| Name | Action | Src Interface | Src Network | Dest Interface | Dest Network |
|---|---|---|---|---|---|
| OutboundFrom Proxy&Clients | Allow | lan | lannet (ip_proxy) | wan | all-nets |
| InboundTo Proxy&Clients | Allow | wan | all-nets | lan | lannet (ip_proxy) |
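As an added example (not taken from this guide), the sketch below evaluates the two rules in the table above twice: once with lannet as the local network and once narrowed to ip_proxy, the restriction that becomes possible when Record-Route keeps the proxy in the signalling path. The addresses are constructed, and the first-match evaluator with a default drop is a simplified model of interface and network matching only.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses (assumptions, not values from the guide).
LANNET = ip_network("192.168.1.0/24")
IP_PROXY = ip_network("192.168.1.10/32")
ALL_NETS = ip_network("0.0.0.0/0")

def build_rules(restrict_to_proxy):
    """Return the two Allow rules; lannet is narrowed to ip_proxy on request."""
    local = IP_PROXY if restrict_to_proxy else LANNET
    return [
        # (name, src_if, src_net, dst_if, dst_net)
        ("OutboundFrom Proxy&Clients", "lan", local, "wan", ALL_NETS),
        ("InboundTo Proxy&Clients", "wan", ALL_NETS, "lan", local),
    ]

def match(rules, src_if, src_ip, dst_if, dst_ip):
    """Name of the first rule allowing the flow, or None (default drop)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for name, r_sif, r_snet, r_dif, r_dnet in rules:
        if (src_if, dst_if) == (r_sif, r_dif) and src in r_snet and dst in r_dnet:
            return name
    return None

def exposure(rules):
    """Number of local addresses that inbound (wan-sourced) rules can reach."""
    return sum(r[4].num_addresses for r in rules if r[1] == "wan")

if __name__ == "__main__":
    remote, proxy, client = "203.0.113.5", "192.168.1.10", "192.168.1.50"
    for restricted in (False, True):
        rules = build_rules(restricted)
        print("restricted to ip_proxy:", restricted)
        print("  wan -> proxy :", match(rules, "wan", remote, "lan", proxy))
        print("  wan -> client:", match(rules, "wan", remote, "lan", client))
        print("  client -> wan:", match(rules, "lan", client, "wan", remote))
        print("  inbound destinations allowed:", exposure(rules))
```

With the narrowed rules, only the proxy address remains reachable from the wan interface, so the rule review reduces to one host instead of the whole client network.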
If Record-Route is enabled then the networks in the above rules can be further restricted by using
"(ip_proxy)", as indicated.
Scenario 3
Protecting proxy and local clients - Proxy on the DMZ interface
This scenario is similar to the previous but the major difference is the location of the local SIP
proxy server. The server is placed on a separate interface and network to the local clients. This
setup adds an extra layer of security since the initial SIP traffic is never exchanged directly
between a remote endpoint and the local, protected clients.
The complexity is increased in this scenario since SIP messages flow across three interfaces: the
receiving interface from the call initiator, the DMZ interface towards the proxy and the
destination interface towards the call terminator. The initial message exchanges that take place
when a call is set up in this scenario are illustrated below:
Chapter 6: Security Mechanisms