[SR-Users] SIP Security Architectural Question to Use RTP/Media Proxy or Not?

[Jr Richardson]

Hi All,

Background:
We are a service provider offering VoIP/Data services to business
customers.  All hosted VoIP systems and Customers are mostly on-net,
VoIP systems not exposed to the Internet, but all hosted PBX's do have
public IP address.  I do have some Customers with off-net phones/users
so I basically white list their IP's so the phones can register back
to their hosted PBX.  This works well and keeps SIP attack vectors to
a minimum.  I've been working on a single point of registration
Kamailio server to backend PBX's so I can further control public
Internet access to hosted PBX's.  I've got this working in the lab but
have some concerns about RTP streams.

I know I can use a RTP/Media Proxy to also have a single point of
entry for media streams to the the backend PBX's but don't believe
this to be the best method.  Researching SBC's and what I know about
SIP and RTP Streams, it's best to have media controlled via the B2BUA
(Asterisk in this case) and since all my hosted PBX's have public IP's
there would be no compelling reason to proxy RTP adding another hop,
latency and point of failure other than for security.  I'm not
transcoding media or doing anything outside of the capability of the
B2BUA as far as media goes.

Question:
Would it be prudent to open UDP media ports from Internet to PBX's on
a case-by-case basis, basically white listing media streams or is
there any attack vulnerability with UDP in the media port range or
should I open up media port range to all PBX's and not worry about
attacks.  Are there any UDP Media exploits that I should be concerned
with, or UDP flood attacks that could DOS my hosted PBX's?

Thanks for any feedback.

JR
-- 
JR Richardson
Engineering for the Masses