manualshive.com logo in svg

Grandstream Networks UCM6100 Series, Manual Manual

Share
Download
Grandstream Networks UCM6100 Series Manual Manual Download Page 21

 

 

UCM6100 Security Manual                                                              Page 20 of 23 

 

Figure 15: SSH Connection Blocked by UCM6100 

 

 

DYNAMIC DEFENSE 

 

Dynamic defense 

is supported on UCM6102 and UCM6510 when LAN mode is set to “Route”. It can be 

configured  from  Web  UI->Settings->Firewall->Dynamic  Defense.  Once  enabled,  it  will  try  to  blacklist 

massive connection attempts or brute force attacks made by individual host. 

 

The UCM6100 Dynamic Defense model also allows users to customize the connection threshold and time 

interval, meaning users can manually set the period for the max connection made by individual IP address. 

In addition, whitelist is supported so that certain hosts will not be blocked by Dynamic Defense. 

 

For more configuration details, please refer to 

UCM6100 User Manual

 

 

FAIL2BAN 

 

Fail2Ban  is mainly  designed to detect and prevent intrusion for authentication errors in  SIP REGISTER, 

INVITE and SUBSCRIBE method. It can be configured from Web UI->Settings->Firewall->Fail2ban. Users 

can customize the maximum retry times  that  one host can attempt in  a period of time. If a host  initiates 

attempts which exceed maximum retry times, it will be banned by UCM6100 for a certain amount of time. 

User can also add a whitelist for the host that will not be punished by this defensive mechanism.     

   

Fail2Ban  can  be  enabled  in  the  UCM61xx  web  UI->Firewall->Fail2Ban.  By  default  Fail2Ban  is  disabled 

Summary of Contents for UCM6100 Series

Page 1: ...Grandstream Networks Inc UCM6100 Security Manual ...

Page 2: ...X PASSWORD 7 STRATEGY OF IP ACCESS CONTROL 7 EXAMPLE LOCAL SUBNET ONLY 7 SRTP 10 TRUNK SECURITY 11 OUTBOUND RULE PERMISSIONS 11 PRIVILEGE LEVEL 11 SOURCE CALLER ID FILTER 12 IVR DIAL TRUNK 12 ALLOW GUEST CALLS 13 TLS 14 FIREWALL 16 STATIC DEFENSE 16 STATIC DEFENSE EXAMPLE BLOCKING TCP CONNECTION FROM A SPECIFIC HOST 17 STATIC DEFENSE EXAMPLE BLOCKING SSH CONNECTION TO UCM6100 18 DYNAMIC DEFENSE 20...

Page 3: ...68 40 142 Using TCP Connection 17 Figure 11 Host blocked by UCM6100 18 Figure 12 UCM6100 SSH Access 18 Figure 13 Block SSH Connection 19 Figure 14 Putty Setup for SSH Connection 19 Figure 15 SSH Connection Blocked by UCM6100 20 Figure 16 Fail2Ban Default Configuration 21 Figure 17 Asterisk Service Fail2Ban setting 22 This document is subject to change without notice The latest electronic version o...

Page 4: ...reated by the default super administrator Extension security This includes SIP IAX password for authentication IP access control and SRTP Trunk security Trunk security is achieved mainly by setting the privilege level configuring source caller ID filter to filter out outbound call requests from unwanted source TLS This is to secure the SIP signaling Firewall mechanism Three types of firewall mecha...

Page 5: ...ng the UCM6100 on public network could expose the domain name IP address of the UCM6100 and pose serious security concerns PROTOCOL TYPE HTTP and HTTPS default are supported to access the UCM6100 web UI It can be configured under web UI Settings HTTP Server The protocol type is also the protocol used for zero config when the endpoint device downloads the config file from the UCM6100 Therefore it s...

Page 6: ...rmation could be exposed and changed intentionally or unintentionally UCM6100 provides protection from such vulnerability using login timeout After the user logs in the UCM6100 web UI the user will be automatically logged out after certain timeout This timeout value can be specified under UCM100 web GUI Settings Login Timeout Settings page In the case that the user doesn t make any operation on we...

Page 7: ...r could create edit and delete new user accounts with lower privilege Admin Super Admin also has the authority to view operations done by all the users in web GUI Settings User Management Operation Log where normal users with lower privilege level Admin don t have access If there are more than one PBX administrator required to manage the UCM6100 in your enterprise it s highly recommended for the s...

Page 8: ... that the password being guessed or cracked out STRATEGY OF IP ACCESS CONTROL The UCM6100 administrator could control what IP address s is allowed to register to a certain extension by editing strategy option under extension configuration dialog Media tag Make sure to configure the strategy option to the smallest set to block registration attempts from anyone that doesn t need to register to the a...

Page 9: ...Only for Strategy option and 192 168 40 0 for Local Subnet Figure 2 Strategy Local Subnet Only 3 Save and Apply changes Now if the SIP end device is in subnet other than 192 168 40 x e g 172 18 31 x subnet the UCM6100 will not allow registration using this extension The following figure shows the SIP device IP address is 172 18 31 17 The UCM6100 on IP 192 168 40 171 replies 404 Not Found for the r...

