User Manual

Contents

1. [Table of contents, continued] 4.1 SIP Protocol Compliance; 4.2 SIP Attacks Detection Policies; 4.3 Firewall Rules; 4.4 Whitelist Rules; 4.5 Blacklist Rules (Static); 4.6 Dynamic Blacklist Rules; Geo IP Filters; Security Alerts; Device Administration; Administration; 6.5 Troubleshooting; Firmware Upgrade; 7 Appendix A: Using Console Access; 8 Appendix B: Configuring STM IP Address via Console. 1 Introduction. 1.1 Overview. STM is an appliance-based VoIP threat prevention solution dedicated to protect the SIP-based PBX/Telecom G
2. 65535. Max via len: The Via header field indicates the transport used for the SIP transaction and identifies the location where the SIP response is to be sent. [User Manual v2 2 www cem solutions net STM SIP Threat Manager] Max via len specifies the maximum Via field size. Default is set to 1024. The allowed range for this option is 1 to 65535. Max contact len: The Contact header is the identifier used to contact that specific instance of the SIP client/server for subsequent requests. Max contact len specifies the maximum Contact field size. Default is set to 256. The allowed range for this option is 1 to 65535. Max content len: Max content len specifies the maximum content length of the message body. Default is set to 1024. The allowed range for this option is 1 to 65535. 4.2 SIP Attacks Detection Policies. The SIP Attack Detection page allows the administrator to configure the SIP Deep Packet Inspection rule categories. The administrator can enable or disable inspection against a particular category of rules and set the action to be taken on detecting attacks matching the rules in that category. The possible actions that the STM can execute are: log the alert, block the packets containing the attack vector, and blacklist the attacker IP for the given duration. The blocking duration, that is, how long the attacker IP needs to be blocked, is also configured per category. [Screenshot: SIP Attacks Detection page]
3. [Screenshot, continued: Date/Time Settings page with Time Zone (UTC) and NTP server list] 3.3 Management Access. Access to the STM device management interfaces (SSH CLI and WebUI) can be restricted with the management access filters. By default, access is allowed from any global address and from the management VLAN network configured on the device. The administrator can override these settings. [Screenshot: Management Access page listing two rules: DefaultAllAccess (ANY, enabled; default rule that allows access to the device from anywhere) and MgmtVlanAccess (NETWORK 192.168.100.0/24, enabled; access from the management VLAN network)] The administrator needs to configure the IP address, the IP network, or the range of IP addresses from which management access to the device should be allowed in the management access
4. [Screenshot, continued: Administration page] The Administration page provides options for running a factory reset on the device, restarting the device, device reboot, device shutdown, and configuration backup/restore. Running a factory reset requires a reboot, so on clicking the factory reset button the administrator is redirected to a wait notification page and is prompted to log in once the device comes up with the default configuration. The STM appliance supports taking a configuration backup and restoring the configuration later. 6.2 Diagnostics. The Diagnostics page allows the administrator to gather troubleshooting logs, which help our Support team debug any issues faced with the STM deployment setup. To run the utility on the device, the administrator clicks the Run diagnostics button. The device runs the diagnostics task in the background and displays the results once the task is complete. The administrator can download the report by clicking the Get Report button and send it to our Support team. Note: You can submit through support ticket http suppor
5. device to your existing network • Web/SSL-based device management access, which allows managing the device from anywhere in the Cloud • Ability to restrict device management access to a specific IP/network • System status and security events logging option to a remote syslog server • SIP throughput up to 10 Mbps • Support for signature update subscription and an automated signature update mechanism • The device operates with the default configuration just by being powered on; no administrator intervention is required to operate it with the default configuration • USB-based power supply • Optional support for security events logging on USB-based storage. Technical Specifications. Functional Mode: Transparent Firewall with SIP Deep Packet Engine. SIP Intrusion Prevention: 400 SIP Attack Signatures Support. Throughput: 10 Mbps. No. of concurrent calls: supports 50 concurrent calls. Logging: Local Security Event Console, Remote Syslog. Device Management: Web GUI via HTTPS and SSH CLI. Hardware: MIPS-based 32-bit processor, single core, 300 MHz. Primary Storage: 16 MB Flash. Secondary Storage: USB storage devices support for logging (optional). Notification LEDs on the Front Panel of the STM. [Figure: front panel with STATUS LEDs 1 to 4 and Power ON/OFF button] LED 4: Alert Status. LE
