses the network. To configure a gateway to use HTTP Digest authentication, enter the following command in each dial peer or in SIP-UA configuration mode: authentication username username password password [realm realm]. Username is the name of the user that authenticates, password is the shared secret, and realm is an optional entry that lets you configure several username/password pairs. Because the realm is included in the challenge, the gateway can answer each challenge with the credentials configured for that realm. Note that Digest proves knowledge of the password but does not protect the rest of the message: headers and SDP can still be read or altered in transit, and an attacker who captures a challenge and response can attempt an offline dictionary attack against a weak password, so choose long passwords and protect the transport.
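The following Python script is an added example, not code from the original page or from Cisco, that works through the challenge/response exchange described above from both sides: it parses a constructed Digest challenge, selects the username/password pair configured for the challenged realm (mirroring the optional realm argument of the authentication command), computes the RFC 2617 MD5 response that goes in the Authorization header, and then verifies that header the way a server would. The realms, usernames, passwords and nonce are made up for the example; the arithmetic is the standard one SIP reuses from HTTP.

```python
import hashlib
import hmac
import re

# Constructed sample credentials, one pair per realm, standing in for the
# gateway's "authentication username ... password ... realm ..." entries.
CREDENTIALS = {
    "sip.example.com": ("gw01", "s3cr3t-long-passphrase"),
    "pstn.example.net": ("gw01-pstn", "an0ther-long-passphrase"),
}


def parse_digest(header_value):
    """Split a Digest header value (challenge or credentials) into a dict of parameters."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only the Digest scheme is handled here")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', params)}


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, password, realm, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 response computation as used by SIP (RFC 3261 section 22)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # the only place the password appears
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:  # qop=auth also binds the client nonce and request counter
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(challenge_header, method, uri, cnonce="0a4f113b", nc="00000001"):
    """Client side: answer a 401/407 challenge with credentials for the challenged realm."""
    ch = parse_digest(challenge_header)
    realm = ch["realm"]
    if realm not in CREDENTIALS:
        raise KeyError(f"no credentials configured for realm {realm!r}")
    username, password = CREDENTIALS[realm]
    # Honour qop=auth only if the server offered it; otherwise fall back to the legacy form.
    qop = "auth" if "auth" in ch.get("qop", "").split(",") else None
    response = digest_response(username, password, realm, method, uri,
                               ch["nonce"], qop, nc, cnonce)
    fields = [f'username="{username}"', f'realm="{realm}"', f'nonce="{ch["nonce"]}"',
              f'uri="{uri}"', f'response="{response}"', "algorithm=MD5"]
    if qop:
        fields += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    return "Digest " + ", ".join(fields)


def verify_authorization(auth_header, method, password_lookup):
    """Server side: recompute the digest from the stored password and compare in constant time."""
    p = parse_digest(auth_header)
    password = password_lookup(p["username"], p["realm"])
    if password is None:
        return False
    expected = digest_response(p["username"], password, p["realm"], method, p["uri"],
                               p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected, p["response"])


def lookup_password(username, realm):
    """Server's credential store; here it is just the same constructed table."""
    entry = CREDENTIALS.get(realm)
    return entry[1] if entry and entry[0] == username else None


def rfc2617_vector_ok():
    """Check the arithmetic against the published RFC 2617 section 3.5 example."""
    got = digest_response("Mufasa", "Circle Of Life", "testrealm@host.com", "GET",
                          "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                          "auth", "00000001", "0a4f113b")
    return got == "6629fae49393a05397450978507c4ef1"


if __name__ == "__main__":
    # Constructed 407 challenge from a proxy for the sip.example.com realm.
    challenge = 'Digest realm="sip.example.com", nonce="f1a2b3c4d5e6", qop="auth", algorithm=MD5'
    uri = "sip:5551234@sip.example.com"
    auth = build_authorization(challenge, "INVITE", uri)
    print("Proxy-Authorization:", auth)
    print("server accepts:", verify_authorization(auth, "INVITE", lookup_password))
    # Same header replayed for a different method no longer matches HA2.
    print("accepted for BYE:", verify_authorization(auth, "BYE", lookup_password))
    print("RFC 2617 vector ok:", rfc2617_vector_ok())
```

The server-side check recomputes the hash from its own copy of the password rather than trusting anything in the header, and a replayed Authorization header fails as soon as the method, URI or nonce differs, which is why servers issue a fresh nonce per challenge.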
To provide a confidential, integrity-protected transport for SIP messages, Cisco IPT devices have added support for the TLS protocol. TLS protects only the signaling, so headers and SDP can no longer be read or modified on the wire and digest challenges cannot be harvested for offline attack; the RTP media stream is a separate flow and needs its own protection (SRTP) if it must also be encrypted.