General Guidelines
It's crucial that you separate trusted from un-trusted networks:
■ Separate un-trusted networks from trusted networks by using different SRDs, IP Groups, SIP Interfaces, and SIP Media Realms (with limited port range).
■ Similarly, separate un-trusted networks from one another. In particular, far-end users must be separated from the ITSP SIP trunk, using a different SRD, IP Group, SIP Interface, and Media Realms. This separation helps prevent attacks targeting far-end user ports from affecting other users.
■ For un-trusted networks, use strict classification rules over vague rules. For example, if the ITSP's proxy IP address, port and host name are known, then use them in the classification rules. This ensures that all other potentially malicious SIP traffic is rejected.
■ Unclassified packets must be discarded (rejected).
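The last two guidelines can be seen side by side in a small model. This is an added example, not the device's configuration syntax or code: the `Rule` fields, the `classify` function, the IP Group name, and all addresses and host names are constructed for illustration. It compares a strict rule (IP address, port and host name all pinned) with a vague one, and rejects anything no rule matches.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """Hypothetical model of one classification rule (not a device table)."""
    ip_group: str                   # IP Group that matching traffic is assigned to
    src_net: str                    # source prefix; "0.0.0.0/0" means any source
    src_port: Optional[int] = None  # None means any source port
    host: Optional[str] = None      # None means any host name

    def matches(self, src_ip: str, src_port: int, host: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src_net)
                and self.src_port in (None, src_port)
                and (self.host is None or self.host == host.lower()))

def classify(rules, src_ip, src_port, host):
    """Return the IP Group of the first matching rule, or None if unclassified."""
    for rule in rules:
        if rule.matches(src_ip, src_port, host):
            return rule.ip_group
    return None  # unclassified traffic is discarded, never given a default group

# Constructed values: documentation address ranges and an example host name.
STRICT = [Rule("ITSP-Trunk", "203.0.113.10/32", 5060, "sip.itsp.example")]
VAGUE = [Rule("ITSP-Trunk", "0.0.0.0/0")]

SAMPLES = [
    ("203.0.113.10", 5060, "sip.itsp.example"),   # the known ITSP proxy
    ("198.51.100.77", 5060, "sip.itsp.example"),  # unknown source, same host name
    ("203.0.113.10", 5099, "sip.itsp.example"),   # known address, unexpected port
]

def run(rules):
    """Classify every sample; None is reported as REJECT."""
    return [classify(rules, *sample) or "REJECT" for sample in SAMPLES]

if __name__ == "__main__":
    print("strict:", run(STRICT))
    print("vague: ", run(VAGUE))
```

With the strict rule only the first sample reaches the trunk's IP Group; with the vague rule all three do, which is the exposure the guideline is meant to remove.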