Security Check: SIP Firewall Security

When you’re looking at network security, have you given much thought to SIP firewall security? When small and midsized business owners consider making a move to SIP, they often focus on the wrong adjectives, such as fast, cheap, and easy.  Some providers intentionally attempt to cast a spell on their customers to accelerate the sales process, by creating the impression that SIP trunks can be installed and maintained without worrying about the general security risks associated with the internet.  They refuse to shoot straight when it comes to security.

Many SIP providers will tell you how SIP can be encrypted, and that each SIP message can be subjected to authentication requests. But encryption and authentication are only part of the SIP trunk security story.  Network security is of the utmost importance not only to businesses but to all Internet users. Encryption and authentication may be great, but what if the security threat is closer to home?

One of the core components of your net security detail is your firewall.  If you don’t know if your business has a firewall, or assume that it does but know little about it, it’s time for a security check.

Fortifying your Defenses

With packets of data continuously flooding into and out of your business, the modern firewall shares characteristics with your front door.  The door’s primary responsibility is to allow or block entry, with a lock on the handle and a deadbolt to keep unsavory intruders at bay.  It may also have a spy hole or security camera installed, so you can monitor who is on the doorstep, or even a chain so you can open it partway and have a conversation with a salesperson.  There may be a mail slot so the postman can drop off your bills, or even a pet door to allow your dog or cat to pass in and out of the house freely.  Each accessory acts as a port, allowing safe passage for designated items into and out of the home.

Firewalls play a similarly significant role in SIP trunk security since they can block unwelcome traffic and keep malicious hackers at bay while allowing SIP calls to flow through specified channels. But they’ve grown more complex over time in response to advances in technology and the sophistication of the attacks they are designed to ward off.

Types of Firewalls

Firewalls are often mistakenly lumped into the same category as anti-virus programs, but a firewall can be a hardware appliance or a software application.  The hardware devices are hooked up to the network and filter the incoming and outgoing data packets, based on the preferences of the administrator.  Firewall software is installed on the operating system of the computer, sifting and sorting the packets as they come in. However, along with protecting the network and keeping it free of unwanted packets, we need to perform a specialized type of translation that can be tricky with SIP firewall security.

Firewalls and Network Address Translation (NAT)

As we’ve discussed in previous articles, SIP calls are three distinct network connections:
  • The SIP connection which provides signaling
  • The incoming audio stream from the caller
  • The outgoing audio stream to the caller

If you have employees within your network, they will often have private IP addresses (which can't be reached directly from the internet) while sharing a single public IP address.  Network Address Translation, or NAT, is a method of remapping one IP address into another by changing the network address information. The caller's private address is replaced with a public address so the call can be delivered to its destination.  When the response comes, a translation table is consulted to find the return address of the caller, ensuring that the incoming stream can traverse the firewall and flow to the right device.

The incoming and outgoing audio streams use RTP, or Real-time Transport Protocol, to deliver the packets in those streams.  If there is a firewall between you and another caller, and the firewall doesn’t recognize the incoming stream, it will block it, producing one-way audio.  This means you won’t be able to hear them, though they may still hear you.

So, you must ensure that the firewall you have—or the firewall you’re considering—is SIP aware.  It’s equally crucial that the firewall is configured correctly because along with the issue of one-way audio, an incorrect configuration can cause low-quality calls and calls that don’t connect.

When configuring SIP firewall security, a business must think like a security guard and understand what is being allowed into and out of its private network. Many firewalls will let everything out because they trust the internal network while placing intense scrutiny on incoming traffic. The configuration allows passage through specific IP addresses, ports, and protocols, which is known as port forwarding.

What is Port Forwarding?

Port forwarding is an application of NAT that redirects a request from one address/port to another. Port forwarding allows your phone system’s IP address to communicate with outside IP addresses/ports defined by your firewall. Essentially, you’re opening a hole in your firewall and directing a certain type of traffic through that hole. Port forwarding needs to be done carefully because while you want RTP/UDP traffic to reach your IP-PBX, you don’t want to allow non-SIP—and possibly malicious—traffic in.

What needs to be port forwarded? Your carrier's IPs, ports, and media, since they all play a vital role in secure call connections and transmitting media between parties.  As an example, if your business were working with us for outbound calling, we would instruct you to:

  • Allow our IP 216.147.191.156 into your firewall on port 5060, and
  • Set the RTP/UDP range to the number of lines you need to manage the volume of calls you expect to have at any given time (simultaneous calls).
  • Disable SIP ALG. SIP ALG can cause any number of call problems in configurations with more than two lines, such as failed calls, mixed RTP streams, poor call quality, etc.

There are some solutions for SIP firewall security that will monitor port 5060, which is the SIP signaling port. Through pre-set rules and policies, only SIP traffic will be forwarded while other RTP/UDP traffic will be refused.
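
The three instructions above can be checked mechanically. The following is an added example, not Voxtelesys code: it audits a port-forward table written in a neutral tuple form invented for this illustration, and it assumes two UDP ports per simultaneous call (RTP plus RTCP). Both sample tables are constructed.

```python
import ipaddress

CARRIER = ipaddress.ip_network("216.147.191.156/32")  # carrier IP quoted above
SIP_PORT = 5060
PORTS_PER_CALL = 2  # assumption: one RTP and one RTCP port per simultaneous call

# Constructed tables of (protocol, source CIDR, first port, last port).
WIDE_OPEN = [("udp", "0.0.0.0/0", 5060, 5060),
             ("udp", "0.0.0.0/0", 10000, 20000)]
SCOPED = [("udp", "216.147.191.156/32", 5060, 5060),
          ("udp", "216.147.191.156/32", 10000, 10019)]


def audit(rules, simultaneous_calls, sip_alg_enabled):
    """Return a list of findings for one port-forward table."""
    findings, media_ports, sip_forwarded = [], 0, False
    for proto, source, first, last in rules:
        src = ipaddress.ip_network(source)
        if first <= SIP_PORT <= last:
            sip_forwarded = True
            # Signaling should be reachable from the carrier only.
            if not src.subnet_of(CARRIER):
                findings.append(f"port {SIP_PORT} open to {src}, not just the carrier")
            if first != last:
                findings.append(f"signaling rule spans {first}-{last}")
        elif proto == "udp":
            media_ports += last - first + 1
    needed = simultaneous_calls * PORTS_PER_CALL
    if not sip_forwarded:
        findings.append(f"no rule forwards port {SIP_PORT}")
    # The RTP range is sized to the expected call volume: too few ports
    # drops calls, too many leaves unused ports forwarded.
    if media_ports < needed:
        findings.append(f"{media_ports} RTP ports forwarded, {needed} needed")
    elif media_ports > needed:
        findings.append(f"{media_ports} RTP ports forwarded, only {needed} needed")
    if sip_alg_enabled:
        findings.append("SIP ALG is enabled")
    return findings


if __name__ == "__main__":
    for name, table, alg in (("wide open", WIDE_OPEN, True), ("scoped", SCOPED, False)):
        print(name, audit(table, simultaneous_calls=10, sip_alg_enabled=alg))
```

Adjust `PORTS_PER_CALL` to whatever your PBX documentation specifies before relying on the range check.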

The Problem with SIP ALG

An application layer gateway, or ALG, is a proxy service that works much like a doorman. It decides which incoming packets from common protocols like FTP, RTSP, and SIP are allowed through. With SIP, when a connection is requested, the ALG receives it first, inspects the incoming packets, and then hands them off to the destination inside your network. Sounds secure, right? It is. But there are problems. The two most important criteria for SIP firewall security are security and sending/receiving calls. Losing one for the other isn't an option.

While SIP ALG is meant to make your network easier to secure, it is often poorly designed and implemented. Because SIP ALG inspects the SIP packets before they are delivered to the client, it can sometimes modify packets. SIP, like HTTP, is a text-based protocol, so any alteration in its syntax can cause errors. Consider what would happen if you removed the colon from the address https://voxtelesys.com. The connection would fail. The same is true for SIP. Any alteration of the SIP header can corrupt the packets and make them unreadable, causing a failure in communication.

Many firewalls and routers come with SIP ALG already enabled (NOTE: Cisco calls this SIP Fix Up). It is recommended to disable SIP ALG for proper SIP firewall security and operation.

How to Disable SIP ALG

Before you proceed, all network changes should be approved by the network administrator. Settings for SIP ALG are generally found in a router’s admin panel. However, every router is different and it is recommended to check your device's manufacturer support documentation. We have put together a list of common routers with links and instructions, which you can download here. If a specific router is not included, check the manufacturer’s support documentation.

SIP Providers and SIP Firewall Security

While SIP trunking grows in popularity, finding a stable and reliable network security solution is still challenging for SMBs.  Due to the various firewalls and the many providers in the field, most SIP providers don’t support firewalls.  Essentially, a business is responsible for its own SIP firewall security, including all updates and changes.  If you are unsure about configuring your firewall or are worried about security, we recommend hiring a network expert. This issue is too important to learn as you go.

With the right SIP firewall security, you can be assured the virtual front door of your business isn’t left open. Better yet, you won't lose call volume or call quality.

If you’re looking for more information on finding the right SIP trunking or end-to-end IP PBX solution for your business, click here.
