Port Forwarding for SIP


Port forwarding is a hole in your firewall.

In an attempt to overcome NAT issues, many IP-PBX and ITSP vendors recommend “port forwarding” all UDP and TCP traffic on port 5060 (the SIP signaling port), plus a range of thousands of media ports, from the NAT firewall to the IP-PBX. This is not a good idea at all, as it opens the network to security risks. Port forwarding is a hole in your firewall: it now forwards ALL UDP and TCP traffic on those ports to the IP-PBX. That traffic does not have to be SIP at all; it can be anything a malicious hacker sends at those ports while attempting to gain access to your network.

Better products monitor the SIP signaling port (5060) and apply routing rules and processing policies only to traffic that is actually SIP; all other UDP/TCP traffic is discarded rather than forwarded to the IP-PBX. In addition, these SIP-aware firewalls dynamically open and close media ports based on the negotiated SIP session: they read the media ports agreed in the signaling (the SDP offer and answer), open only those ports for the duration of the call, and route the media accordingly.

These firewalls can also fix far-end NAT devices. If there is a SIP device behind a remote NAT device, the Ingate (with its Remote SIP Connectivity software module) can correct all of the SIP signaling traffic from the remote SIP device, and ensure ports remain open for future SIP signaling and media.
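To make the two mechanisms above concrete (the SIP-only gate with dynamic media pinholes, and the far-end NAT repair), here is an added illustration in Python. It is not code from the original article or from Ingate's product; it models one common way such a firewall behaves. The INVITE, the SDP offer and the non-SIP datagram are constructed samples, the public address 203.0.113.7:40001 is an assumed observed source, and the function names are hypothetical. The Via handling follows RFC 3581 (received/rport); Contact and SDP c= lines are rewritten to the observed address, which is the assumption this example makes about how far-end NAT traversal repairs signaling.

```python
import ipaddress
import re

# Constructed sample: a SIP INVITE with an SDP offer, as a SIP-aware firewall
# would see it arrive on UDP 5060 from a phone behind a remote NAT. The private
# addresses in Via, Contact and the SDP are exactly what that NAT hides.
_SDP_BODY = (
    "v=0\r\n"
    "o=bob 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 192.168.1.21\r\n"  # media-level c= overrides the session-level one
)
SAMPLE_INVITE = (
    "INVITE sip:alice@pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:bob@example.test>;tag=1928301774\r\n"
    "To: <sip:alice@pbx.example.test>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:bob@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(_SDP_BODY)}\r\n\r\n" + _SDP_BODY
)
# Constructed non-SIP junk: a blanket "forward UDP 5060" rule hands this to the PBX too.
SAMPLE_JUNK = b"\x00\x01\x02GET / HTTP/1.1\r\n\r\n"

_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ SIP/2\.0\r\n")
_STATUS_LINE = re.compile(rb"^SIP/2\.0 \d{3} ")
_HOSTPORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def looks_like_sip(datagram: bytes) -> bool:
    """Syntactic gate: only a SIP request or status line is eligible for forwarding."""
    return bool(_REQUEST_LINE.match(datagram) or _STATUS_LINE.match(datagram))


def is_rfc1918(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in _RFC1918)


def split_message(text: str):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    return lines[0], headers, body


def fix_far_end_nat(text: str, observed_ip: str, observed_port: int) -> str:
    """Far-end NAT repair (assumed behaviour): where Via, Contact or SDP c= carry an
    RFC 1918 address, record or substitute the address the packet really came from,
    so responses, later in-dialog requests and media reach the remote device.
    Via keeps the client's value and gains received/rport (RFC 3581)."""
    public = f"{observed_ip}:{observed_port}"
    head, _, body = text.partition("\r\n\r\n")
    new_body = "\r\n".join(
        f"c=IN IP4 {observed_ip}" if l.startswith("c=IN IP4 ") and is_rfc1918(l.split()[-1]) else l
        for l in body.split("\r\n"))
    out = []
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key == "content-length":
            continue  # re-added below, since the rewritten body may change length
        m = _HOSTPORT.search(value)
        if m and is_rfc1918(m.group(1)):
            if key == "via":
                line += f";received={observed_ip};rport={observed_port}"
            elif key == "contact":
                line = f"{name}:{_HOSTPORT.sub(public, value, count=1)}"
        out.append(line)
    if new_body:
        out.append(f"Content-Length: {len(new_body)}")
    return "\r\n".join(out) + "\r\n\r\n" + new_body


def negotiated_media_pinholes(sdp: str):
    """Return the (ip, port) pairs to open for this SDP: each m= line's RTP port
    plus its RTCP port (RTP+1), using the media-level c= if present, else the
    session-level one. Everything else on the media range stays closed."""
    session_ip, streams, current = None, [], None
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            if current is None:
                session_ip = line.split()[-1]
            else:
                current["ip"] = line.split()[-1]
        elif line.startswith("m="):
            if current is not None:
                streams.append(current)
            current = {"ip": session_ip, "port": int(line.split()[1])}
    if current is not None:
        streams.append(current)
    return [(s["ip"], s["port"] + off) for s in streams for off in (0, 1)]


def process_datagram(datagram: bytes, src_ip: str, src_port: int):
    """What the SIP-aware path does instead of blind port forwarding: drop anything
    on 5060 that is not SIP, repair far-end NAT artefacts in what remains, and derive
    the media pinholes from the SDP. Returns None (drop) or (message, pinholes)."""
    if not looks_like_sip(datagram):
        return None
    fixed = fix_far_end_nat(datagram.decode("utf-8", errors="replace"), src_ip, src_port)
    _, headers, body = split_message(fixed)
    pinholes = negotiated_media_pinholes(body) if headers.get("content-type") == "application/sdp" else []
    return fixed, pinholes
```

Run `process_datagram(SAMPLE_INVITE.encode(), "203.0.113.7", 40001)` to see the repaired INVITE and the four pinholes (RTP and RTCP for audio and video) that would be opened for this call only; feed it `SAMPLE_JUNK` and it returns `None`, which is the datagram a plain port-forward rule would have delivered to the PBX. A production device additionally closes the pinholes on BYE or timeout and learns the real RTP source port from the first media packet, since the remote NAT may change it.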

It’s a cost-effective solution, as it removes the requirement for a SIP-aware firewall at each remote location, while also allowing traveling SIP users, remote workers and satellite offices to reach the main office no matter where they are.