SECURITY GUIDELINES FOR WP810 DEPLOYMENT 
The WP810 is often deployed behind NAT. The network administrator can consider the following security
guidelines for the WP810 to work properly and securely.
 
•  Turn off SIP ALG on the router 
On the customer’s router, it’s recommended to turn off SIP ALG (Application Layer Gateway). SIP ALG
is common in many routers and is intended to prevent some problems caused by router firewalls by
inspecting VoIP packets and modifying them if necessary. Even though SIP ALG is intended to prevent
issues for VoIP devices, it can be implemented imperfectly and cause problems. In some cases SIP ALG
modifies SIP packets improperly, which might cause VoIP devices to fail to register or establish calls.
 
•  Use TLS and SRTP for SIP calls 
On the WP810, it’s recommended to use TLS for SIP transport with “sips” in the SIP URL scheme for SIP
signaling encryption, and to use SRTP for media encryption.
Below are the SIP ports and RTP ports used on the WP810, in case the network administrator needs to
create firewall rules.
 
➢  Under web UI → Account x → SIP Settings → Basic Settings, the feature “Local SIP Port”
defines the local SIP port used to listen and transmit. The default value when using SIP transport
protocol UDP/TCP is 5060 for Account 1, 5062 for Account 2, … The valid range is from 1024 to
65400.
 
➢  Under web UI → Settings → General Settings, the feature “Local RTP Port” defines the local RTP
port used to listen and transmit. The local RTP port ranges from 1024 to 65400 and must be even. It is
the base RTP port for channel 0. When configured, channel 0 will use this port_value for RTP and
port_value+1 for RTCP. Channel 1 will use port_value+2 for RTP, and so on, until the limit is reached,
after which it resets to the first port_value. The default value is 5004 for RTP and 5005 for RTCP.
 
Note: On the customer’s firewall, it’s recommended to ensure the SIP port is opened for the SIP accounts
on the WP810. It’s not necessary to use the default port 5060/5062/… on the firewall. Instead, the
network administrator can consider mapping a different port on the firewall to WP810 SIP port 5060
for security purposes.
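
The RTP/RTCP port layout described above, as an added example for sizing a firewall rule (this is not Grandstream code). The channel count of 2 and the reading of "the limit" as the top of the valid port range are assumptions.

```python
# Added example (not vendor code): which UDP ports does a WP810 use for media?
RTP_MIN, RTP_MAX = 1024, 65400  # valid "Local RTP Port" range from the guide


def validate_base_rtp_port(port):
    """Return port if it is a legal "Local RTP Port" value, else raise ValueError."""
    if isinstance(port, bool) or not isinstance(port, int):
        raise ValueError("Local RTP Port must be an integer")
    if not RTP_MIN <= port <= RTP_MAX:
        raise ValueError(f"{port} is outside {RTP_MIN}-{RTP_MAX}")
    if port % 2:
        raise ValueError(f"{port} is odd; the base RTP port must be even")
    return port


def channel_ports(base, channels):
    """List (channel, rtp_port, rtcp_port) for channels 0..channels-1."""
    validate_base_rtp_port(base)
    if channels < 1:
        raise ValueError("channels must be at least 1")
    # Assumption: "the limit" is the top of the valid range; past it the
    # allocation resets to the base port, as the guide describes.
    slots = (RTP_MAX - base) // 2 + 1
    result = []
    for ch in range(channels):
        rtp = base + 2 * (ch % slots)
        result.append((ch, rtp, rtp + 1))  # RTCP is always RTP + 1
    return result


def firewall_udp_range(base, channels):
    """Smallest contiguous UDP range (low, high) covering all RTP/RTCP ports."""
    ports = channel_ports(base, channels)
    return min(p[1] for p in ports), max(p[2] for p in ports)


if __name__ == "__main__":
    # Constructed input: default base port 5004, two channels (assumed count).
    for ch, rtp, rtcp in channel_ports(5004, 2):
        print(f"channel {ch}: RTP {rtp}/udp, RTCP {rtcp}/udp")
    print("allow UDP %d-%d" % firewall_udp_range(5004, 2))
```
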
 
•  Use HTTPS for web UI access 
WP810 Web UI access should be equipped with a strong administrator password in addition to using