Potential New SIP Providers - Thoughts?
-
@art_of_shred said:
@NetworkNerd said:
@Minion-Queen said:
That's awesome! That will make things much easier.
They can do ip authentication (tie the trunk to a specific public ip) or the standard registration string (whichever you prefer).
I know Vitelity offers that now, too. When you authenticate via IP, it utilizes load balancing on their servers. If you just do registry string, once you lock to a server, it's final for the duration of that connection.
Some providers will even let you register multiple PBXs at once with their registration string (NexVortex).
-
@NetworkNerd said:
They did provide specifics. They said open UDP 1024 - 65535 for RTP traffic specifically but UDP 5060 for SIP.
No, stating 1024-65535 is NOT specifics. It is a cop out.
-
@JaredBusch said:
@NetworkNerd said:
They did provide specifics. They said open UDP 1024 - 65535 for RTP traffic specifically but UDP 5060 for SIP.
No, stating 1024-65535 is NOT specifics. It is a cop out.
Well, by the time I knew the port range I had no choice but to make it work because the port orders were in place, LOAs submitted, and contract with the losing provider was almost up (i.e. almost roped into auto-renew). But I understand what you mean about that port range being excessive.
-
@JaredBusch said:
@NetworkNerd said:
They did provide specifics. They said open UDP 1024 - 65535 for RTP traffic specifically but UDP 5060 for SIP.
No, stating 1024-65535 is NOT specifics. It is a cop out.
At that point, why not just completely make it unsecured and put in an any/any rule.
I would silo that shit pronto, so when the inevitable pwnage happens it doesn't infect the rest of the network.
-
@PSX_Defector said:
@JaredBusch said:
@NetworkNerd said:
They did provide specifics. They said open UDP 1024 - 65535 for RTP traffic specifically but UDP 5060 for SIP.
No, stating 1024-65535 is NOT specifics. It is a cop out.
At that point, why not just completely make it unsecured and put in an any/any rule.
I would silo that shit pronto, so when the inevitable pwnage happens it doesn't infect the rest of the network.
If it's limited only to the IP of the SIP provider, what are you worried about? Don't get me wrong, we should of course limit the ports when possible, but really 1 port versus 64K ports - does it make you more vulnerable when you've locked the ports to a single incoming IP?
-
@Dashrender said:
@PSX_Defector said:
@JaredBusch said:
@NetworkNerd said:
They did provide specifics. They said open UDP 1024 - 65535 for RTP traffic specifically but UDP 5060 for SIP.
No, stating 1024-65535 is NOT specifics. It is a cop out.
At that point, why not just completely make it unsecured and put in an any/any rule.
I would silo that shit pronto, so when the inevitable pwnage happens it doesn't infect the rest of the network.
If it's limited only to the IP of the SIP provider, what are you worried about? Don't get me wrong, we should of course limit the ports when possible, but really 1 port versus 64K ports - does it make you more vulnerable when you've locked the ports to a single incoming IP?
My response to that is how can I trust them to keep their stuff secure when they cannot even configure a proper set of ports for RTP?
-
@JaredBusch said:
@Dashrender said:
@PSX_Defector said:
@JaredBusch said:
@NetworkNerd said:
They did provide specifics. They said open UDP 1024 - 65535 for RTP traffic specifically but UDP 5060 for SIP.
No, stating 1024-65535 is NOT specifics. It is a cop out.
At that point, why not just completely make it unsecured and put in an any/any rule.
I would silo that shit pronto, so when the inevitable pwnage happens it doesn't infect the rest of the network.
If it's limited only to the IP of the SIP provider, what are you worried about? Don't get me wrong, we should of course limit the ports when possible, but really 1 port versus 64K ports - does it make you more vulnerable when you've locked the ports to a single incoming IP?
My response to that is how can I trust them to keep their stuff secure when they cannot even configure a proper set of ports for RTP?
You have a completely valid point.
Setting that aside - does the rest of my point remain valid?
-
@Dashrender said:
@JaredBusch said:
@Dashrender said:
@PSX_Defector said:
@JaredBusch said:
@NetworkNerd said:
They did provide specifics. They said open UDP 1024 - 65535 for RTP traffic specifically but UDP 5060 for SIP.
No, stating 1024-65535 is NOT specifics. It is a cop out.
At that point, why not just completely make it unsecured and put in an any/any rule.
I would silo that shit pronto, so when the inevitable pwnage happens it doesn't infect the rest of the network.
If it's limited only to the IP of the SIP provider, what are you worried about? Don't get me wrong, we should of course limit the ports when possible, but really 1 port versus 64K ports - does it make you more vulnerable when you've locked the ports to a single incoming IP?
My response to that is how can I trust them to keep their stuff secure when they cannot even configure a proper set of ports for RTP?
You have a completely valid point.
Setting that aside - does the rest of my point remain valid?
Yes, as long as you have properly restricted it to the provider, you have less to worry about.
-
@JaredBusch said:
@Dashrender said:
@JaredBusch said:
@Dashrender said:
@PSX_Defector said:
@JaredBusch said:
@NetworkNerd said:
They did provide specifics. They said open UDP 1024 - 65535 for RTP traffic specifically but UDP 5060 for SIP.
No, stating 1024-65535 is NOT specifics. It is a cop out.
At that point, why not just completely make it unsecured and put in an any/any rule.
I would silo that shit pronto, so when the inevitable pwnage happens it doesn't infect the rest of the network.
If it's limited only to the IP of the SIP provider, what are you worried about? Don't get me wrong, we should of course limit the ports when possible, but really 1 port versus 64K ports - does it make you more vulnerable when you've locked the ports to a single incoming IP?
My response to that is how can I trust them to keep their stuff secure when they cannot even configure a proper set of ports for RTP?
You have a completely valid point.
Setting that aside - does the rest of my point remain valid?
Yes, as long as you have properly restricted it to the provider, you have less to worry about.
I've restricted SIP and RTP traffic to the Intelepeer ips as @Dashrender mentions.
