manualshive.com logo in svg

Grandstream Networks UCM6202, Security Manual

Introducing the Grandstream Networks UCM6202 - a powerful communication solution for businesses. Enhance your security with the Security Manual, available for free download at manualshive.com. This comprehensive manual offers valuable insights and instructions to maximize the potential of your UCM6202, ensuring seamless communication within your organization.

Share
Download
background image

 

P a g e

 |

 

11

 

 

UCM Security Manual 

EXTENSION SECURITY

 

SIP/IAX Password

 

 
When creating a new SIP/IAX extension, the UCM administrator is required to configure “SIP/IAX Password” 
which will be used for account registration authentication. 

 
If  “Enable  Random  Password”  (on  web  GUI

PBX  Settings

General  Settings)  is  enabled,  “SIP/IAX 

Password” is automatically filled with a randomly generated secure password when creating the extension 
on the UCM.   

 
If “Enable Strong Password” (on web GUI

 PBX Settings

General Settings

) is enabled, the password 

must be alphanumeric which should contain numeric digit and at least one lower case alphabet or upper-
case alphabet, or special character. 

 

It is recommended to use random password and strong password to reduce the chance that the password 
being guessed or cracked out. 

 

Strategy of IP Access Control

 

 
The UCM administrator could control what IP address(s) is allowed to register to a certain extension by 
editing  “strategy”  option  under  extension  configuration  dialog

“Media”  tag. 

Make  sure  to  configure  the 

“strategy” option to the smallest set to block registration attempts from anyone that doesn’t need to register 
to the account.

 

 
The strategy options are: 

 

“Local Subnet Only”: allows register requests from local IPs only. By default, the local subnet where the 
UCM  is  location  is  allowed.  User  could  also  add  more  local  subnets  where  devices  are  allowed  to 
register to this extension. 

 

“A Specific IP Address”: allows register requests from one user specified IP only. 

 

“Allow All”: the registration address is the entire Internet which is least recommended. 

 

Example: Local Subnet Only

 

1. 

Assuming there are multiple subnets within the office and the devices in all subnets can reach each 
other. The network administrator would like to allow only devices in 192.168.40.x network to register to 
this UCM. 

 

2. 

Under  UCM  web  UI  extension  dialog,  configure  “Local  Subnet  Only”  for  “Strategy”  option  and 
192.168.40.0 for “Local Subnet”. 

Summary of Contents for UCM6202

Page 1: ...Grandstream Networks Inc UCM series IP PBX Security Manual ...

Page 2: ...tegy of IP Access Control 11 Example Local Subnet Only 11 SRTP 14 TRUNK SECURITY 15 Outbound Rule Permissions 15 Privilege Level 15 Source Caller ID Filter 16 Password protection 16 PIN Groups 17 IVR Dial Trunk 19 Allow Guest Calls 20 TLS 21 FIREWALL 23 Static Defense 23 Static Defense Example Blocking TCP Connection from a Specific Host 24 Static Defense Example Blocking SSH Connection to UCM 25 ...

Page 3: ...P a g e 2 UCM Security Manual Fail2ban 28 AMI 31 ...

Page 4: ... Figure 10 Source Caller ID Filter 16 Figure 11 Password Protection 17 Figure 12 Adding PIN Groups 17 Figure 13 Outbound route with PIN group 18 Figure 15 IVR Dial Trunk 19 Figure 16 PBX Settings SIP Settings TCP TLS 21 Figure 17 Firewall Rule Custom Configuration 24 Figure 18 Static Defense Blocking Host 192 168 40 142 Using TCP Connection 24 Figure 19 Host blocked by UCM 25 Figure 20 UCM SSH Acc...

Page 5: ... the privilege level configuring source caller ID filter to filter out outbound call requests from unwanted source TLS This is to secure the SIP signaling Firewall mechanism Three types of firewall mechanism can be configured to protect UCM against malicious attacks Static Defense Dynamic Defense UCM6510 and UCM6102 UCM6202 UCM6204 UCM6208 only and Fail2ban AMI Using AMI feature comes with securit...

Page 6: ... to access the UCM web UI It can be configured under web UI Settings HTTP Server The protocol type is also the protocol used for zero config when the endpoint device downloads the config file from the UCM Therefore it s recommended to use HTTPS instead of HTTP to secure the transactions and prevent unauthorized access Note also that by default we are using HTTP HTTPS ports that are different from ...

Page 7: ...cess is restricted by user login Username and password are required when logging in to web UI Figure 1 UCM6202 Web UI Login The factory default value of Username is admin while the default random password can be found on the sticker at the back of the unit ...

Page 8: ... go to web GUI Settings Change Password page The new password has to be at least 4 characters The maximum length of the password is 30 characters The minimum requirement for the login password is as below if Enable Strong Password on web GUI PBX Internal Options General is turned on Must contain numeric digit Must contain at least one lowercase alphabet uppercase alphabet or special character Stro...

