Security best practices for Internet-facing SIP trunks


Use the following PureCloud best practices to provide security for Internet-facing SIP trunks.

Prerequisites

  • Telephony Admin role


 

When possible, configure internal network addresses on the network interfaces of your SIP trunks. 

  1. Obtain the internal network IP address of the server.

  2. Click Admin.
  3. Under Telephony, click Trunks.
  4. Click the External Trunks tab.
  5. Find and click the trunk that you want to configure.
  6. In the Outbound SIP Servers or Proxies section, in the Hostname or IP Address field, enter the IP address for your SIP server or intermediate proxy. 
    Note: The inbound listen port is used by default. If you want to use another port number, enter that port number in the Port field.
  7. Click the plus button.
    Note: IP addresses added to the Outbound SIP Servers or Proxies section are automatically placed on the SIP Access Control Allow list.
  8. Click the Save External Trunk button.


Do not use the common default port of 5060 for your SIP trunk. Configure an alternate port. Confirm with your provider that the alternate port is available.

  1. Click Admin.
  2. Under Telephony, click Trunks.
  3. Click the External Trunks tab.
  4. Find and click the trunk that you want to configure.
  5. In the Listen Port field, enter a port number equal to or greater than 1024.
  6. At the bottom of the page, click the Save External Trunk button.

Note: The SIP Access Control List (ACL) applies to inbound SIP trunk calls only.

  1. Click Admin.
  2. Under Telephony, click Trunks.
  3. Click the External Trunks tab.
  4. Find and click the trunk that you want to configure.
  5. Click the Use Source Address enable toggle to Yes.
  6. Under SIP Access Control, to add an address, enter the address in the Add an IP or CIDR address field under Allow the Following Addresses.
  7. Click the plus button to add the permitted address to the Allow ACL.
  8. To deny an address, enter the address in the Add an IP or CIDR address field under Always Deny the Following Addresses.
  9. Click the plus button to add the denied address to the Deny ACL.
  10. At the bottom of the page, click the Save External Trunk button.
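
Before entering values in the Admin UI, the planned settings for all three practices above can be checked offline. The following is an added example, not PureCloud code, and it calls no PureCloud API: the function name, its parameters and the sample values are hypothetical, and "internal network address" is assumed to mean RFC 1918 space.

```python
import ipaddress

# Assumption: "internal network address" is read here as RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_trunk(listen_port, outbound_servers, allow, deny):
    """Return findings for a planned trunk config (all names hypothetical)."""
    findings = []
    # Listen port: not the common default 5060, and 1024 or greater.
    if listen_port == 5060:
        findings.append("listen port is the common default 5060")
    elif not 1024 <= listen_port <= 65535:
        findings.append(f"listen port {listen_port} is outside 1024-65535")
    allow_nets = [ipaddress.ip_network(a, strict=False) for a in allow]
    deny_nets = [ipaddress.ip_network(d, strict=False) for d in deny]
    for host in outbound_servers:
        addr = ipaddress.ip_address(host)
        # Outbound servers should use internal addresses when possible.
        if not any(addr in net for net in RFC1918):
            findings.append(f"outbound server {host} is not an internal address")
        # Outbound servers are placed on the Allow list automatically, so a
        # Deny entry that covers one is a conflict to resolve before saving.
        for net in deny_nets:
            if addr in net:
                findings.append(f"deny entry {net} covers outbound server {host}")
    for net in allow_nets:
        # A zero-length prefix matches every source, which defeats the ACL.
        if net.prefixlen == 0:
            findings.append(f"allow entry {net} admits every source address")
        for d in deny_nets:
            if net.overlaps(d):
                findings.append(f"allow entry {net} overlaps deny entry {d}")
    return findings

# Constructed sample values (private and documentation ranges only).
PLANNED = dict(listen_port=5060,
               outbound_servers=["10.20.0.5", "203.0.113.10"],
               allow=["10.20.0.0/24", "0.0.0.0/0"],
               deny=["203.0.113.0/24"])

if __name__ == "__main__":
    for finding in audit_trunk(**PLANNED):
        print("FINDING:", finding)
```

An empty result means the planned values are consistent with the practices on this page; it does not confirm how the trunk behaves once saved.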