Page 10: ...n Once moving this device to 192 168 40 x subnet registration will be successful The following figure shows the IP address for the same SIP end device is 192 168 40 190 The UCM6100 on IP address 192 168 40 171 replies 200 OK for the registration request Figure 4 Registration Successful From Allowed Subnet ...

Page 11: ... SRTP is supported on UCM6100 to secure RTP during the call By default it s disabled To use it please configure under extension configuration dialog Media tag when creating editing an extension If SRTP is enabled RTP data flow will be encrypted ...

Page 12: ... with international call capability OUTBOUND RULE PERMISSIONS Two methods are supported on UCM6100 to control outbound rule permissions and users can apply one of them to the outbound rule 1 Privilege Level 2 Enable Filter on Source Caller ID Please make sure to configure it to allow only the desired group of users to call from this route Figure 5 Outbound Rule Permissions PRIVILEGE LEVEL On the U...

Page 13: ...so that only the desired users can dial out from this outbound route For detailed configuration instructions please refer to MANAGING OUTBOUND ROUTE section in white paper How to manage inbound outbound route on UCM6510 6100 IVR DIAL TRUNK When creating editing an IVR the administrator could decide whether to allow the calls entering the IVR to make outbound calls through trunks by configuring Dia...

Page 14: ...ION section in white paper How to manage inbound outbound route on UCM6510 6100 ALLOW GUEST CALLS Allow Guest Calls option can be found on web GUI PBX SIP Settings General page We highly recommend NOT to turn on this option for any deployments Enabling Allow Guest Calls will stop the PBX from authenticating incoming calls from unknown or anonymous callers In that case hackers get the chance to sen...

Page 15: ...an be configured under UCM6100 web GUI PBX SIP Settings TCP TLS page Figure 8 PBX SIP Settings TCP TLS 1 Set TLS Enable as Yes to enable TLS on UCM6100 2 Configure TLS Do Not Verify TLS Self Signed CA and TLS Cert properly to achieve basic TLS authentication and encryption TLS Self Signed CA This is used when UCM6100 acts as a client to authenticate the server If the server the UCM6100 connecting ...

Page 16: ...on on the UCM6100 client fails and the TLS connection cannot get established TLS Do Not Verify This is effective when UCM6100 acts as a client If set to Yes the server s certificate sent to the client during TLS Handshake won t be verified Considering if two UCM6100s are peered since the default certificate built in UCM6100 at the factory has common name equaling localhost which is not a valid IP ...

Page 17: ...ptions to configure static defense rule are as follows Rule Name Created by user to identify this rule Action Accept Reject or Drop depending on how the user would like the rule to perform Type In out indicates the traffic direction Interface Select network interface where the traffic will go through Service Users can select the pre defined service FTP SSH Telnet TFTP HTTP LDAP or Custom which all...

Page 18: ...e 192 168 40 142 is the host IP address and 192 168 40 131 is the UCM6100 s IP address Port 8089 on UCM6100 is used for HTTP server web UI access This setting will block host on 192 168 40 131 to access UCM6100 port 8089 using TCP connection Figure 9 Firewall Rule Custom Configuration Figure 10 Static Defense Blocking Host 192 168 40 142 Using TCP Connection After saving and applying the change ho...

Page 19: ... TO UCM6100 The UCM6100 can be accessed via SSH connection by default The SSH access provides device status information reboot reset and limited configuration capabilities It is recommended to disable it once the UCM6100 is deployed for security purpose This can be done using static defense Figure 12 UCM6100 SSH Access ...

Page 20: ...e 2 In the prompt window configure the following parameters Rule Name Configure a name to identify this rule Action Reject Type IN Interface WAN for UCM6102 Service SSH Figure 13 Block SSH Connection 3 Save and apply changes Now SSH connection to the UCM6100 will not be allowed anymore from any host Figure 14 Putty Setup for SSH Connection ...

Page 21: ...In addition whitelist is supported so that certain hosts will not be blocked by Dynamic Defense For more configuration details please refer to UCM6100 User Manual FAIL2BAN Fail2Ban is mainly designed to detect and prevent intrusion for authentication errors in SIP REGISTER INVITE and SUBSCRIBE method It can be configured from Web UI Settings Firewall Fail2ban Users can customize the maximum retry ...

Page 22: ...6100 If in this period the host connection exceeds the maximum connection limit it will be banned for the Banned Duration By default it is set to 10 mins 600s Max Retry This speficies the amount of times a host can try to connect to the UCM6100 during Max Retry Duration If the host connection exceeds this limit within Max Retry Duration it will be banned for the Banned Duration By default it is se...

Page 23: ...ervice under Local Settings in order for it to take effect Currently only 5060 UCP Port is supported for Protocol Users can then define the value for MaxRetry which will override the MaxRetry value under Global Settings Max Retry specifies the number of authentication failures during Max Retry Duration before the host is banned and the default value is 5 ...

Page 24: ...le AMI on the UCM6100 if it is placed on a public or untrusted network unless you have taken steps to protect the device from unauthorized access It is crucial to understand that AMI access can allow AMI user to originate calls and the data exchanged via AMI is often very sensitive and private for your UCM6100 system Please be cautious when enabling AMI access on the UCM6100 and restrict the permi...

Reviews:

No comments

Brands by name

Popular brands

Load more brands