6. D 3: DPI Status. LED 2: Interface Status. LED 1: System Status. Power Indicator LED. STM Rear View: LAN Port, Reset Button, WAN Port, USB Power Plug, USB Storage Plug, Console Port. 1.2 STM Deployment Considerations. The STM is built to protect SIP-based PBX/Gateway servers against SIP-based network threats and anomalies. It is therefore recommended to deploy the STM along with the PBX/Gateway deployment as given in the following scenarios, based on what is applicable in the user's setup. Deployment Scenario 1. [Diagram: Public Cloud, STM Appliance, SIP PBX/Gateway] Deployment Scenario 2. When the IP PBX is deployed in a LAN setup, the following setup is recommended, as it helps to protect against threats from the internal network as well as threats from the Public Cloud that have penetrated the non-SIP-aware corporate firewall. [Diagram: Public Cloud, Corporate Firewall, STM Appliance, SIP PBX/Gateway] Deployment Scenario 3. When multiple IP PBX/VoIP gateways are deployed in a LAN setup, the following setup is recommended, as it helps to protect against threats from the internal network as well as threats from the Public Cloud that have penetrated the non-SIP-aware corporate firewall. Diagram labels: ALLO STM, Switch/Hub, Corporate Cloud, Corporate Firewall, C
7. [Screenshot, continued: Dashboard page with system status, STM signature version, security alert summary and network info panels] On logging into the STM WebUI, the dashboard is shown. The user can reach the dashboard from any configuration page in the STM WebUI by clicking the STM product icon that appears in the left corner of the top panel. The status panel below the top panel shows the time settings on the device, the STM firmware version, the page refresh icon and the settings icon. On clicking the page refresh button, the main content area of the current page is refreshed. On clicking the settings icon, a pop-up menu containing the options logout and WebUI settings is shown. The System Status panel shows device up time, memory usage, flash usage and CPU usage. The Sig Update Version panel shows the STM signature version and release state. The Network Status panel shows the IP, LAN MAC, WAN MAC and gateway of the device. The Security Alert Summary panel shows hyperlinks for viewing the Top 10 signatures hit, Top 10 categories hit, Top attacker IP addresses and Top 10 target destination
8. Solutions CEM. STM SIP Threat Manager User Manual. User Manual, STM Appliance (aSTM), Revision 2.2. Table of Contents: 1 Introduction; 1.1 Overview; Notification LEDs on the Front Panel of the STM; STM Rear View; 1.2 STM Deployment Considerations; 2 Initial Setup & Configuration; 2.2 Default Configuration; 2.3 Accessing the WebUI; 2.4 WebUI Session timeout; 2.5 WebUI Settings; Dashboard; 3 Configuring the Device; 3.1 General Settings; 3.2 Time Settings; 3.3 Management Access; 3.4 Signature Update; 3.5 Logging; 4 Configuring the SIP Security Policies
9. [Screenshot, continued: SIP Attacks Detection page listing each rule category with its action (Log or Block) and blocking duration] The table given below lists the SIP Deep Packet Inspection rule categories supported in STM and the configuration parameters in each category. Table columns: Category; Description; User Configurable options. Categories: SIP Reconnaissance Attacks; SIP Devices Scanning; SIP Extensions Discovery; Multiple Authentication Failures / Bruteforce password Attempt; Ghost calls Attempt; SIP Dos Attacks; SIP DDos Attacks; SIP Anomaly attacks. Descriptions: SIP Reconnaissance Attacks: The intruder is trying to detect what version of Asterisk you are running. With that info he will start exploiting the numerous vulnerabilities of that version. The STM will not respond to his query. SIP Devices Scanning: The intruder will scan the PBX ports to see what devices are connected to
10. ateway/IP Phones/Mobile devices deployments. The appliance runs real-time Deep Packet Inspection on the SIP traffic to identify VoIP attack vectors and prevents the threats from impacting the SIP-based devices. The appliance is built to integrate seamlessly with the existing network infrastructure and reduces the complexity of deployment. The appliance feature set includes: • Analyze SIP packets using the real-time Deep Packet Inspection engine • SIP protocol anomaly detection with configurability of detection parameters • Detection and prevention of the following categories of SIP-based attacks: Reconnaissance attacks (SIP devices fingerprinting, user enumeration, password cracking attempt); DoS/DDoS attacks; Cross-site scripting based attacks; Buffer overflow attacks; SIP anomaly based attacks; 3rd-party vendor vulnerabilities; Toll fraud detection and prevention; Protection against VoIP spam and war dialing • Attack response includes the option of quietly dropping malicious SIP packets to help prevent continued attacks • Dynamic Blacklist Update service for VoIP, SIP and PBX/Gateway threats • Configurability of Blacklist/Whitelist/Firewall rules • Support for geo-location based blocking • Provides the option to secure against PBX application vulnerabilities • Operates as a Layer 2 device and is thus transparent to the existing IP infrastructure; no changes required to add
