SBC session border controllers
3 GENERAL SWITCH OPERATION GUIDELINES
The easiest way to configure and monitor the device is the web configurator, so we recommend using it for
these purposes.
To prevent unauthorized access to the device, we recommend changing the password for Telnet, SSH and
console access (default username: admin, password: rootpasswd) and the administrator password for web
configurator access. For setting a password for access through Telnet and console, see Section 4.2. We recommend
writing down the defined passwords and storing them in a safe place, inaccessible to intruders. We also strongly
recommend not opening access to the device via Telnet, SSH and web from a public network.
On a local network, it is better to use an HTTPS connection to access the web configurator instead of HTTP
(the configuration process is described in Section SSL/TLS configuration). It is better to use SSH instead of
Telnet to access the CLI. Access protocols are selected in the network interface settings (described in Section
4.1.4.3). It is also recommended to allocate a separate SBC interface for management in a dedicated VLAN. To
restrict SBC administration to individual nodes, you can also use a whitelist of addresses from which the
SBC can be managed (more details in Section 4.1.8.6).
To prevent loss of device configuration data, e.g. after a reset to factory settings, we recommend making
configuration backup copies and storing them on a PC each time significant changes are made.
It is recommended to use trusted and protected DNS and NTP servers on the network. It is better to place
the equipment behind a firewall with ingress filtering configured on it.
3.1 Ensuring call security
SBC has several mechanisms for call security:
– A built-in firewall that provides the following functions (more details in section 4.1.8.5 Static firewall):
    Filtering by IP address, port and protocol;
    Filtering of users by geographical area (GeoIP);
    Filtering by strings contained in messages.
– Call restrictions in Rule Set rules (see Section 4.1.3.5):
    The "reject" action prevents passing of calls under the conditions covered by the rule. For example, you
    can use a rule on "Name from To header" with the name mask "^\+*[78]10.+" to forbid international calls;
    The "send to..." action using filters. For example, you can restrict calls to Russia only, using the rule
    "Name from To header" with the mask "^7[3489].{9}$";
    A time limit on the validity of the rule. In this way, it is possible to limit the validity of a
    communication service or of communication restrictions by combining the validity time limit with the
    "reject" and "send to..." rules.
– DoS attack prevention (see Section 4.1.8.7):
    ICMP flood protection. In this mode SBC will not respond to ICMP type 8 and type 13 requests;
    Port scan detection. SBC analyses access attempts and, if port scanning is detected, blocks the
    intruder;
    List of forbidden client applications. SBC blocks SIP requests by detecting specified patterns in the
    User-Agent header that correspond to popular SIP scanners and utilities used to carry out various attacks;
    SIP flood protection. SBC analyses both network hosts and individual subscribers for activity
    considered as flooding or attempts at password brute-forcing. SBC also replaces 404 responses with 403
    to make scanning of number allocation more difficult.
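As an added illustration (not code from this manual or from the SBC itself) of how the Rule Set masks quoted above classify a call, the following Python script applies the two masks to the name taken from a SIP To header, with a validity window on the reject rule to show how a time limit combines with a restriction. The To-header parsing, first-match rule ordering, action names and the trunk name trunk_ru are assumptions, not the SBC's documented behaviour.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed helper (not the SBC's own parser): take the display name from a SIP
# To header, or fall back to the user part of the URI when no name is present.
_TO_RE = re.compile(r'^(?:"(?P<name>[^"]*)"\s*)?<?sip:(?P<user>[^@>;]+)')

def name_from_to_header(to_header: str) -> str:
    m = _TO_RE.match(to_header.strip())
    if not m:
        raise ValueError(f"unparseable To header: {to_header!r}")
    return m.group("name") or m.group("user")

@dataclass
class Rule:
    mask: str                        # regex applied to "Name from To header"
    action: str                      # "reject" or "send to"
    target: Optional[str] = None     # destination for "send to"
    valid_from: Optional[datetime] = None   # optional validity window
    valid_to: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        return ((self.valid_from is None or now >= self.valid_from)
                and (self.valid_to is None or now <= self.valid_to))

def evaluate(rules, to_header: str, now: datetime):
    """First active rule whose mask matches the To-header name decides the call."""
    name = name_from_to_header(to_header)
    for rule in rules:
        if rule.active(now) and re.search(rule.mask, name):
            return (rule.action, rule.target)
    return ("default", None)        # no rule matched: normal call handling

# The two masks quoted in the manual. The reject rule carries a constructed
# validity window to show how a time limit and a restriction combine.
RULES = [
    Rule(r"^\+*[78]10.+", "reject", valid_to=datetime(2024, 6, 30, 23, 59)),
    Rule(r"^7[3489].{9}$", "send to", "trunk_ru"),
]

if __name__ == "__main__":
    # Constructed sample headers: international via 8-10, Russian, internal.
    for hdr in ('"8104912345678" <sip:8104912345678@sbc.example>',
                '<sip:74951234567@sbc.example>',
                '<sip:1012@sbc.example>'):
        print(hdr, "->", evaluate(RULES, hdr, datetime(2024, 1, 1, 12, 0)))
```

After the reject rule's window expires, the same international number falls through to normal handling, which is the behaviour the time-limit bullet describes.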