Version 6.8 143 Mediant 2600 E-SBC
User's Manual 13. Security
Parameter
Firewall Rule
1 2 3 4 5
Byte Rate
0 0 40000 40000 0
Burst Bytes
0 0 50000 50000 0
Action Upon Match
Allow Allow Allow Allow Block
The firewall rules in the above configuration example do the following:
Rules 1 and 2: Typical firewall rules that allow packets ONLY from specified IP
addresses (e.g., proxy servers). Note that the prefix length is configured.
Rule 3: A more "advanced” firewall rule - bandwidth rule for ICMP, which allows a
maximum bandwidth of 40,000 bytes/sec with an additional allowance of 50,000 bytes.
If, for example, the actual traffic rate is 45,000 bytes/sec, then this allowance would be
consumed within 10 seconds, after which all traffic exceeding the allocated 40,000
bytes/sec is dropped. If the actual traffic rate then slowed to 30,000 bytes/sec, the
allowance would be replenished within 5 seconds.
Rule 4: Allows traffic from the LAN voice interface and limits bandwidth.
Rule 5: Blocks all other traffic.
13.2 Configuring General Security Settings
The device uses TLS over TCP to encrypt and optionally, authenticate SIP messages. This
is referred to as Secure SIP (SIPS). SIPS uses the X.509 certificate exchange process, as
described in 'Configuring SSL/TLS Certificates' on page 87, where you need to configure
certificates (TLS Context).
Notes:
• When a TLS connection with the device is initiated by a SIP client, the device also
responds using TLS, regardless of whether or not TLS was configured.
• For backward compatibility, the following parameters can be used:
√ SIPTransportType to enable TLS.
√ TLSLocalSIPPort to configure the device's port used for TLS traffic.
To configure SIPS:
1. Configure a TLS Context as required.
2. Assign the TLS Context to a Proxy Set or SIP Interface (see Configuring Proxy Sets
on page 269 and Configuring SIP Interfaces on page 256, respectively).
3. Configure a SIP Interface with a TLS port number.
4. Configure various SIPS parameters in the General Security Settings page
(Configuration tab > VoIP menu > Security > General Security Settings).
For a description of the TLS parameters, see TLS Parameters on page 572.
5. By default, the device initiates a TLS connection only for the next network hop. To
enable TLS all the way to the destination (over multiple hops), set the 'Enable SIPS'
(EnableSIPS) parameter to Enable in the SIP General Parameters page
(Configuration tab > VoIP menu > SIP Definitions > General Parameters).
To Next Page
Loading...
Need help?
General