11. d on archive will be shown in the Logs Archive page. 7 Appendix A: Using Console Access. 1. Connect the serial console to the serial port of the STM device. 2. Use the following serial console settings to access the Shield CLI: i. Speed: 38400; ii. Parity: None; iii. Data: 8; iv. Stop bits: 1; v. Flow control: No. 3. The user should see the Shield command prompt on the terminal. 4. Type help to view the list of troubleshooting commands available. 8 Appendix B: Configuring STM IP Address via Console. The user can choose to view/set the IP address of the STM device as given below: shield> show ip. Now you can access the device from the browser using the URL given below: https://<device ip>. Thanks for choosing STM! If any technical assistance is required, kindly raise a support ticket at http://support.allo.com
12. d the STM SIP Deep Packet Inspection engine at any instant. The administrator can set the log viewer page refresh interval on this page. The administrator can configure the device to send email notifications with a summary of the security alerts generated by the device. The security alerts shown on this page can be downloaded in CSV format. [Screenshot: Security Alerts page with Log Viewer Settings (refresh interval, Refresh, Download Logs, E-mail Server Settings) and one sample alert entry] 6 Device Administration. 6.1 Administration. [Screenshot: Administration page]
13. number of trials/second. SIP Buffer overflow attacks: Buffer overflow attempts resulting from improper validation of user inputs. SIP Cross-site scripting attacks: SIP is vulnerable to cross-site scripting caused by improper validation of user-supplied input in a SIP request. A remote attacker could exploit this vulnerability to inject malicious script into a Web page, which would be executed in a victim's Web browser when the victim accessed a web page containing information taken from the SIP request. User-configurable options: N/A. 3rd Party vendor vulnerabilities: Attacks targeted towards PBX/SIP Gateway appliances, exploiting their vulnerabilities. User-configurable options: N/A. 4.3 Firewall Rules. The firewall rules configuration allows the administrator to configure what traffic should be allowed to the protected SIP PBX/Gateway network from the untrusted WAN zone, besides DPI-enabled SIP traffic and RTP traffic. The administrator needs to specify the source and destination networks, the port numbers and the protocol that will be used as the matching criteria in the filtering rule, and the action to be taken on matching the filtering rule. The possible actions are to block the traffic or to allow the traffic on matching the filtering rule. The
14. filter rule. The IP Type ANY indicates the global network (any network/IP address). The search option in the management access filters table helps in selectively viewing the management access filter rules whose name/address values match the search criteria. 3.4 Signature Update. To enable automatic signature updates, select the Enable Update checkbox on the device and configure the signature update schedule. A valid subscription key and the correct signature update URL should be configured for the signature update to happen. To update the signatures on the device immediately, click the Update Signatures now button. [Screenshot: Signature Update page with Enable Update, Apply, Cancel and Update Signatures now controls] 3.5 Logging. The administrator can configure the STM appliance to send the security alerts generated on detecting SIP-based attacks to a remote syslog server. The logging page will all
15. [Screenshot, continued: Blacklist Rules page with the Add New dialog (Name, IP Type, Address, Enable, Comments)] 4.6 Dynamic Blacklist Rules. The dynamic blacklist rules are blocking rules added by the STM SIP Deep Packet Inspection engine, on detecting an attack, to block traffic from attacker IP addresses for the blocking duration configured in the rules category. The Dynamic Blacklist Rules page allows the administrator to see the dynamic blacklist rules currently configured on the device at any instant. If the administrator wants to override a rule and allow traffic from a particular blacklisted IP, he can delete the rule from the Dynamic Blacklist Rules page. [Screenshot: Dynamic Blacklist Rules page]
16. it. With that info he can exploit 3rd-party vulnerabilities. The STM will not respond to his query. SIP Extensions Discovery: The intruder will ask the PBX to divulge the range of the extension numbers. With that info he can try different passwords to take control of these extensions. The STM will not respond to that query. Multiple Authentication Failures / Bruteforce password Attempt: The intruder will try to log in with different user names and passwords multiple times. Once he succeeds, he will have control of that extension. The STM can block, log or blacklist the IP for a period of time if it exceeds the authorized number of trials/second. Ghost calls Attempt: The intruder will generate calls to an extension, and it will look like the calls come from that same extension. His goal is to crash the PBX, resulting in disrupted communication. The STM can block, log or blacklist the IP for a period of time if it exceeds the authorized number of trials/second. SIP Dos Attacks: Flooding attempts using various SIP messages. SIP DDos Attacks: Distributed flooding attempts using various SIP messages. SIP Anomaly attacks: The intruder will send abnormal SIP packets to the PBX. His goal is to crash the PBX, resulting in disrupted communication. The STM can block, log or blacklist the IP for a period of time if it exceeds the authorized. User Configurable options column, by category: SIP Reconnaissance Attacks: N/A; SIP Devices Scanning: N/A; SIP Extensions Discovery: Invalid SIP User Registration Attempts / Duration; Multiple Authentication Failures: Failed Authentication Attempts / Duration; Ghost calls Attempt: No. of Anonymous Invite Responses / Duration; SIP Dos Attacks: No. of SIP Request Messages / Duration; SIP DDos Attacks: No. of SIP Response Messages / Duration; SIP Anomaly attacks: N/A.
