Is it safe to use a SIP trunk as an outbound calling option?

SIP trunk security measures

A recent Cisco product security advisory and a blog post by Chris Jackson made me think that SIP trunks may not be secure enough as a PSTN (Public Switched Telephone Network) access method. Indeed, if you plug your Communication Manager (or Communication Manager Express) directly into the internet or directly into your service provider's "private" SIP cloud, you are at risk. But if you take the minimum security measures I specify below, you should not have a problem.

The risks fall into three categories:

1. Toll fraud and excessive phone bills.
2. System crashes and phone productivity issues.
3. Hacking into the enterprise network through the SIP trunk.

To protect yourself from them, here are my recommendations:

Never connect a call processing (Call Manager) device directly to a public network (the internet or a SIP provider cloud). Static NAT of port 5060 in your firewall is also very risky.

Use a dedicated device for the outbound-facing functions: a CUBE (Cisco Unified Border Element) in Cisco's world, or an SBC (Session Border Controller) with other vendors.

Place a SIP-aware firewall between the CUBE and the internet to protect the CUBE from DoS/DDoS attacks and malformed SIP packets. The only port that should be allowed to this device is tcp/udp 5060.

Treat your SIP provider's network as a public network: you don't control who is on it, and attacks can be sourced from there.

Have toll fraud prevention measures configured in your dial plan. In Communication Manager these are:

1. Block trunk-to-trunk transfers.
2. Use FAC (Feature Authorization Code) for high-cost calls.
3. Don't allow high-cost route patterns in the gateway's inbound CSS.
4. Configure call logging and reporting to allow forensics.

With those in place, SIP should be safe enough, and the advantages it provides will be worth it. Comments?
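As an added example (not code from the original post or from Cisco), here is one way the call logging in item 4 can be used to check that items 1 to 3 are actually holding. The CSV column names, the trunk device naming and the high-cost prefixes are assumptions made for this sketch, and the sample records are constructed.

```python
import csv
import io

# Constructed sample call records. Column names are hypothetical and simplified;
# map them to whatever your call-logging system actually exports.
SAMPLE_CDR = """orig_device,dest_device,called_number,fac_used,duration_s
SEP001122334455,SIP-TRUNK-1,915551230000,no,120
SIP-TRUNK-1,SIP-TRUNK-1,9011442070000000,no,3400
SEP00AABBCCDDEE,SIP-TRUNK-1,9011442070000000,yes,300
SEP00AABBCCDDEE,SIP-TRUNK-1,919005550100,no,900
SIP-TRUNK-1,SEP001122334455,2001,no,60
"""

TRUNK_PREFIXES = ("SIP-TRUNK",)         # assumed naming convention for trunk devices
HIGH_COST_PREFIXES = ("9011", "91900")  # assumed: 9 + international / premium-rate


def is_trunk(device):
    return device.startswith(TRUNK_PREFIXES)


def is_high_cost(number):
    return number.startswith(HIGH_COST_PREFIXES)


def audit_cdr(text):
    """Return (row_number, reason) findings for calls that break the dial-plan rules."""
    findings = []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=1):
        from_trunk = is_trunk(row["orig_device"])
        to_trunk = is_trunk(row["dest_device"])
        costly = is_high_cost(row["called_number"])
        # Rule 1: a call that both enters and leaves on a trunk should not exist.
        if from_trunk and to_trunk:
            findings.append((n, "trunk-to-trunk call"))
        # Rule 3: inbound trunk calls must not reach high-cost route patterns.
        if from_trunk and costly:
            findings.append((n, "high-cost pattern reachable from inbound trunk"))
        # Rule 2: internal callers need an authorization code for high-cost calls.
        if not from_trunk and to_trunk and costly and row["fac_used"] != "yes":
            findings.append((n, "high-cost call without FAC"))
    return findings


if __name__ == "__main__":
    for row_number, reason in audit_cdr(SAMPLE_CDR):
        print(f"row {row_number}: {reason}")
```

Any finding means a dial-plan control is missing or misconfigured, so the fix belongs in the dial plan rather than in the report.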


Copyright © 2010 Raybet2
