SCCP-Based VoIP

Introduction to SCCP Security and Connectivity

SCCP (Skinny Client Control Protocol) controls telephony gateways from external call control devices called Call Agents (also known as Media Gateway Controllers).

Connectivity and network level security for SCCP-based VoIP communication is supported. All SCCP traffic is inspected and legitimate traffic is allowed. Attacks are blocked. Other firewall gateway capabilities are supported, such as anti- spoofing and protection against denial of service attacks.

The validity of SCCP message states is verified for all SCCP messages. For a number of key messages, the existence and validity of the message parameters is also verified.

Encrypted Protocol Support

The gateway enables secure connectivity for mixed secure and non-secure SCCP (Skinny) environments. In these environments, phones communicate using encrypted or clear text signaling protocols.

Encrypted protocols prevent traditional firewalls from identifying the secure phones or understanding the encrypted signaling stream. Ports must be kept permanently open for all phones. The gateway guarantees secure connectivity by:

Dynamically identifying the secure phones
Opening ports only for required phones
Closing ports when the call completes

Non-secure SCCP uses TCP port 2000. Secure SCCP uses TCP port 2443. For more on encrypted protocol support, see the section on securing encrypted SCCP.

SCCP Supported Deployments

These SCCP deployments supported:

Call Manager in internal network
Call Manager in the DMZ
Call Manager in external network

Important - NAT on SCCP devices is not supported.

Call Manager in the Internal Network

The IP Phones use the services of a Call Manager in an internal network

Call Manager in an External Network

The IP Phones use the services of a Call Manager on the external side of the gateway. This topology enables using the services of a Call Manager that is maintained by another organization.

Call Manager in the DMZ

The same Call Manager controls both endpoint domains. This topology makes it possible to provide Call Manager services to other organizations.

Configuring SCCP Connectivity and Security

This section explains how to configure security rules that allow SCCP calls through the gateway. After the Rule Base is configured, all SCCP communication is fully secured by IPS.

General Guidelines for SCCP Security Rule Configuration

SCCP has a centralized call-control architecture. The CallManager manages SCCP clients (VoIP endpoints), which can be IP Phones or Cisco ATA analog phone adapters. The CallManager controls all the features of the endpoints. The CallManager requests data (such as station capabilities) and sends data (such as the button template and the date/time) to the VoIP endpoints.

The CallManagers are defined in SmartDashboard, usually as Host objects. The networks containing directly-managed IP Phones are also defined in SmartDashboard. Usually it is not necessary to define network objects for individual phones. Cisco ATA devices that are managed by a CallManager must be defined in SmartDashboard, but the connected analog phones are not defined.

SCCP-Specific services

These predefined SCCP services are available:

Service	Purpose
TCP:SCCP	Used for SCCP over TCP
TCP:Secure_SCCP	Used for encrypted SCCP over TCP
Other:high_udp_for_secure_SCCP	Used for media from Secure SCCP phones

Securing Encrypted SCCP

To secure encrypted SCCP, use these services in the Security Rule Base:

TCP:Secure_SCCP
You must create this service in SmartDashboard by:
1. Opening Manage > Services > New > TCP.
  The Advanced TCP Service Properties window opens.
2. Setting the Name to: Secure_SCCP.
3. Setting the port to: 2443.
4. Clicking Advanced.
  The Advanced TCP Service Properties window opens.
5. Setting the Protocol Type to: Secure_SCCP_Proto.
Other:high_udp_for_secure_SCCP

When an SCCP phone is turned on and identified as Secure SCCP, the phone's IP address is added to the database of secure SCCP phones.

When RTP traffic arrives at the gateway, it is allowed only if the source or destination is in the database of secure SCCP phones.

Configuring the Rule Base for SCCP

To allow VoIP calls, you must create rules that let VoIP control signals pass through the gateway. It is not necessary to define a media rule that specifies which ports to open and which endpoints can talk. The gateway derives this information from the signaling. For a given VoIP signaling rule, the gateway automatically opens ports for the endpoint-to-endpoint RTP/RTCP media stream.

Important - Before configuring security rules for SCCP, makes sure that anti-spoofing is configured on the gateway interfaces.

To configure the Rule Base for secure SCCP-based VoIP:

Define Network objects (Nodes or Networks) for SCCP endpoints (Cisco ATA devices or IP Phones) controlled by the CallManagers.
Define a host object for the CallManager.
Define the SCCP security rules.
Define other rules for SCCP and the other VoIP protocols. (SCCP interoperates with other VoIP protocols.)
This rule let all phones in Net_A and Net_B make calls to each other:

Source

Destination

Service

Action

Comment

Net_A

Net_B

Call_Manager

Net_A

Net_B

Call_Manager

SCCP

Incoming and Outgoing calls

Net_A is the internal IP phone network
Net_B is the external IP phone network
The CallManager (Call_Manager) can be in:
- The internal or external network
- A DMZ connected to a different interface of the gateway.

To secure encrypted SCCP over TCP connections:
1. Create an identical rule
2. In the Service cell, add only:
  - TCP:Secure_SCCP
  - Other:high_udp_for_secure_SCCP.
Install the policy.

Top of Page

Download Complete PDF

Send Feedback