SIP Deep Packet Inspection categories (Category / Description / User configurable options):

Category: SIP Reconnaissance Attacks
Description: The intruder probes the PBX to learn which version of Asterisk it is running, so that the known vulnerabilities of that version can be exploited. The SIP Firewall does not respond to the probe.
User configurable options: N/A

Category: SIP Devices Scanning
Description: The intruder scans the PBX ports to learn which devices are connected to it, so that third-party vulnerabilities in those devices can be exploited. The SIP Firewall does not respond to the scan.
User configurable options: N/A

Category: SIP Extensions Discovery
Description: The intruder asks the PBX to reveal the range of its extension numbers, then tries different passwords against those extensions to take control of them. The SIP Firewall does not respond to the query; the configurable threshold counts registration attempts for invalid SIP users from one source within the configured duration.
User configurable options: Invalid SIP User Registration Attempts/Duration

Category: Multiple Authentication Failures / Brute force password Attempt
Description: The intruder repeatedly tries to log in with different user names and passwords. Once he succeeds, he controls that extension. When the number of failed authentication attempts from an IP exceeds the configured count within the configured duration, the SIP Firewall can log the alert, block the packets, or blacklist the IP for a period of time.
User configurable options: Failed Authentication Attempts/Duration

Category: Ghost calls Attempt
Description: The intruder generates calls to an extension that appear to originate from that same extension. His goal is to crash the PBX, resulting in disrupted communication. When the number of such calls from an IP exceeds the configured count within the configured duration, the SIP Firewall can log the alert, block the packets, or blacklist the IP for a period of time.
User configurable options: No of Anonymous Invite Responses/Duration

Category: SIP DoS Attacks
Description: Flooding attempts using various SIP messages.
User configurable options: No of SIP Request Messages/Duration

Category: SIP DDoS Attacks
Description: Distributed flooding attempts using various SIP messages.
User configurable options: No of SIP Response Messages/Duration

Category: SIP Anomaly attacks
Description: The intruder sends abnormal SIP packets to the PBX. His goal is to crash the PBX, resulting in disrupted
User configurable options: N/A
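The rate-based rows of the table (extension discovery, brute force, ghost calls and SIP DoS) all work the same way: count one kind of SIP event per source IP inside a window of "Duration" seconds, and when the count exceeds the configured number of attempts, log, block, or blacklist the IP for a period. The following is an added example written for this page, not Elastix code and not the appliance's DPI engine: a sliding-window detector with a dynamic blacklist, run over constructed traffic (RFC 5737 addresses). The threshold values, the `Policy`/`SipEvent` fields and the classification rules (an INVITE whose caller equals the callee or is "anonymous" counts as a ghost call; a REGISTER for an unknown user counts as enumeration; a REGISTER with rejected credentials counts as brute force) are assumptions for illustration.

```python
"""Sliding-window SIP attack detector with a dynamic blacklist (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    threshold: int              # events tolerated inside one window
    duration: float             # window length in seconds (the "Duration" knob)
    action: str                 # "log", "block" or "blacklist"
    block_seconds: float = 0.0  # blacklist lifetime when action == "blacklist"


# Assumed policy values; the real appliance exposes these per category.
POLICIES: Dict[str, Policy] = {
    "extension_discovery": Policy("SIP Extensions Discovery", 5, 10.0, "block"),
    "brute_force": Policy("Brute force password attempt", 5, 60.0, "blacklist", 300.0),
    "ghost_call": Policy("Ghost calls attempt", 3, 10.0, "blacklist", 120.0),
    "sip_dos": Policy("SIP DoS attack", 50, 1.0, "blacklist", 600.0),
}


@dataclass(frozen=True)
class SipEvent:
    """One SIP request as the DPI engine would see it (constructed, not captured)."""
    ts: float
    src_ip: str
    method: str                 # INVITE, REGISTER, OPTIONS, ...
    from_user: str = ""
    to_user: str = ""
    user_known: bool = True     # does the target user/extension exist on the PBX
    auth_failed: bool = False   # request carried credentials the PBX rejected


def classify(ev: SipEvent) -> List[str]:
    """Map one request to every category it counts toward (assumed rules)."""
    cats = ["sip_dos"]                       # every request feeds the flood counter
    if ev.method == "REGISTER" and not ev.user_known:
        cats.append("extension_discovery")   # invalid-user registration attempt
    elif ev.method == "REGISTER" and ev.auth_failed:
        cats.append("brute_force")           # failed authentication attempt
    if ev.method == "INVITE" and (ev.from_user == ev.to_user
                                  or ev.from_user.lower() == "anonymous"):
        cats.append("ghost_call")            # caller spoofs the callee, or is anonymous
    return cats


class Detector:
    def __init__(self, policies: Dict[str, Policy] = POLICIES) -> None:
        self.policies = policies
        self.windows: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.blacklist: Dict[str, float] = {}    # src_ip -> expiry timestamp
        self.alerts: List[str] = []

    def is_blacklisted(self, ip: str, now: float) -> bool:
        expiry = self.blacklist.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                        # entry aged out: let traffic through
            del self.blacklist[ip]
            return False
        return True

    def handle(self, ev: SipEvent) -> str:
        """Return 'pass', 'drop' (policy hit) or 'blacklisted' (IP already listed)."""
        if self.is_blacklisted(ev.src_ip, ev.ts):
            return "blacklisted"
        verdict = "pass"
        for cat in classify(ev):
            pol = self.policies[cat]
            win = self.windows[(ev.src_ip, cat)]
            win.append(ev.ts)
            while win and ev.ts - win[0] > pol.duration:   # slide the window
                win.popleft()
            if len(win) <= pol.threshold:
                continue
            self.alerts.append(f"{ev.ts:.2f} {ev.src_ip} {pol.name}: "
                               f"{len(win)} in {pol.duration}s -> {pol.action}")
            if pol.action == "blacklist":
                self.blacklist[ev.src_ip] = ev.ts + pol.block_seconds
                verdict = "drop"
            elif pol.action == "block":
                verdict = "drop"
            # "log" only records the alert and lets the packet through
        return verdict


def demo_events() -> Dict[str, List[SipEvent]]:
    """Constructed traffic, one attacker per category."""
    brute = [SipEvent(t, "203.0.113.5", "REGISTER", "1001", "1001", auth_failed=True)
             for t in range(7)]
    brute.append(SipEvent(400.0, "203.0.113.5", "REGISTER", "1001", "1001", auth_failed=True))
    ghost = [SipEvent(10 + 0.5 * i, "198.51.100.7", "INVITE", "1002", "1002") for i in range(4)]
    enum = [SipEvent(20 + i, "192.0.2.9", "REGISTER", str(9000 + i), str(9000 + i),
                     user_known=False) for i in range(8)]
    flood = [SipEvent(30 + 0.01 * i, "203.0.113.77", "OPTIONS") for i in range(60)]
    return {"brute": brute, "ghost": ghost, "enum": enum, "flood": flood}


def run(events: List[SipEvent]) -> Tuple[List[str], Detector]:
    det = Detector()
    return [det.handle(ev) for ev in events], det


if __name__ == "__main__":
    for name, evs in demo_events().items():
        verdicts, det = run(evs)
        print(name, verdicts, det.alerts)
```

Two points the example makes visible. "Block" only drops the offending packets while the window stays over threshold, so the enumeration source is dropped packet by packet but comes back as soon as it slows down; "blacklist" drops everything from the IP until the entry expires, which is why the brute-force source is accepted again at t=400. Keying on source IP is the appliance's model, so remember that all phones behind one NAT share a verdict, and that a spoofed UDP source address can push a victim's address over a flood threshold; whitelist rules for known trunks and phones reduce both problems.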

Source: Elastix SIP Firewall User Manual, section 4.1 SIP Attacks Detection Policies.