...
MPLS networks are usually considered a secure environment. The customer’s virtual routing and forwarding (VRF) instance logically separates the customer’s IP traffic traversing the 46 Labs MPLS network from all other network traffic. When value-added services such as 46 Labs SIP Trunking are added to the customer’s VRF, they are added in a secure manner. Specific to 46 Labs SIP Trunking, the only IP traffic allowed in or out of the Peeredge Switches SBC is the SIP signaling to and from the customer’s configured SIP Trunking devices (i.e., SBCs/PBXs based on IP Address Authentication or SIP Registration) and the associated RTP media streams set up by the SIP signaling for the duration of the call.
...
If the firewall is not fully SIP-aware, it must be configured to allow inbound RTP traffic (UDP ports 5500 to 65000) from the Peeredge Switches SBC for SIP Trunking in the US.
...
If the SBC/PBX has a direct internet-facing interface with a dedicated publicly routable IP address, then typically the SBC/PBX’s inherent firewall capabilities can provide sufficient protection by accepting only TLS-encrypted SIP and Secure RTP media traffic from the Peeredge Switches SBC. In this approach, the SBC/PBX is logically in parallel with any customer firewall protecting their non-voice traffic. If the SBC/PBX does not have any inherent firewall capabilities, this deployment method is not recommended. 46 Labs supports but does not recommend TCP or UDP transport protocols when using Internet transport.
If the SBC/PBX is behind the customer firewall, then any SIP-aware functionality on the firewall should be disabled, and a one-to-one NAT must be configured on the firewall to allow the TLS-encrypted SIP and Secure RTP media traffic to traverse the firewall. Also, the SBC/PBX must be able to support an application layer gateway (ALG) function. This means the SBC/PBX must be able to replace any SBC/PBX IP address in the SIP messages with the public IP address assigned to the SBC/PBX for all SIP messages sent to the Peeredge Switches SBC. For all inbound SIP messages from the Peeredge Switches SBC and for outbound-facing dial-peers, the SBC/PBX IP must be swapped with the public NAT IP in all relevant SIP headers. The Peeredge SBC only communicates with the SBC/PBX via the public NAT IP or FQDN (which resolves to the public IP address).
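One way to verify the address rewriting described above is to scan an outbound SIP message for RFC 1918 addresses left in the request line, headers or SDP. The Python below is an added example, not 46 Labs code; the function name, the sample INVITE and every address in it are constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
COMPACT = {"v": "via", "m": "contact", "f": "from", "t": "to", "i": "call-id"}

def unrewritten_addresses(sip_message):
    """Return (field, ip) for every RFC 1918 address left in a SIP message."""
    head, _, sdp = sip_message.replace("\r\n", "\n").partition("\n\n")
    head = re.sub(r"\n[ \t]+", " ", head)  # unfold continuation lines
    lines = head.split("\n")
    fields = [("request-line", lines[0])]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        fields.append((COMPACT.get(name, name), value))  # expand compact names
    # SDP lines look like "c=IN IP4 10.1.1.50"; report them as "sdp c=".
    fields += [("sdp " + l[:2], l[2:]) for l in sdp.split("\n") if l[1:2] == "="]
    findings = []
    for field, value in fields:
        for token in IPV4.findall(value):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:  # not a valid dotted quad, e.g. 999.1.1.1
                continue
            if any(ip in net for net in RFC1918):
                findings.append((field, token))
    return findings

# Constructed sample (SDP abbreviated): INVITE as the PBX would emit it unrewritten.
# 10.1.1.50 = PBX inside address, 203.0.113.10 = public NAT IP (both assumed).
BEFORE = """INVITE sips:+15551230000@198.51.100.20:5061 SIP/2.0
Via: SIP/2.0/TLS 10.1.1.50:5061;branch=z9hG4bKconstructed1
From: <sips:+15551239999@203.0.113.10>;tag=a1
To: <sips:+15551230000@198.51.100.20>
Call-ID: constructed-call-1@203.0.113.10
CSeq: 1 INVITE
m: <sips:pbx@10.1.1.50:5061>
Content-Type: application/sdp

v=0
o=pbx 1 1 IN IP4 10.1.1.50
c=IN IP4 10.1.1.50
m=audio 20000 RTP/SAVP 0
"""
AFTER = BEFORE.replace("10.1.1.50", "203.0.113.10")  # what correct rewriting yields
print(unrewritten_addresses(BEFORE), unrewritten_addresses(AFTER))
```

An empty result for a message captured on the firewall's outside interface means no inside address survived in the signaling or the SDP.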
...