On 1/9/07, Andrew Kohlsmith <[EMAIL PROTECTED]> wrote:
> Off the top of my head, the following recommendations seem both straightforward and prudent: ...
Nice job. Those are some really good 'best practice'-type measures to take.

I remember talking to a vendor one time about firewalls that are specifically built for VOIP. They understand the semantics of SIP call setup and only allow traffic to flow according to the progress of the call and other rules. I can't remember the specifics, but for instance, we often open certain TCP and UDP ranges for both SIP and RTP. This firewall might prevent a client from talking on your RTP port until it's properly authenticated through SIP, and may also help enforce those absolute maximums that you're discussing to prevent DoS attacks.

I think it also limited the data rate per session. That way, you couldn't get someone opening up a SIP session and sending a huge flood of RTP data. You might establish a rule that any given RTP session could only transmit at 150 kbps, which should allow for most codecs and keep a malicious or malfunctioning session from overwhelming your systems.

The name escapes me right now, but I remember that we could get a unit for around $500 that would service a medium-sized business. In the scope of the whole VOIP investment, it would be some nice peace of mind.

Dave
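To make the two behaviours Dave describes concrete (RTP admitted only once the endpoint has authenticated via SIP and negotiated a media port, and a per-session ceiling of 150 kbps), here is a toy SIP-aware gatekeeper. It is an added illustration written for this thread, not code from the vendor product mentioned or from any list member; the class and method names, the simplified SIP event model (a REGISTER answered with 200 OK counts as authenticated, an INVITE answered with 200 OK opens one media port, BYE closes it), the fixed one-second accounting window and all IP addresses and packet sizes are constructed for the example.

```python
"""Toy SIP-aware RTP gatekeeper (constructed example, not a real firewall)."""
from dataclasses import dataclass
from typing import Optional

RATE_LIMIT_BPS = 150_000   # per-session ceiling discussed in the thread
WINDOW_SECONDS = 1.0       # fixed accounting window (assumption for this toy)


@dataclass
class Dialog:
    """Per-endpoint state learned from the SIP signalling path."""
    authenticated: bool = False     # set once REGISTER completes with 200 OK
    rtp_port: Optional[int] = None  # media port from the answered INVITE; None = no call
    window_start: float = 0.0       # start of the current rate-accounting window
    window_bytes: int = 0           # RTP bytes accepted in the current window


class SipAwareGatekeeper:
    """Admits RTP only for authenticated dialogs, within a per-session bit-rate cap."""

    def __init__(self, rate_limit_bps: int = RATE_LIMIT_BPS) -> None:
        self.rate_limit_bps = rate_limit_bps
        self.dialogs: dict[str, Dialog] = {}

    def on_sip(self, src: str, method: str, status: int,
               rtp_port: Optional[int] = None) -> None:
        """Update call state from a (simplified) SIP request/response pair."""
        d = self.dialogs.setdefault(src, Dialog())
        if method == "REGISTER" and status == 200:
            d.authenticated = True
        elif method == "INVITE" and status == 200 and d.authenticated:
            d.rtp_port = rtp_port            # open exactly the negotiated media port
            d.window_start, d.window_bytes = 0.0, 0
        elif method == "BYE":
            d.rtp_port = None                # call over: media port closes again

    def on_rtp(self, src: str, dst_port: int, size: int, now: float) -> str:
        """Decide on one RTP packet; returns 'allow' or a 'drop:<reason>' string."""
        d = self.dialogs.get(src)
        if d is None or not d.authenticated:
            return "drop:unauthenticated"    # no SIP authentication seen from this source
        if d.rtp_port != dst_port:
            return "drop:no-dialog"          # port not opened by an answered INVITE
        if now - d.window_start >= WINDOW_SECONDS:
            d.window_start, d.window_bytes = now, 0   # start a fresh window
        if (d.window_bytes + size) * 8 > self.rate_limit_bps * WINDOW_SECONDS:
            return "drop:rate-limit"         # this packet would exceed 150 kbps
        d.window_bytes += size
        return "allow"


def run_demo() -> dict:
    """Constructed scenario: a legitimate call, a stranger, then a flood from the caller."""
    gk = SipAwareGatekeeper()
    counts = {"legit_allowed": 0, "stranger_dropped": 0,
              "flood_allowed": 0, "flood_dropped": 0}

    # Handset 10.0.0.5 registers (challenged, then accepted) and places a call.
    gk.on_sip("10.0.0.5", "REGISTER", 401)
    gk.on_sip("10.0.0.5", "REGISTER", 200)
    gk.on_sip("10.0.0.5", "INVITE", 200, rtp_port=20000)

    # G.711 at 20 ms packetisation: 172-byte packets, 50 per second (~69 kbps) -> fits.
    for i in range(50):
        if gk.on_rtp("10.0.0.5", 20000, 172, now=i * 0.02) == "allow":
            counts["legit_allowed"] += 1

    # 10.0.0.9 never authenticated: every packet is refused at the media port.
    for i in range(5):
        if gk.on_rtp("10.0.0.9", 20000, 172, now=i * 0.02) != "allow":
            counts["stranger_dropped"] += 1

    # The caller then bursts 1400-byte packets every millisecond: 150 kbps allows
    # 18750 bytes per window, so 13 packets pass and the remainder are dropped.
    for i in range(100):
        verdict = gk.on_rtp("10.0.0.5", 20000, 1400, now=2.0 + i * 0.001)
        counts["flood_allowed" if verdict == "allow" else "flood_dropped"] += 1
    return counts


if __name__ == "__main__":
    print(run_demo())
```

The point of the rate check is that it is applied per dialog rather than per interface, so one misbehaving handset is throttled without starving the other calls, which is the property Dave attributes to the appliance.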
