IP Technology Distribution

How to harden an Epygi Quadro against SIP attacks

As IP telephony becomes increasingly popular, it attracts the attention of those who would like to make free calls at other people's expense. SIP devices are often attacked continuously by parties trying to find the username/password of accounts on the device, which would allow them to make unauthorized calls from the device at the owner’s expense.

These SIP attacks, or “denial of service” attacks, can be dangerous to your IP PBX, and not just because of the monetary damage they cause the company. In some cases, the attack puts additional stress on the IP PBX, and a user may self-diagnose the problem as a hardware failure when in fact the IP PBX is under attack or being exploited.

As Epygi strives to provide excellent customer service to both our global resellers and distributors, we would like to inform our customers about what can be done to prevent SIP attacks on your Quadro.

There are some steps which could be taken at the time of installation of the Quadro. As the Quadro uses the WAN port to connect to the Internet, where a potential SIP attack can occur, securing the WAN port will be our first focus.

There are actually three possible cases when it comes to WAN usage:

************************************************************************

Case 1: The WAN interface is not used for SIP calls, but only for remote management or other non-call related activity.

Solution: In this case, the best solution is to set the Quadro Firewall level to High and disable the "SIP Access" in the firewall filtering rules.

************************************************************************

Case 2: The WAN interface is used for SIP calls but only to/from specific SIP destinations. Those specific SIP destinations can be an ITSP server, other Quadros in another location or remote IP phones, given that all of them have fixed static IP addresses.

Solution: In this case, you can again set the Firewall level to High and edit the "SIP Access" rule to allow access for only a specific IP group. You can add that group in the "IP Pool Configuration" page ("Manage IP Pool Groups" link in "Filtering Rules") and add the list of static IP addresses. Then you need to edit the "SIP Access" rule to choose that group instead of "Any IP". Don't forget to enable the rule after editing. An additional note: if you are accessing the Quadro web-configuration pages from the WAN side, make sure you have your IP address added to the "Management Access" table prior to increasing the Firewall level, otherwise your IP will be blocked immediately after setting the Firewall level to High!

************************************************************************

Case 3: This is the most complex case - you need to make/receive SIP calls from/to devices that have dynamic IP addresses. These could be other Quadros at remote locations (if for some reason you cannot give them static IP addresses) or remote phones used by traveling users to connect as remote extensions.

Solution: As noted, it can be tricky to secure the system 100% in such cases, but it is possible. You have to use a VPN to secure the Quadro, and have the remote users connect to the Quadro using a VPN router (in the case of remote SIP devices) or a VPN connection on their laptops (in the case of traveling users connecting as remote extensions). If you are using a laptop with Windows, installing the PPTP VPN could be the most convenient option.

Here are three options for setup at the Quadro side (all these options assume you are using High or Medium level of security on the Quadro firewall and that you just open SIP access to the devices which have known static IP addresses):

Option A (simple, cheap, but limited). Use the Quadro's own VPN to connect to remote clients (Quadro as a VPN server). This will work, but will strongly limit the number of IP phones which can connect from the remote side. Quadro is not a dedicated VPN device, so loading it with high VPN traffic (such as many simultaneous calls) is very undesirable, as it may affect other user functionality.

Option B. Set the Quadro behind a powerful VPN router/NAT device. The Quadro will have its firewall open for some selected IP addresses on the Internet, and for a selected IP range in the local network of that VPN router/NAT device. Remote devices should connect through the VPN and, upon connecting, should get an IP address from that allowed local range.

Option C. Connect a VPN router in parallel with the Quadro. The WAN of the router will be connected to the same network as the Quadro's WAN (or you can have both the Quadro and the VPN router assigned real IP addresses). The LAN of the VPN router is connected to the same network as the LAN of the Quadro. Remote agents with their laptops can connect to the VPN router, and that way they can reach the Quadro's LAN network. The Quadro will then recognize them just as regular devices in its LAN.

The last two options offered above are doable and pretty good solutions. They just need some additional expense from the customer (I assume that is to be expected if the customer has high security requirements along with portability needs) and some network knowledge from the integrator.

************************************************************************

Those are the general ideas/instructions on how to solve the problem. Detailed instructions and diagrams would be nice, of course, but they are out of the scope of this document.

And, last but not least - if for some reason you cannot use any of the methods above, you can still use the "SIP IDS" feature of the Quadro. Epygi does not guarantee that SIP IDS will block every kind of attack (blocking all attacks is a pretty difficult separate task, similar to writing antivirus products) but it really helps in many cases. It can be enabled in the hidden "generalconfig.cgi" (for older 5.2 versions), or from the "System"->"System Security Management" page in the newer versions.
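
The following is an added example, not Epygi code and not a description of how SIP IDS works internally. It flags source addresses that produce a burst of failed REGISTER attempts (the username/password guessing described at the top of this page) and shows whether each flagged source would still be admitted by a Case 2 style IP group. The log layout, the threshold, the time window and all addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "time source-ip method username final-status".
# This layout is an assumption for the example, not the Quadro's log format.
# The normal digest challenge is assumed to be folded out already, so a
# 401/403 here means the supplied credentials were rejected.
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.10 REGISTER 101 200
2024-05-01T10:00:01 203.0.113.77 REGISTER 100 401
2024-05-01T10:00:02 203.0.113.77 REGISTER 101 401
2024-05-01T10:00:03 203.0.113.77 REGISTER 102 403
2024-05-01T10:00:04 203.0.113.77 REGISTER admin 401
2024-05-01T10:00:05 203.0.113.77 REGISTER 1000 401
2024-05-01T10:00:30 192.0.2.25 REGISTER 105 401
2024-05-01T10:00:31 192.0.2.25 REGISTER 105 200
"""
# Constructed stand-in for the static addresses placed in the IP group (Case 2).
IP_GROUP = ["198.51.100.10/32", "192.0.2.0/24"]

def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of failing the whole run
        ts, src, method, user, status = parts
        yield datetime.fromisoformat(ts), src, method, user, int(status)

def flag_guessing(log, threshold=5, window=timedelta(seconds=60)):
    """Map source IP -> usernames tried, for sources with >= threshold failures in the window."""
    recent, flagged = defaultdict(deque), {}
    for ts, src, method, user, status in parse(log):
        if method != "REGISTER" or status not in (401, 403):
            continue
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(src, set()).update(u for _, u in q)
    return flagged

def admitted(src, ip_group):
    """True if src falls inside any network of the allowlist."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(net) for net in ip_group)

def report(log, ip_group):
    return {src: {"usernames": sorted(users), "admitted": admitted(src, ip_group)}
            for src, users in flag_guessing(log).items()}
```

A flagged source with `admitted` set to False is one that restricting "SIP Access" to the IP group would stop at the firewall; a flagged source with `admitted` set to True points at a listed peer that needs investigating.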

Source: Epygi Knowledge base
