background image

 

P a g e

 |

 

16

 

 

UCM Security Manual 

Please configure the privilege for the outbound rule high enough to restrict the extensions allowed to call 
external numbers via this trunk.

 

 

Source Caller ID Filter

 

 
Instead of using privilege level, UCM administrator could specify the extensions/extension groups that are 
allowed to use the outbound rule. This can be done by selecting extension/extension groups or defining 
pattern for the source caller ID in “Custom Dynamic Route” field. The extension allowed to make outbound 
call will either need to be an extension in the selected list or match the defined pattern. 

 

 

Figure 10: Source Caller ID Filter 

 

Please specify the extension or the pattern here to the minimal set so that only the desired users can dial 
out from this outbound route. 

 
For detailed configuration instructions, please refer to MANAGING OUTBOUND ROUTE section in white 
paper

How to manage inbound/outbound route on UCM6510/6100

   

 

Password protection

 

For even more security, users could protect the outbound rule with a password that will be requested by 
the UCM from the callers in order to allow outbound calls. Users can set the password on each outbound 
on the specified field as shown on the figure below. 

Summary of Contents for UCM6202

Page 1: ...Grandstream Networks Inc UCM series IP PBX Security Manual ...

Page 2: ...tegy of IP Access Control 11 Example Local Subnet Only 11 SRTP 14 TRUNK SECURITY 15 Outbound Rule Permissions 15 Privilege Level 15 Source Caller ID Filter 16 Password protection 16 PIN Groups 17 IVR Dial Trunk 19 Allow Guest Calls 20 TLS 21 FIREWALL 23 Static Defense 23 Static Defense Example Blocking TCP Connection from a Specific Host 24 Static Defense Example Blocking SSH Connection to UCM 25 ...

Page 3: ...P a g e 2 UCM Security Manual Fail2ban 28 AMI 31 ...

Page 4: ... Figure 10 Source Caller ID Filter 16 Figure 11 Password Protection 17 Figure 12 Adding PIN Groups 17 Figure 13 Outbound route with PIN group 18 Figure 15 IVR Dial Trunk 19 Figure 16 PBX Settings SIP Settings TCP TLS 21 Figure 17 Firewall Rule Custom Configuration 24 Figure 18 Static Defense Blocking Host 192 168 40 142 Using TCP Connection 24 Figure 19 Host blocked by UCM 25 Figure 20 UCM SSH Acc...

Page 5: ... the privilege level configuring source caller ID filter to filter out outbound call requests from unwanted source TLS This is to secure the SIP signaling Firewall mechanism Three types of firewall mechanism can be configured to protect UCM against malicious attacks Static Defense Dynamic Defense UCM6510 and UCM6102 UCM6202 UCM6204 UCM6208 only and Fail2ban AMI Using AMI feature comes with securit...

Page 6: ... to access the UCM web UI It can be configured under web UI Settings HTTP Server The protocol type is also the protocol used for zero config when the endpoint device downloads the config file from the UCM Therefore it s recommended to use HTTPS instead of HTTP to secure the transactions and prevent unauthorized access Note also that by default we are using HTTP HTTPS ports that are different from ...

Page 7: ...cess is restricted by user login Username and password are required when logging in to web UI Figure 1 UCM6202 Web UI Login The factory default value of Username is admin while the default random password can be found on the sticker at the back of the unit ...

Page 8: ... go to web GUI Settings Change Password page The new password has to be at least 4 characters The maximum length of the password is 30 characters The minimum requirement for the login password is as below if Enable Strong Password on web GUI PBX Internal Options General is turned on Must contain numeric digit Must contain at least one lowercase alphabet uppercase alphabet or special character Stro...

Page 9: ...user doesn t make any operation on web GUI within the timeout period the user will be logged out automatically and the web UI will be redirected to the login page requiring password to access the web pages If the login timeout period is set to a short enough time the chances of an adversary gaining access to an unattended terminal are significantly reduced However the timeout period cannot be too ...

Page 10: ...ld create edit and delete new user accounts with lower privileges Admin Custom and Consumer Super Admin also has the authority to view operations done by all the users in web GUI Maintenance Operation Log where normal users with lower privilege level Admin don t have access If there are more than one PBX administrator required to manage the UCM in your enterprise it s highly recommended for the su...

Page 11: ...ure can be helpful by giving each person the level of access that they just need no more nor less The last user access level is the Consumer level this is the default assigned one for user portal access where each user can access the UCM portal using his her extension number and password in order to manage their own data and benefit from the value added feature This way normal users don t have acc...

Page 12: ...t IP address s is allowed to register to a certain extension by editing strategy option under extension configuration dialog Media tag Make sure to configure the strategy option to the smallest set to block registration attempts from anyone that doesn t need to register to the account The strategy options are Local Subnet Only allows register requests from local IPs only By default the local subne...

Page 13: ... Now if the SIP end device is in subnet other than 192 168 40 x e g 172 18 31 x subnet the UCM will not allow registration using this extension The following figure shows the SIP device IP address is 172 18 31 17 The UCM on IP 192 168 40 171 replies 404 Not Found for the registration request ...

Page 14: ... Once moving this device to 192 168 40 x subnet registration will be successful The following figure shows the IP address for the same SIP end device is 192 168 40 190 The UCM on IP address 192 168 40 171 replies 200 OK for the registration request Figure 7 Registration Successful from Allowed Subnet ...

Page 15: ...sion If SRTP is enabled RTP data flow will be encrypted Figure 8 Enabling SRTP As shown above users have two options while enabling SRTP under extension parameters Enabled and forced On this case the extension does support SRTP for secure audio and doesn t allow any calls without SRTP Enabled But Not Forced The extension does support SRTP but can allow negotiation to setup calls without SRTP in ca...