17. [Screenshot, continued: SIP Protocol Compliance page. Fields shown: SIP Transport any; SIP Ports 5060, 5061; Media Ports 1024 to 65535; Max Sessions 4096; Max Dialogs per session 10; Max URI length 256; Max Call ID length 80; Max Request name length 20; Max From length 256; Max To length 256; Max Via length 1024; Max Contact length 1024; Max Content length 2048] Max sessions: A SIP session is the application-level connection set up between the SIP server and the SIP client for exchanging audio/video messages with each other. The max sessions parameter defines the maximum number of sessions that the SIP Deep Packet Inspection engine can keep track of. The default value is set to 4096. Max Dialogs per session: Max Dialogs per session specifies the maximum
18. nfigure the basic settings and view device status. Management Access. Login credentials: WebUI: admin / admin; SSH CLI: admin / stmadmin. Management VLAN IP: 192.168.100.1 / 255.255.255.0. 2.3 Accessing the WebUI. The user can connect to the device via the management VLAN to access the WebUI during initial setup. The management VLAN configured on the device is accessible via the LAN/WAN ports and is assigned the default IP address 192.168.100.1. Use the procedure given below to access the WebUI: 1. Connect the LAN port of the STM to a PC. 2. Assign the IP address 192.168.100.2 to the PC. Set the netmask to 255.255.255.0. Now you can access the device from the browser using the URL given below: https://192.168.100.1. Configure the STM device IP address from the Device Settings page as per your local network range. Verify the IP address set on the STM from the dashboard page. Once the user has assigned the STM device IP address successfully, he can access the device using that IP address from then on. Now he can disconnect the PC and connect the LAN port to the PBX/PBX network that needs to be protected. On launching the STM WebUI, the web application prompts for the administrator credentials to log in. [Screenshot: STM WebUI login page]
19. ng. The user can apply the configuration changes to the device by clicking the Apply Changes button. On clicking the Apply Changes button, the configuration changes are applied to the system and the updated configuration is persisted permanently on the device. If the user wants to abandon the configuration changes made, he can click the Ignore Changes button. On clicking the Ignore Changes button, the configuration changes stored in the temporary buffer location are discarded. Note: On applying the configuration changes, the Ignore Changes button will be disabled; he/she cannot choose to ignore configuration changes. The Ignore Changes button will be disabled only when there are pending configuration changes that need to be applied yet to the device. Note: If the administrator tries to set a configuration element to an inappropriate value, the tooltip icon that appears next to each configuration element provides the details of the error. On clicking the help icon that appears next to the configuration title, the help section corresponding to the current configuration page is launched. 3.1 General Settings. The General Settings page allows configuring the host/network settings of the STM appliance. The device, which is built to work in bridging mode, can either work with static IP as
20. number of SIP message transactions that can happen between the SIP server and client. Methods: This specifies which methods to check for in SIP messages. The SIP DPI engine can identify the following SIP messages: (1) invite (2) cancel (3) ack (4) bye (5) register (6) options (7) refer (8) subscribe (9) update (10) join (11) info (12) message (13) notify (14) prack. Max uri len: The URI identifies the user or service to which the SIP request is being addressed. Max uri len specifies the maximum Request URI field size. Default is set to 256. The allowed range for this option is 1 to 65535. Max call id len: The Call-ID header field in a SIP message acts as a unique identifier that relates to the sequence of messages exchanged between SIP client and server. Max call id len specifies the maximum Call-ID field size. Default is set to 256. The allowed range for this option is 1 to 65535. Max requestName len: Max requestName len specifies the maximum request name size that is part of the CSeq ID. Default is set to 20. The allowed range for this option is 1 to 65535. Max from len: The From header field indicates the identity of the initiator of the SIP request. Max from len specifies the maximum From field size. The allowed range for this option is 1 to 65535. Max to len: The To header field specifies the desired recipient of the SIP request. Max to len specifies the maximum To field size. Default is set to 256. The allowed range for this option is 1
