Hi folks,

taking into account the increased number of complaints because of SIP attacks, I decided to write up some guidance on how to secure your Quadro, to avoid unnecessary problems. This text is copied from one of my posts in another thread, and corrected/improved a bit. This (or similar) article will be posted in the Knowledgebase too.

Here it is:

Protecting Quadro from SIP Attacks

With IP telephony becoming increasingly popular, it attracts the attention of those who would like to make free calls at other people's expense. SIP devices are often attacked with the intent of finding the username/password of accounts on that device.

Such attacks can be potentially dangerous. If somebody is constantly trying to guess your passwords, there is some probability that he will succeed some day. If the attacker is successful, one fine day the IP PBX owner could find his telephone bill containing a tremendous number of calls to pretty expensive international destinations. Not a pleasant surprise at all.

Apart from that, those attacks add unnecessary load to the PBX, and that load can be really big. In case of a very strong attack (especially a distributed one), the device can slow down or even lock up. This can even make the owner of the IP PBX believe that the hardware has failed, and so cause support issues for the integrator.

Everything mentioned above applies to any SIP device. I will now focus on what can be done specifically in the Quadro to avoid such undesirable incidents.

There are some steps which can be taken at the time of installing the Quadro. As the Quadro is supposed to use its WAN port to connect to the Internet, where the attackers reside, I will focus on protecting the WAN in the first place.

There are actually three possible cases when it comes to WAN usage:

************************************************************************

Case 1: The WAN interface is not used for SIP calls, but only for remote management or other non-call related activity.

Solution: In this case, the best solution is to set the Quadro Firewall level to High and disable the "SIP Access" in the firewall filtering rules.

************************************************************************

Case 2: The WAN interface is used for SIP calls, but only to/from specific SIP destinations. Those specific SIP destinations can be an ITSP server, other Quadros at another location or remote IP phones, given that all of them have fixed static IP addresses.

Solution: In this case, you can again set the Firewall level to High and edit the "SIP Access" rule to allow access only for a specific IP group. You can add that group on the "IP Pool Configuration" page ("Manage IP Pool Groups" link in "Filtering Rules") and add the list of static IP addresses to it. Then edit the "SIP Access" rule to choose that group instead of "Any IP". Don't forget to enable the rule after editing.

************************************************************************

Case 3: This is the most complex case - you need to make/receive SIP calls from/to devices having dynamic IP addresses. These could be other Quadros at remote locations (if for some reason you cannot give them static IP addresses) or remote phones used by traveling people to connect to remote extensions.

Solution: As I said, it can be tricky to secure the system 100% in such cases, but it is possible. You have to use a VPN to secure the Quadro, and have the remote users connect to the Quadro using a VPN router (in the case of remote SIP devices) or a VPN connection on their laptops (in the case of traveling people connecting as remote extensions). If you are using a laptop with Windows, installing the PPTP VPN could be the most convenient option.

Here are three options for the setup at the Quadro side (all of these options assume you are using a High or Medium security level on the Quadro firewall and that you open SIP access only to the devices which have known static IP addresses):

Option A (simple, cheap, but limited). Use the Quadro's own VPN to connect to remote clients (Quadro as a VPN server). This will work, but it will strongly limit the number of IP phones which can connect from the remote side. The Quadro is not a dedicated VPN device, so loading it with heavy VPN traffic (such as many simultaneous calls) is very undesirable, as it may affect other user functionality.

Option B. Place the Quadro behind a powerful VPN router/NAT device. The Quadro will have its firewall open only for selected IP addresses on the Internet and for a selected IP range in the local network of that VPN router/NAT device. Remote devices connect through the VPN and, upon connecting, get an IP from that allowed local range.

Option C. Connect a VPN router in parallel to the Quadro. The WAN of the router is connected to the same network as the Quadro's WAN (or you can have both the Quadro and the VPN router assigned real IP addresses). The LAN of the VPN router is connected to the same network as the LAN of the Quadro. Remote agents with their laptops connect to the VPN router, and that way they reach the Quadro's LAN network. The Quadro will then treat them just like a regular device in its LAN.

The last two options offered above are doable and pretty good solutions; they just require some additional expense from the customer (I assume that is to be expected if the customer has high security requirements along with portability needs) and some networking knowledge from the integrator.

************************************************************************

Those are the general ideas/instructions on how to solve the problem. Detailed instructions and diagrams would be nice of course, but they are out of the scope of this document.

And, last but not least: if for some reason you cannot use any of the methods above, you can still use the "SIP IDS" feature of the Quadro. Epygi does not guarantee that SIP IDS will block every kind of attack (blocking all attacks is a pretty difficult separate task, similar to writing antivirus products), but it really helps in many cases. It can be enabled on the hidden "generalconfig.cgi" page (for older 5.2 versions), or from the "System"->"System Security Management" page in newer versions.
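As an added illustration (not Epygi code, and not how the Quadro's SIP IDS is implemented), here is a small Python detector for the password-guessing pattern described at the top of this post: it counts SIP authentication failures per source IP inside a sliding time window and never flags sources inside a trusted network, the same idea as the static IP pool group of Case 2. The log format, thresholds and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample log (not real Quadro output): "<epoch> <src-ip> <method> <code>".
# 198.51.100.7 hammers REGISTER; 192.0.2.10 is the trusted ITSP; 198.51.100.8 is slow.
SAMPLE_LOG = """
1000 198.51.100.7 REGISTER 401
1001 198.51.100.7 REGISTER 401
1002 198.51.100.7 REGISTER 403
1003 198.51.100.7 REGISTER 401
1000 203.0.113.5 REGISTER 401
1002 203.0.113.5 REGISTER 200
1010 192.0.2.10 INVITE 401
1011 192.0.2.10 INVITE 401
1012 192.0.2.10 INVITE 401
1013 192.0.2.10 INVITE 403
1000 198.51.100.8 REGISTER 401
1200 198.51.100.8 REGISTER 401
1400 198.51.100.8 REGISTER 401
1600 198.51.100.8 REGISTER 401
"""

LINE_RE = re.compile(r"^(\d+) (\S+) ([A-Z]+) (\d{3})$")
AUTH_FAILURES = {"401", "403", "407"}  # challenge/rejection = one bad guess

def parse_line(line):
    # One constructed log line -> (epoch, src_ip, method, code); None if malformed.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, code = m.groups()
    return int(ts), ip, method, code

def detect_bruteforce(log_text, window=60, threshold=4, trusted=()):
    # Sorted source IPs with >= threshold auth failures inside any `window` seconds.
    # Sources in `trusted` networks (the Case 2 IP pool group) are never flagged.
    trusted_nets = [ip_network(n) for n in trusted]
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    for ts, ip, _method, code in sorted(filter(None, map(parse_line, log_text.splitlines()))):
        if code not in AUTH_FAILURES or any(ip_address(ip) in n for n in trusted_nets):
            continue
        q = recent[ip]
        q.append(ts)
        while q[0] < ts - window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)
```

With the trusted ITSP network passed in, only the fast guesser is reported; the slow source spreading its attempts over many minutes escapes a 60 second window, which is why a real IDS also needs a longer-term counter.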

Best regards,
David