CHAPTER 14 Security
Mediant 4000 SBC | User's Manual
■ Limit traffic to a user-defined rate (blocking the excess)
■ Limit traffic to specific protocols and specific port ranges on the device
For each packet received on the network interface, the device searches the table from top to bottom until the first matching rule is found. The matched rule can permit (allow) or deny (block) the packet. Once a rule in the table is located, subsequent rules further down the table are ignored. If the end of the table is reached without a match, the packet is accepted.
● The rules configured by the Firewall table apply to a very low-level network layer and override all other security-related configuration. Thus, if you have configured higher-level security features (e.g., on the Application level), you must also configure firewall rules to permit this necessary traffic. For example, if you have configured IP addresses to access the device's Web and Telnet management interfaces in the Access List table (see Configuring Web and Telnet Access List), you must configure a firewall rule that permits traffic from these IP addresses.
● Only users with Security Administrator or Master access levels can configure firewall rules.
● The device supports dynamic firewall pinholes for media (RTP/RTCP) traffic negotiated in the SDP offer-answer of SIP calls. The pinhole allows the device to ignore its firewall and accept the traffic on the negotiated port. The device automatically closes the pinhole once the call terminates. Therefore, it is unnecessary to configure specific firewall rules to allow traffic through specific ports. For example, if you have configured a firewall rule to block all media traffic in the port range 6000 to 7000 and a call is negotiated to use the local port 6010, the device automatically opens port 6010 to allow the call.
● Setting the 'Prefix Length' field to 0 means that the rule applies to all packets, regardless of the IP address defined in the 'Source IP' field. Thus, it is highly recommended to set the parameter to a value other than 0.
● It is recommended to add a rule at the end of your table that blocks all traffic and to add firewall rules above it that allow required traffic (with bandwidth limitations). To block all traffic, use the following firewall rule:
✔ Source IP: 0.0.0.0
✔ Prefix Length: 0 (i.e., rule matches all IP addresses)
✔ Start Port - End Port: 0-65535
✔ Protocol: Any
✔ Action Upon Match: Block
● If the device needs to communicate with AudioCodes OVOC, you must also add rules to allow incoming traffic from OVOC. For more information, see Firewall Rules to Allow Incoming OVOC Traffic.
● If you are using the High Availability feature and you have configured "block" rules, ensure that you also add "allow" rules for HA traffic. For more information, see Configuring Firewall Allowed Rules.
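The following added example (not AudioCodes code) models the first-match evaluation described above: rules are checked top to bottom, the first match decides, and reaching the end of the table accepts the packet. It assumes the port range is matched against the packet's destination port on the device, and uses constructed rule tables to show why a Prefix Length of 0 widens a rule to every source and why a final block-all rule is needed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """One row of the Firewall table (fields as named in the manual)."""
    source_ip: str
    prefix_length: int   # 0 means the rule matches every source address
    start_port: int
    end_port: int
    protocol: str        # "Any", "TCP" or "UDP"
    action: str          # "Allow" or "Block"

    def matches(self, src_ip: str, dst_port: int, proto: str) -> bool:
        # ip_network(..., strict=False) turns "198.51.100.7/0" into 0.0.0.0/0,
        # which is exactly the prefix-length-0 pitfall the manual warns about.
        net = ipaddress.ip_network(f"{self.source_ip}/{self.prefix_length}", strict=False)
        if ipaddress.ip_address(src_ip) not in net:
            return False
        if not self.start_port <= dst_port <= self.end_port:
            return False
        return self.protocol == "Any" or self.protocol == proto


def evaluate(table: list[Rule], src_ip: str, dst_port: int, proto: str) -> str:
    """First matching rule wins; no match at all means the packet is accepted."""
    for rule in table:
        if rule.matches(src_ip, dst_port, proto):
            return rule.action
    return "Allow"  # end of table reached without a match


# Constructed tables. MGMT_HOST is a hypothetical management station.
MGMT_HOST = "198.51.100.7"
BLOCK_ALL = Rule("0.0.0.0", 0, 0, 65535, "Any", "Block")

# Intended: allow HTTPS only from MGMT_HOST. No block-all at the end, so
# everything that falls off the table is still accepted.
TABLE_NO_DEFAULT = [Rule(MGMT_HOST, 32, 443, 443, "TCP", "Allow")]

# Same allow rule with the recommended final block-all rule.
TABLE_WITH_DEFAULT = [Rule(MGMT_HOST, 32, 443, 443, "TCP", "Allow"), BLOCK_ALL]

# Misconfigured: the allow rule was entered with Prefix Length 0, so the
# Source IP is ignored and any host reaches port 443 despite the block-all.
TABLE_PREFIX_ZERO = [Rule(MGMT_HOST, 0, 443, 443, "TCP", "Allow"), BLOCK_ALL]
```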
The following procedure describes how to configure firewall rules through the Web interface. You can also configure them through the ini file [AccessList] or CLI (configure network > access-list).
➢ To configure a firewall rule:
1. Open the Firewall table (Setup menu > IP Network tab > Security folder > Firewall).
2. Click New; the following dialog box appears: