FIBERME Communications LLC FAP26xx Series Security Manual

Page 16

SECURITY GUIDELINES FOR FAP DEPLOYMENT 

 

The FAP is often deployed behind NAT. The network administrator can consider the following security guidelines so that the FAP works properly and securely.

 

 

Turn off SIP ALG on the router

On the customer's router, it is recommended to turn off SIP ALG (Application Layer Gateway). SIP ALG is common in many routers and is intended to prevent problems caused by router firewalls by inspecting VoIP packets and modifying them where necessary. Even though SIP ALG is meant to help VoIP devices, it is often implemented imperfectly: in some cases it rewrites SIP packets improperly, which can cause VoIP devices to fail to register or to establish calls. When SIP signaling is carried over TLS (see below) the ALG cannot parse it at all, so disabling the ALG removes a source of breakage without reducing protection.

 

 

Use TLS and SRTP for SIP calls

On the FAP, it is recommended to use TLS as the SIP transport protocol, with the "sips" URI scheme, so that SIP signaling is encrypted, and to use SRTP for media encryption.

The SIP and RTP ports used on the FAP are listed below for network administrators who need to create firewall rules.

 

- Under Web UI > Account x > SIP Settings > Basic Settings, the option "Local SIP Port" defines the local SIP port used to listen and transmit. When the SIP transport protocol is UDP/TCP, the default value is 5060 for Account 1, 5062 for Account 2, 5064 for Account 3, 5066 for Account 4, and so on. When the SIP transport protocol is TLS, the default value is 5061 for Account 1, 5063 for Account 2, 5065 for Account 3, and so on (the UDP/TCP port plus 1). The valid range is 1 to 65535.

 

- Under Web UI > Settings > General Settings, the option "Local RTP Port" defines the local RTP port used to listen and transmit. The local RTP port ranges from 1024 to 65400 and must be even. It is the base RTP port for channel 0: when configured, channel 0 uses port_value for RTP and port_value+1 for RTCP, channel 1 uses port_value+2 for RTP and port_value+3 for RTCP, and so on until the limit is reached, after which allocation wraps back to port_value. The default value is 5004 for RTP and 5005 for RTCP.

For the FAP26XX phones, the size of the Local RTP port range can be selected from 48 to 10000. The default setting is 200.

 

Note: On the customer's firewall, it is recommended to ensure that the SIP port is opened for each SIP account configured on the FAP. It is not necessary to expose the default ports 5060/5062/… on the firewall; instead, the network administrator can map a different external port on the firewall to the FAP's SIP port 5060. Port mapping only reduces exposure to scanners probing the well-known port; it is not a substitute for TLS, SRTP and strong account credentials.
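Worked example (added here; it is not code from the FIBERME manual or the FAP firmware): a Python helper that derives the SIP and RTP/RTCP port layout described above for a given number of accounts and call channels, and emits the matching nftables rules for a Linux router in front of the FAP, including the non-default external port mapping suggested in the note. The FAP address 192.0.2.10, the external SIP port 15060, the nftables table and chain names, and the assumption that "reaching the limit" means the end of the configured RTP range are all assumptions, not values from the manual.

```python
"""Derive the FAP's SIP/RTP port layout and emit nftables rules for a Linux router.

Added example, not code from the FIBERME manual or the FAP firmware.  The port
arithmetic follows the manual: UDP/TCP SIP port = 5060 + 2*(account-1), TLS port
= UDP/TCP port + 1; the RTP base port is even, channel n uses base + 2n for RTP
and base + 2n + 1 for RTCP, wrapping back to the base when the range is used up.
Assumptions (not in the manual): the FAP address, the external SIP port used for
the DNAT mapping, the nftables table/chain layout, and that "reaching the limit"
means base + range - 1.
"""
from typing import Optional

SIP_BASE_PORT = 5060       # manual: Account 1 default for UDP/TCP transport
DEFAULT_RTP_BASE = 5004    # manual: default Local RTP Port (RTCP = 5005)
DEFAULT_RTP_RANGE = 200    # manual: FAP26XX default range size (48..10000)


def sip_port(account: int, tls: bool = False) -> int:
    """Local SIP port for Account `account` (1-based); TLS uses the UDP/TCP port + 1."""
    if account < 1:
        raise ValueError("accounts are numbered from 1")
    port = SIP_BASE_PORT + 2 * (account - 1) + (1 if tls else 0)
    if not 1 <= port <= 65535:                  # manual: valid range 1..65535
        raise ValueError(f"port {port} outside 1..65535")
    return port


def rtp_ports(channel: int, base: int = DEFAULT_RTP_BASE,
              rtp_range: int = DEFAULT_RTP_RANGE) -> tuple:
    """(RTP, RTCP) ports for `channel` (0-based), wrapping inside the configured range."""
    if base % 2 or not 1024 <= base <= 65400:   # manual: even, 1024..65400
        raise ValueError("RTP base port must be even and within 1024..65400")
    if not 48 <= rtp_range <= 10000:            # manual: FAP26XX range 48..10000
        raise ValueError("RTP range must be within 48..10000")
    slots = rtp_range // 2                      # assumption: each channel consumes 2 ports
    rtp = base + 2 * (channel % slots)
    return rtp, rtp + 1


def nft_rules(fap_ip: str, accounts: int, channels: int, tls: bool,
              external_sip_port: Optional[int] = None,
              rtp_base: int = DEFAULT_RTP_BASE,
              rtp_range: int = DEFAULT_RTP_RANGE) -> list:
    """nftables rules admitting only the FAP's SIP and RTP/RTCP ports to `fap_ip`."""
    if channels < 1:
        raise ValueError("at least one call channel is needed")
    proto = "tcp" if tls else "udp"            # TLS rides on TCP; default transport is UDP
    sip_ports = [sip_port(a, tls) for a in range(1, accounts + 1)]
    lo = rtp_ports(0, rtp_base, rtp_range)[0]
    hi = rtp_ports(min(channels, rtp_range // 2) - 1, rtp_base, rtp_range)[1]
    rules = [
        "add table inet fap",
        "add chain inet fap forward { type filter hook forward priority 0; policy drop; }",
        "add rule inet fap forward ct state established,related accept",
        f"add rule inet fap forward ip daddr {fap_ip} {proto} dport "
        f"{{ {', '.join(map(str, sip_ports))} }} accept",
        f"add rule inet fap forward ip daddr {fap_ip} udp dport {lo}-{hi} accept",
    ]
    if external_sip_port is not None:          # manual's hint: expose a non-default port
        rules += [
            "add table ip fapnat",
            "add chain ip fapnat prerouting { type nat hook prerouting priority -100; }",
            f"add rule ip fapnat prerouting {proto} dport {external_sip_port} "
            f"dnat to {fap_ip}:{sip_ports[0]}",
        ]
    return rules


if __name__ == "__main__":
    # Constructed sample: 2 accounts over TLS, 4 concurrent channels, FAP at 192.0.2.10
    for line in nft_rules("192.0.2.10", accounts=2, channels=4, tls=True,
                          external_sip_port=15060):
        print(line)
```

The forward chain is written with a default drop policy so that only the derived SIP and RTP/RTCP ports reach the FAP; on a router that also forwards other traffic, merge these rules into the existing chain rather than loading them as-is. The RTP range in the accept rule is sized from the number of channels actually in use, which keeps the opened UDP window as small as the allocation described above allows.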

 

 