Page 9: ...user doesn t make any operation on web GUI within the timeout period the user will be logged out automatically and the web UI will be redirected to the login page requiring password to access the web pages If the login timeout period is set to a short enough time the chances of an adversary gaining access to an unattended terminal are significantly reduced However the timeout period cannot be too ...

Page 10: ...ld create edit and delete new user accounts with lower privileges Admin Custom and Consumer Super Admin also has the authority to view operations done by all the users in web GUI Maintenance Operation Log where normal users with lower privilege level Admin don t have access If there are more than one PBX administrator required to manage the UCM in your enterprise it s highly recommended for the su...

Page 11: ...ure can be helpful by giving each person the level of access that they just need no more nor less The last user access level is the Consumer level this is the default assigned one for user portal access where each user can access the UCM portal using his her extension number and password in order to manage their own data and benefit from the value added feature This way normal users don t have acc...

Page 12: ...t IP address s is allowed to register to a certain extension by editing strategy option under extension configuration dialog Media tag Make sure to configure the strategy option to the smallest set to block registration attempts from anyone that doesn t need to register to the account The strategy options are Local Subnet Only allows register requests from local IPs only By default the local subne...

Page 13: ... Now if the SIP end device is in subnet other than 192 168 40 x e g 172 18 31 x subnet the UCM will not allow registration using this extension The following figure shows the SIP device IP address is 172 18 31 17 The UCM on IP 192 168 40 171 replies 404 Not Found for the registration request ...

Page 14: ... Once moving this device to 192 168 40 x subnet registration will be successful The following figure shows the IP address for the same SIP end device is 192 168 40 190 The UCM on IP address 192 168 40 171 replies 200 OK for the registration request Figure 7 Registration Successful from Allowed Subnet ...

Page 15: ...sion If SRTP is enabled RTP data flow will be encrypted Figure 8 Enabling SRTP As shown above users have two options while enabling SRTP under extension parameters Enabled and forced On this case the extension does support SRTP for secure audio and doesn t allow any calls without SRTP Enabled But Not Forced The extension does support SRTP but can allow negotiation to setup calls without SRTP in ca...

Page 16: ...sions Four methods are supported on UCM to control outbound rule permissions and users can apply one of them to the outbound rule 1 Privilege Level 2 Enable Filter on Source Caller ID 3 Password protection 4 PIN groups Please make sure to configure it to allow only the desired group of users to call from this route Figure 9 Outbound Rule Permissions Privilege Level On the UCM the supported 4 privi...

Page 17: ...bound call will either need to be an extension in the selected list or match the defined pattern Figure 10 Source Caller ID Filter Please specify the extension or the pattern here to the minimal set so that only the desired users can dial out from this outbound route For detailed configuration instructions please refer to MANAGING OUTBOUND ROUTE section in white paper How to manage inbound outboun...

Page 18: ...trator on this case can set the outbound rule protection mode to PIN groups where each user should enter his PIN code in order to be allowed to make outbound calls through trunks In order to set PIN group protection the admin should follow below steps 1 Navigate on the web UI under Extension Trunk Outbound Routes PIN Groups 2 Click Add to create a new PIN group and enter the user names and passwor...

Page 19: ...ly then on your outbound routes you can select the created group and each time one the PIN group members tries to make outbound call he she will be requested to enter their PIN code as a security protection Figure 13 Outbound route with PIN group ...

Page 20: ...s could possibly generate expected high charges especially if an IVR is configured as the destination of an inbound route of a PSTN trunk in which case anyone can call into the IVR and then dial out to long distance or international calls Figure 14 IVR Dial Trunk We recommend disabling Dial Trunk option unless the risk associated with it is clearly understood or the PBX administrator intentionally...

Page 21: ...ents Enabling Allow Guest Calls will stop the PBX from authenticating incoming calls from unknown or anonymous callers In that case hackers get the chance to send INVITE to UCM and the UCM will place the call without authentication This can result in high toll charges The administrator might also want to check CDR regularly to make sure there is no suspicious calls in the early stage of deployment...

Page 22: ...e servers and clients and then encrypt SIP messages between the authenticated parties TLS can be configured under UCM web GUI PBX Settings SIP Settings TCP TLS page Figure 15 PBX Settings SIP Settings TCP TLS 1 Set TLS Enable as Yes to enable TLS on UCM 2 Configure TLS Do Not Verify TLS Self Signed CA and TLS Cert properly to achieve basic TLS authentication and encryption ...

Page 23: ...ndard some clients do not have this requirement for server authentication If not matching authentication on the UCM client fails and the TLS connection cannot get established TLS Do Not Verify This is effective when UCM acts as a client If set to Yes the server s certificate sent to the client during TLS Handshake won t be verified Considering if two UCMs are peered since the default certificate b...

