SIP security best practices advisory, Technical update 334
Posted by Bob Russo on 21 June 2018 09:11 AM

The purpose of this bulletin is to set forth a set of best practices when preparing a site to utilize SIP trunks.


The root cause of hacked calls is an attack on the system by hackers; individuals or groups using sophisticated scanning and assault tools constantly monitoring the Internet to find systems open to attack. The goal of these attacks is to either find access to a system or crash it. When attempting to break into a PBX, these attacks usually come in the form of unexpected SIP INVITE messages. If the PBX responds, even with a call rejection, the hacker then knows that the system is capable of interpreting SIP messages and the attacks escalate. The unfortunate effect of these attacks is that the system becomes consumed trying to process these fake calls, resulting in calls with no Caller ID, calls that can’t be answered, and other such presentations of a non-existent call. These calls are not a failure of the PBX, but rather an unfortunate side effect of the hacker’s attempts to gain access to the PBX.


The best method of dealing with hackers is prevention; ensuring that the PBX is protected from incoming attacks and that any exposed connectivity is exposed only to authorized personnel. The best method to implement such protection is to configure a proper system firewall either in a dedicated firewall system or, more commonly, in the main Internet router. The best practices for firewall configuration for ESI SIP Services users as well as ESI PBX systems using ESI SIP Services are discussed below.


ESI SIP Services use the following IP addresses to send traffic to your PBX:

  • ESI SIP trunks (LosAngeles,, - network address,netmask
    • Hosts - 94.105.254
  • ESI SIP trunks (New York,, — network address,netmask
    • Hosts - 98.35.254
  • ESI SIP Service (New York,, — network address,netmask
    • hosts -
  • ESI SIP trunks (Plano,, — network address,netmask
    • Hosts -

Additionally, the following addresses are used to connect to the ESI PBX or other supported equipment during troubleshooting:

  • ESI Technical Support 1 — network address,netmask 255.255.0
    • Hosts - 64.95.254

The following external (public side) ports should be allowed through the firewall for ESI SIP Services:

  • Allow ICMP from the NY, LA, Plano and Technical Support networks
  • Allow UDP and TCP on port 5060 from both NY,LA and Plano networks
  • Allow UDP on port range 10000 to 11000 from both NY,LA and Plano networks
  • Allow TCP on ports 22, 443 and 59002 from Technical Support


Note: If ports 22 and 443 are already in use, alternate external port numbers can be used, however they should be mapped to the internal (private side) ports 22 and 443 of the ESI PBX

The following services must be forwarded for ESI SIP Services to function:

  • UDP port 5060 must be forwarded to PBX’s SIP IP address both for inbound and outbound
  • UDP ports 10000 to 11000 must be forwarded to the PBX’s Media (RTP) IP address
  • TCP port 22 or its alternate number must be forwarded to the ASC or SIP card IP address for Technical Support access (ESI PBX systems only)
  • If using the alternate external port number, it must map to port number 22 of the ESI PBX
  • TCP port 443 or its alternate number should forward to the local PBX IP for Technical Support access  (ESI IP Server 900 systems only)
  • If using the alternate external port number, it must map to port number 443 of the PBX


These URL’s should be opened for Fax to Fax and Virtual Fax using ports 443 and 8090:



For modem, firewall and switch configuration, the following settings are necessary for optimum performance of the SIP trunks:

  • The modem is configured to be in bridge mode. This ensures the modem just passes the traffic straight through to the firewall or router from the Internet Service Provider (ISP) without performing any other actions on the packets.  This way the firewall or router performs traffic management, Quality of Service (QoS) and other actions on the traffic, not the modem.
  • The firewall or router has bandwidth management (BWM) enabled on the Wide Area Network (WAN) interface upload/uplink to limit total upload bandwidth to the upload speed recorded after four or five consistency/streaming speed tests are performed to get a baseline of the actual consistent service bandwidth. This is important as QoS uses the interface bandwidth value to determine its prioritization of traffic.  If the bandwidth value is set too high and the upstream ISP link (especially on cable networks) is less due to usage congestion, QoS can send the prioritized traffic faster than the ISP can receive and it is dropped by the ISP network.  Therefore, a bit of a buffer is necessary to keep this from happening due to actual bandwidth fluctuations.  When conducting speed tests, use a site that uses a consistency, or streaming, speed test.  A good one to use is using the manual test with the 100 MB size - this gives a longer duration test that lasts over the burst time that a provider may allow.
  • The firewall or router has voice traffic outbound to ESI servers prioritized using either the network address, IP address range, by Differentiated Services Code Point (DSCP) values (24 and 46) or by protocol type - Session Initiation Protocol (SIP) and Real-time Transport Protocol (RTP). If using ESI network ranges to base the prioritization of traffic, both network ranges should be configured in the firewall to ensure service continuity in case of failover.
  • The firewall or router feature SIP Application Layer Gateway (ALG) is disabled or turned off. This can also be called SIP Helper, SIP Inspect, SIP NAT Helper, SIP Passthrough or SIP Transformation depending on the manufacturer of the firewall or router.
  • The firewall or router User Datagram Protocol (UDP) session timeout is set to 300 seconds. This is the time the firewall waits to sense no traffic activity before closing a particular UDP port.  Some modem, firewall and router manufacturers set this timer to 10 seconds or less by default.
  • The firewall or router Domain Name System (DNS) servers are set to Google ( or some other public servers not run by the ISP. In some cases, timing issues such as phone registration, Busy Lamp Function (BLF) or call setup lag time can be improved by using well known public servers such as Google (  Using a local DNS server or one provided by the ISP may not provide a fast enough lookup.  While this does not affect every call, it can contribute to registration and audio quality issues if the network latency is borderline.
  • The switch is a managed switch. Managed switches are preferable to unmanaged switches for the reason of QoS functionality and troubleshooting.
  • The managed switch is configured to enable the DSCP to Class of Service (CoS) mapping function. The mapping is configured to put DSCP values 24 and 46 into the CoS 5 category if they are not so by default.
  • The managed switch is configured to trust the DSCP value on the ports to which ESI equipment is connected.
  • The ESI PBX must have NAT Traversal enabled if the system is behind the firewall.


This kind of functionality requires a business-grade firewall/router. However, there are some limited ways in which lower-end routers can still allow some measure of security against attacks. It is possible to shift SIP services to a different UDP port from the standard 5060, such as moving to port 5065.  This is only a limited protection, however, as there are many port scanners that will eventually locate and allow the hacker to target the router.  In situations where the customer is using a low-end router, ESI highly recommends installing a SimpleWan firewall.  For more information on the SimpleWan firewall contact your ESI sales representative.



 tech_334_revF.pdf (58.40 KB)
(5 votes)
This article was helpful
This article was not helpful

Comments (0)
Help Desk Software by Kayako