Channel: ESI - Technical Support Center

SIP security best practices advisory, Technical update 334

The purpose of this bulletin is to set forth a set of best practices when preparing a site to utilize SIP trunks.

The root cause of hacked calls is an attack on the system by hackers: individuals or groups using sophisticated scanning and assault tools that constantly sweep the internet for systems open to attack. The goal of these attacks is either to gain access to a system or to crash it. When attempting to break into a PBX, these attacks usually take the form of unexpected SIP INVITE messages. If the PBX responds, even with a call rejection, the hacker then knows that the system is capable of interpreting SIP messages, and the attacks escalate. The unfortunate effect of these attacks is that the system becomes consumed trying to process these fake calls, resulting in calls with no Caller ID, calls that cannot be answered, and other presentations of a non-existent call. These calls are not a failure of the PBX, but rather a side effect of the hacker's attempts to gain access to the PBX.

The best method of dealing with hackers is prevention: ensuring that the PBX is protected from incoming attacks and that any connectivity which must be exposed is reachable only by authorized personnel. The best way to implement such protection is to configure a proper firewall, either in a dedicated firewall system or, more commonly, in the main internet router. The firewall configuration best practices for ESI SIP services users, as well as for ESI PBX systems using ESI SIP services, are discussed below.

ESI SIP services use the following IP addresses to send traffic to your PBX:

  • ESI SIP trunks (Los Angeles, lasas.vintalk.com) — 64.94.105.128 through 64.94.105.255, netmask 255.255.255.128
    • hosts 64.94.105.129 - 64.94.105.254
  • ESI SIP trunks (New York, nysas.vintalk.com) — 75.98.35.128 through 75.98.35.255, netmask 255.255.255.128
    • hosts 75.98.35.129 - 75.98.35.254
  • ESI SIP trunks (New York, nysas.vintalk.com) — 75.98.65.0 through 75.98.65.255, netmask 255.255.255.0
    • hosts 75.98.65.1 - 75.98.65.254

Additionally, the following address is used to connect to your ESI PBX, ESI Voice Router, or other supported equipment during troubleshooting:

  • ESI Technical Support — 209.163.177.128, netmask 255.255.255.224
    • hosts 209.163.177.129 - 209.163.177.158
  • ESI Technical Support — 192.64.95.0, netmask 255.255.255.0
    • hosts 192.64.95.1 - 192.64.95.254
    • hosts 72.172.86.35 and 64.250.180.42

The firewall should allow the following traffic from these addresses for ESI SIP services:

  • Allow ICMP from both NY and LA ranges and the Technical Support IP
  • Allow UDP and TCP on port 5060 for both NY and LA ranges
  • Allow UDP on port range 10000 to 11000 for both NY and LA
  • Allow TCP on ports 22, 80, 443, 2222, 8080, 8443, 59002 for both NY and LA ranges and the Support Center IP
    • Please note that ports 2222, 8080 and 8443 are alternate ports for 22, 80 and 443.
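The allow list above, expressed as a checkable policy, as an added example that is not part of ESI's bulletin or products. It encodes the bulletin's address ranges (netmasks written as prefix lengths) and port rules in a default-deny inbound policy, and then runs that policy over a few constructed log lines in a hypothetical `src= proto= dport=` format to flag SIP traffic arriving from outside the trunk ranges, which is exactly the unexpected INVITE traffic the bulletin describes. The 203.0.113.9 source is a constructed documentation address, not a real indicator.

```python
import ipaddress
import re

# Bulletin's source networks; prefix lengths are its netmasks (.128=/25, .224=/27, .0=/24).
ESI_SIP_NETS = [ipaddress.ip_network(n) for n in (
    "64.94.105.128/25",  # Los Angeles, lasas.vintalk.com
    "75.98.35.128/25",   # New York, nysas.vintalk.com
    "75.98.65.0/24",     # New York, nysas.vintalk.com
)]
ESI_SUPPORT_NETS = [ipaddress.ip_network(n) for n in (
    "209.163.177.128/27", "192.64.95.0/24", "72.172.86.35/32", "64.250.180.42/32",
)]
MGMT_TCP_PORTS = {22, 80, 443, 2222, 8080, 8443, 59002}  # 2222/8080/8443 are alternates
RTP_UDP_PORTS = range(10000, 11001)                      # 10000 to 11000 inclusive

def in_nets(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def allowed(src: str, proto: str, dport: int = 0) -> bool:
    """Default-deny (assumed) inbound policy built from the bulletin's allow rules."""
    from_sip = in_nets(src, ESI_SIP_NETS)
    from_support = in_nets(src, ESI_SUPPORT_NETS)
    if proto == "icmp":
        return from_sip or from_support
    if proto == "tcp" and dport in MGMT_TCP_PORTS:
        return from_sip or from_support
    if dport == 5060 and proto in ("udp", "tcp"):
        return from_sip  # SIP signalling only from the trunk ranges
    if proto == "udp" and dport in RTP_UDP_PORTS:
        return from_sip  # RTP media only from the trunk ranges
    return False

# Constructed sample log lines in a hypothetical "src= proto= dport=" format.
SAMPLE_LOG = [
    "t=1 src=64.94.105.200 proto=udp dport=5060",   # legitimate LA trunk
    "t=2 src=203.0.113.9 proto=udp dport=5060",     # unexpected INVITE probe
    "t=3 src=209.163.177.130 proto=tcp dport=443",  # support access
    "t=4 src=203.0.113.9 proto=udp dport=5060",     # repeat from same source
]
LOG_RE = re.compile(r"src=(\S+) proto=(\w+) dport=(\d+)")

def unexpected_sip_sources(log_lines):
    """Sources that sent SIP (port 5060) from outside the ESI trunk ranges."""
    flagged = []
    for m in filter(None, map(LOG_RE.search, log_lines)):
        src, proto, dport = m.group(1), m.group(2), int(m.group(3))
        if dport == 5060 and not allowed(src, proto, dport) and src not in flagged:
            flagged.append(src)
    return flagged
```

Any source returned by `unexpected_sip_sources` is traffic the firewall should already be dropping; seeing it in PBX logs means the allow list is not in place or has drifted.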

The following services must be forwarded for ESI SIP services to function:

  • Port 5060 must be forwarded to the PBX's SIP IP address for both inbound and outbound traffic
  • Ports 10000 to 11000 must be forwarded to the PBX’s Media (RTP) IP address
  • Port 22 should forward to the ASC or SIP card for Technical Support access (ESI PBX systems only)
  • Port 443 should forward to the NSP for Technical Support access (ESI IP Server 900 systems only)

These URLs should be opened for Fax to Fax and Virtual Fax using ports 443 and 8090:

  • https://nsps02.faxsipit.com
  • https://ata1.pangea-comm.com
  • https://faxata.com

Finally, the following global rules must be observed in the firewall:

  • SIP ALG must be disabled
  • NAT Traversal must be enabled in the PBX if the system is used behind the firewall

This kind of functionality requires a business-grade router; however, there are some limited ways in which lower-end routers can still provide some measure of security against attacks. It is possible to move SIP services from the standard UDP port 5060 to a different port, such as 5065. This is only limited protection, however, as many port scanners will eventually locate the new port and allow the hacker to target the router. In situations where the customer is using a low-end router, ESI highly recommends installing an ESI Voice Router. For more information on the ESI Voice Router, contact your ESI sales representative.