Page 24: ... options to configure static defense rule are as follows Rule Name Created by user to identify this rule Action Accept Reject or Drop depending on how the user would like the rule to perform Type In out indicates the traffic direction Interface Select network interface where the traffic will go through Service Users can select the pre defined service FTP SSH Telnet TFTP HTTP LDAP or Custom which a...

Page 25: ...ure 192 168 40 142 is the host IP address and 192 168 40 131 is the UCM s IP address Port 8089 on UCM is used for HTTP server web UI access This setting will block host on 192 168 40 131 to access UCM port 8089 using TCP connection Figure 16 Firewall Rule Custom Configuration Figure 17 Static Defense Blocking Host 192 168 40 142 Using TCP Connection After saving and applying the change host 192 16...

Page 26: ... SSH Connection to UCM The UCM can be accessed via SSH connection by default The SSH access provides device status information reboot reset and limited configuration capabilities It is recommended to disable it once the UCM is deployed for security purpose This can be done using static defense ...

Page 27: ...n steps 1 In UCM web UI System Settings Security Settings Static Defense page click on Create New Rule 2 In the prompt window configure the following parameters Rule Name Configure a name to identify this rule Action Reject Type IN Interface WAN for UCM6202 Service SSH ...

Page 28: ...P a g e 27 UCM Security Manual Figure 20 Block SSH Connection 3 Save and apply changes Now SSH connection to the UCM will not be allowed anymore from any host Figure 21 Putty Setup for SSH Connection ...

Page 29: ...n whitelist is supported so that certain hosts will not be blocked by Dynamic Defense For more configuration details please refer to UCM User Manual Fail2ban Fail2Ban is mainly designed to detect and prevent intrusion for authentication errors in SIP REGISTER INVITE and SUBSCRIBE method It can be configured from Web UI System Settings Security Settings Fail2ban Users can customize the maximum retr...

Page 30: ...period the host connection exceeds the maximum connection limit it will be banned for the Banned Duration By default it is set to 10 mins 600s Max Retry This speficies the amount of times a host can try to connect to the UCM during Max Retry Duration If the host connection exceeds this limit within Max Retry Duration it will be banned for the Banned Duration By default it is set to 5 times Fail2Ba...

Page 31: ...entication failures during Max Retry Duration before the host is banned and the default value is 5 In addition to defending against hostile SIP messages Fail2Ban can now be configured to defend against login attacks Excessive login attempts will ban IP addresses from accessing the UCM web UI users could enable the option as shown on the figure above Once enabled and When the number of failed login...

Page 32: ...MI on the UCM if it is placed on a public or untrusted network unless you have taken steps to protect the device from unauthorized access It is crucial to understand that AMI access can allow AMI user to originate calls and the data exchanged via AMI is often very sensitive and private for your UCM system Please be cautious when enabling AMI access on the UCM and restrict the permission granted to...

Reviews:

No comments

Related manuals for UCM6202

Samsung SGH-T619 User Manual preview
SGH-T619
Brand: Samsung Pages: 212
mPTech FUN 18x9 Quick Start Manual preview
FUN 18x9
Brand: mPTech Pages: 36
OPlus 5.7 MUSIC User Manual preview
5.7 MUSIC
Brand: OPlus Pages: 35
Uriver SP-115C User Manual preview
SP-115C
Brand: Uriver Pages: 109
Pantech PG-1810 Service Manual preview
PG-1810
Brand: Pantech Pages: 54
Docomo Style F-02A Instruction Manual preview
Style F-02A
Brand: Docomo Pages: 469
Yealink SIP-T21 User Manual preview
SIP-T21
Brand: Yealink Pages: 143
Blackberry Accessibility User Manual preview
Accessibility
Brand: Blackberry Pages: 17
Allview P5 Pro Software Update Procedure preview
P5 Pro
Brand: Allview Pages: 7
Grandstream Networks Grandstream GXP-2010 Quick Installation Manual preview
Grandstream GXP-2010
Brand: Grandstream Networks Pages: 1
TRENDnet ClearSky TVP-SP1BK (Japanese) Quick Installation Manual preview
ClearSky TVP-SP1BK
Brand: TRENDnet Pages: 13
Talkswitch TS-450i User Manual preview
TS-450i
Brand: Talkswitch Pages: 83
Movilnet X992 Manual preview
X992
Brand: Movilnet Pages: 26
Hyundai W25544L User Manual preview
W25544L
Brand: Hyundai Pages: 25
VERTIS 3511 YOU User Manual preview
3511 YOU
Brand: VERTIS Pages: 23
IPRO V7 User Manual preview
V7
Brand: IPRO Pages: 16
Zte Radiant User Manual preview
Radiant
Brand: Zte Pages: 114
Zte ZTE-C E520 User Manual preview
ZTE-C E520
Brand: Zte Pages: 142

Brands by name

Popular brands

Load more brands