Page 16: ...sions Four methods are supported on UCM to control outbound rule permissions and users can apply one of them to the outbound rule 1 Privilege Level 2 Enable Filter on Source Caller ID 3 Password protection 4 PIN groups Please make sure to configure it to allow only the desired group of users to call from this route Figure 9 Outbound Rule Permissions Privilege Level On the UCM the supported 4 privi...

Page 17: ...bound call will either need to be an extension in the selected list or match the defined pattern Figure 10 Source Caller ID Filter Please specify the extension or the pattern here to the minimal set so that only the desired users can dial out from this outbound route For detailed configuration instructions please refer to MANAGING OUTBOUND ROUTE section in white paper How to manage inbound outboun...

Page 18: ...trator on this case can set the outbound rule protection mode to PIN groups where each user should enter his PIN code in order to be allowed to make outbound calls through trunks In order to set PIN group protection the admin should follow below steps 1 Navigate on the web UI under Extension Trunk Outbound Routes PIN Groups 2 Click Add to create a new PIN group and enter the user names and passwor...

Page 19: ...ly then on your outbound routes you can select the created group and each time one the PIN group members tries to make outbound call he she will be requested to enter their PIN code as a security protection Figure 13 Outbound route with PIN group ...

Page 20: ...s could possibly generate expected high charges especially if an IVR is configured as the destination of an inbound route of a PSTN trunk in which case anyone can call into the IVR and then dial out to long distance or international calls Figure 14 IVR Dial Trunk We recommend disabling Dial Trunk option unless the risk associated with it is clearly understood or the PBX administrator intentionally...

Page 21: ...ents Enabling Allow Guest Calls will stop the PBX from authenticating incoming calls from unknown or anonymous callers In that case hackers get the chance to send INVITE to UCM and the UCM will place the call without authentication This can result in high toll charges The administrator might also want to check CDR regularly to make sure there is no suspicious calls in the early stage of deployment...

Page 22: ...e servers and clients and then encrypt SIP messages between the authenticated parties TLS can be configured under UCM web GUI PBX Settings SIP Settings TCP TLS page Figure 15 PBX Settings SIP Settings TCP TLS 1 Set TLS Enable as Yes to enable TLS on UCM 2 Configure TLS Do Not Verify TLS Self Signed CA and TLS Cert properly to achieve basic TLS authentication and encryption ...

Page 23: ...ndard some clients do not have this requirement for server authentication If not matching authentication on the UCM client fails and the TLS connection cannot get established TLS Do Not Verify This is effective when UCM acts as a client If set to Yes the server s certificate sent to the client during TLS Handshake won t be verified Considering if two UCMs are peered since the default certificate b...

Page 24: ... options to configure static defense rule are as follows Rule Name Created by user to identify this rule Action Accept Reject or Drop depending on how the user would like the rule to perform Type In out indicates the traffic direction Interface Select network interface where the traffic will go through Service Users can select the pre defined service FTP SSH Telnet TFTP HTTP LDAP or Custom which a...

Page 25: ...ure 192 168 40 142 is the host IP address and 192 168 40 131 is the UCM s IP address Port 8089 on UCM is used for HTTP server web UI access This setting will block host on 192 168 40 131 to access UCM port 8089 using TCP connection Figure 16 Firewall Rule Custom Configuration Figure 17 Static Defense Blocking Host 192 168 40 142 Using TCP Connection After saving and applying the change host 192 16...

Page 26: ... SSH Connection to UCM The UCM can be accessed via SSH connection by default The SSH access provides device status information reboot reset and limited configuration capabilities It is recommended to disable it once the UCM is deployed for security purpose This can be done using static defense ...

Page 27: ...n steps 1 In UCM web UI System Settings Security Settings Static Defense page click on Create New Rule 2 In the prompt window configure the following parameters Rule Name Configure a name to identify this rule Action Reject Type IN Interface WAN for UCM6202 Service SSH ...

Page 28: ...P a g e 27 UCM Security Manual Figure 20 Block SSH Connection 3 Save and apply changes Now SSH connection to the UCM will not be allowed anymore from any host Figure 21 Putty Setup for SSH Connection ...

Page 29: ...n whitelist is supported so that certain hosts will not be blocked by Dynamic Defense For more configuration details please refer to UCM User Manual Fail2ban Fail2Ban is mainly designed to detect and prevent intrusion for authentication errors in SIP REGISTER INVITE and SUBSCRIBE method It can be configured from Web UI System Settings Security Settings Fail2ban Users can customize the maximum retr...

Page 30: ...period the host connection exceeds the maximum connection limit it will be banned for the Banned Duration By default it is set to 10 mins 600s Max Retry This speficies the amount of times a host can try to connect to the UCM during Max Retry Duration If the host connection exceeds this limit within Max Retry Duration it will be banned for the Banned Duration By default it is set to 5 times Fail2Ba...

Page 31: ...entication failures during Max Retry Duration before the host is banned and the default value is 5 In addition to defending against hostile SIP messages Fail2Ban can now be configured to defend against login attacks Excessive login attempts will ban IP addresses from accessing the UCM web UI users could enable the option as shown on the figure above Once enabled and When the number of failed login...

Page 32: ...MI on the UCM if it is placed on a public or untrusted network unless you have taken steps to protect the device from unauthorized access It is crucial to understand that AMI access can allow AMI user to originate calls and the data exchanged via AMI is often very sensitive and private for your UCM system Please be cautious when enabling AMI access on the UCM and restrict the permission granted to...

Reviews: