    I have a client who is being probed every night and all weekend by someone systematically trying to attach to their Quadro 4X. The probes originate from various IP addresses and are obviously of criminal intent. My customer does not have any remote sets (located on the WAN side), and nothing is configured for remote access. I have seen this same issue at other clients. Is being probed like this something to be concerned about? Can I set port blocking to not respond to these requests? The Quadro firewall is set to high with only https management unblocked, and that is only to a specific IP address. Any suggestions?

    Such attacks can be potentially dangerous. If somebody is constantly trying to guess your passwords, there is some probability that he will succeed some day. And those attacks are adding unnecessary load to Quadro. If the attack is very strong, it can slow down the device.

    If you are not using the Quadro WAN interface to make SIP calls, then the best solution for you would be to disable the "SIP Access" rule in the "Filtering Rules" (I suppose you left it enabled, as you see those attacks). As soon as you disable that, the hacker has no chance to harm your PBX.

    But in reality most people are using the WAN interface for calls, so I'll try to get a bit deeper into this topic.

    Actually there are three cases:

    1. The WAN interface is not used for SIP calls. In this case, as I said, the best solution is to set the Firewall level to High, and disable the "SIP Access" rule altogether.

    2. The WAN interface is used for SIP calls, but only to/from specific SIP destinations. Those specific SIP destinations can be ITSP, other Quadros in another location or remote phones, given that all of them have fixed static IP addresses. In this case you can again set Firewall to High, and edit the "SIP Access" rule to allow the access only to the specific IP group. You can add that group in "IP Pool Configuration" page ("Manage IP Pool Groups" link in "Filtering Rules"), and then edit the "SIP Access" rule to choose that group instead of "Any IP". Don't forget to enable the rule after editing.

    3. This is the most tricky case - if you need to make/receive SIP calls from/to devices having dynamic IP addresses. These could be Quadros at remote locations (if for some reason you cannot give them static IP), or remote phones used by traveling people to connect to remote extensions.
    As I said, it could be tricky to 100% secure the system in such cases, but it is possible to do. You have to use VPN for this setup, and have the remote users connect to Quadro using a VPN router (in case of remote SIP devices), or using a VPN connection on their laptops (in case of traveling people connecting as remote extensions).

    Here you have 3 setups at the Quadro side (all of them assume you are using High or Medium level security on the Quadro firewall, and just open SIP access to the devices which have known static IP addresses):

    Option A (simple, cheap, but not optimal). Use Quadro's own VPN to connect remote clients. This will work, but will strongly limit the number of phones which can connect from remote side, and will load Quadro. Quadro is not a dedicated VPN device, so loading it with big VPN traffic (such as many simultaneous calls) is very undesirable, as it may affect other functionality.

    Option B. Set Quadro behind a powerful VPN router/NAT device. Quadro will have its firewall open for some selected IPs in the internet, and to a selected IP range in the local network of that VPN router/NAT device. Remote machines will connect through VPN, and will get the IP from that allowed range.

    Option C. Set up a VPN router connected in parallel to the Quadro. The WAN of the router will be connected to the same network as Quadro's WAN (or you can have both Quadro and VPN router getting a real IP). The LAN of the VPN router is connected to the same network as the LAN of the Quadro. Remote agents with their laptops can connect to the VPN router, and that way they can propagate to the Quadro's LAN network. Quadro will then see them just as a regular device in its LAN.

    Both of the last options are doable and pretty good, they just need some additional spending from the customer (I assume that is to be expected if the customer has both high security requirements, along with portability needs), and some network knowledge from the integrator.

    Sorry for such a long post (not fully dedicated to your specific question). I thought it could be useful for other people, as the problem of SIP attacks is quite a hot topic now. It is probably worth writing a knowledgebase article on this topic...

    BTW, if for some reason you cannot use any of the methods above, you can still use the "SIP IDS" feature of the Quadro. We cannot guarantee that it will block any kind of attack (blocking all attacks is a pretty difficult separate task, similar to writing antivirus products), but it really helps in many cases. It is present in all 5.2.x versions, and in the coming 5.2.22 version it is further improved to withstand stronger attacks.
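The two controls described in this answer, the case 2 allowlist ("SIP Access" only from a known IP group) and the "SIP IDS" fallback (blocking a source that keeps failing authentication), modelled as an added example. This is illustration code written for this thread, not Quadro/Epygi code: the group name, addresses and event list are constructed, and the failure-counting logic is a simplified stand-in for whatever the real SIP IDS does.

```python
"""Added example (not Quadro/Epygi code): models the two defensive controls
from the answer above.

1. Case 2 allowlist: SIP is accepted only from a configured IP group.
2. SIP IDS-style fallback: a source that fails SIP authentication too often
   inside a short window is blocked.

All addresses and events are constructed for the example.
"""
import ipaddress
from collections import defaultdict, deque

# Hypothetical "IP pool group" used by the SIP Access rule (case 2):
# an ITSP subnet and one remote phone with a fixed address. Constructed.
SIP_ALLOWED_GROUP = [
    ipaddress.ip_network("203.0.113.0/28"),
    ipaddress.ip_network("198.51.100.7/32"),
]


def sip_access_allowed(src_ip, group=SIP_ALLOWED_GROUP):
    """Case 2 rule: SIP from src_ip is accepted only if it is in the group."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in group)


class SipAuthFailureTracker:
    """Simplified IDS: block a source after `threshold` failed SIP
    authentications within a sliding `window` of seconds.
    Illustrates the idea only; not the Quadro SIP IDS algorithm."""

    def __init__(self, threshold=5, window=60.0):
        self.threshold = threshold
        self.window = window
        self._failures = defaultdict(deque)  # src_ip -> failure timestamps
        self.blocked = set()

    def record(self, src_ip, ts, auth_ok):
        """Feed one authentication result. Returns True if the source is
        blocked (either already, or as a result of this failure)."""
        if src_ip in self.blocked:
            return True
        if auth_ok:
            # A successful login from a source clears its failure history.
            self._failures.pop(src_ip, None)
            return False
        q = self._failures[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop failures outside window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(src_ip)
            return True
        return False


# Constructed events: (timestamp in seconds, source IP, auth succeeded?)
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7", True),    # legitimate remote phone registers
    (1.0, "192.0.2.50", False),     # password guessing from outside the group
    (2.0, "192.0.2.50", False),
    (3.0, "192.0.2.50", False),
    (4.0, "192.0.2.50", False),
    (5.0, "192.0.2.50", False),     # fifth failure inside 60 s -> blocked
    (6.0, "192.0.2.50", False),     # already blocked
    (10.0, "203.0.113.5", False),   # ITSP side: one mistyped credential
    (11.0, "203.0.113.5", True),    # then succeeds, history cleared
]


def evaluate(events=SAMPLE_EVENTS, use_allowlist=True):
    """Run the events through the allowlist (if enabled) and then the IDS.
    Returns counters showing which control stopped what."""
    tracker = SipAuthFailureTracker(threshold=5, window=60.0)
    result = {"dropped_by_allowlist": 0, "refused_by_ids": 0,
              "blocked_sources": set()}
    for ts, src, ok in events:
        if use_allowlist and not sip_access_allowed(src):
            result["dropped_by_allowlist"] += 1   # never reaches SIP auth
            continue
        if tracker.record(src, ts, ok):
            result["refused_by_ids"] += 1
    result["blocked_sources"] = set(tracker.blocked)
    return result


if __name__ == "__main__":
    print("case 2 allowlist on :", evaluate(use_allowlist=True))
    print("allowlist off, IDS  :", evaluate(use_allowlist=False))
```

With the allowlist on, the guessing source is dropped before it ever reaches SIP authentication, which is why case 2 also removes the load the original question describes; with the allowlist off, the IDS-style counter still stops the source, but only after it has been allowed several attempts.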

    Thank you David! I implemented Case 1 at one customer's site and Case 2 at another's. I am confident you have suggested the correct solution. Both Quadros are much more responsive now that they are not dealing with continual login attempts.