21. orporate LAN. 2 Initial Setup & Configuration. Unpack the items from the box. Check that you have all the items listed in the package content. Connect the appliance to the power socket using the USB power cable. Connect the LAN port of the STM to the PBX/VoIP Gateway. Connect the WAN port of the STM to the untrusted/public network. The device will take about a minute to come up and will be fully functional with the default configuration. 2.2 Default Configuration. The device operates as a transparent bridging firewall with Deep Packet Inspection enabled on the SIP traffic. By default, the appliance acquires its IP address via DHCP. The device is fully functional with the default configuration. However, if the user needs to tune the device settings and the DPI policies, this can be done via the device WebUI. The device also provides a command-line interface accessible via SSH, which will allow to co
22. ow enabling or disabling the remote logging of security alerts and setting the syslog server to which the security alerts are to be forwarded. [Screenshot: Logging page with Remote Logging checkbox and Syslog server field] 4 Configuring the SIP Security Policies. 4.1 SIP Protocol Compliance. The SIP Deep Packet Inspection engine running on the STM appliance inspects the SIP traffic against the SIP security compliance rules built into the SIP DPI engine. Anomalies in the SIP message headers can result in various erroneous conditions, SIP parser failures and malformed packets, which leave SIP applications vulnerable to attacks. The following parameters are used by the SIP deep packet engine to identify the different protocol anomaly conditions and take the action configured by the administrator. [Screenshot: SIP Protocol Compliance page]
23. rom which access to communicate with the protected SIP network will be allowed by the STM firewall. This page also allows configuring whether the whitelist rules take precedence over the blacklist rules (both static and dynamic) configured on the device at any instant. [Screenshot: Whitelist Rules page with the "Whitelist Rules Precedes over Blacklist Rules" option; no rules listed] 4.5 Blacklist Rules (Static). This page allows configuring the blacklisted IP addresses in the untrusted WAN zone from which access to communicate with the protected SIP network will be blocked by the STM firewall. This page also allows configuring whether the whitelist rules take precedence over the blacklist rules (both static and dynamic) configured on the device at any instant. [Screenshot: Blacklist Rules page]
24. rules precedence will be in the order in which the rules are configured in the firewall rules table. [Screenshot: Firewall Rules page. Rules shown, all enabled with action Allow: Dhcp Access (ports 67, 68); Dns Access (port 53); ICMP Access; NTP Access (port 123); SSH Access (port 22); Telnet Access (port 23); Web Access (ports 80, 443, 8080, 8088). The Add New dialog has Src Type, Src Address, Dst Type, Dst Address, Protocol, Port and Action fields] 4.4 Whitelist Rules. This page allows configuring the whitelisted IP addresses in the untrusted WAN zone f
25. s. 3 Device Configuration. The configuration pages of the STM WebUI are designed to be intuitive and easy to configure. All the configuration pages work with a two-phase commit model: when the administrator changes the settings in a configuration page and clicks the Save button, the settings are saved in a temporary buffer location on the device. On saving the configuration changes, the Apply Changes button in the top right corner is enabled and the Ignore Changes button appears next. [Screenshot: Host Configuration page with APPLY CHANGES and IGNORE CHANGES buttons and an Updates List popup showing "Hostname updated as mystm" and "Network Settings updated"] The number of configuration changes appears immediately to the left of the Apply Changes button. To view the details of the configuration changes, the user can click the number icon, which opens the configuration changes listi
26. signment or to acquire the device IP via DHCP. The page also allows the administrator to enable or disable SSH access to the device. The Allow ICMP option configures whether or not the device responds to ICMP ping messages sent to the STM appliance. By default, SSH access and ICMP ping messages are allowed to the STM appliance.

[Screenshot: General Settings page with the Host Name, IP Configuration, IP Addr/Mask, Gateway, Dns Server, Enable SSH, SSH Port and Allow ICMP fields]

3.2 Time Settings

The administrator can choose to set the time manually on the device or configure the device to sync its time from an NTP server. Appropriate time and timezone settings should be set on the device so that the correct timestamp appears on the SIP security alerts generated by the device.

[Screenshot: Date/Time Settings page with Configuration Type set to NTP]
27. ssion timeout period (by default, the WebUI session timeout is set to 900 seconds), then the login session will be automatically terminated and the browser will be redirected to the login page again.

2.5 WebUI Settings

[Screenshot: WebUI Settings dialog with the Session Timeout, User Name, Old Admin Password, New Admin Password and Confirm Admin Password fields]

To change the WebUI settings, click the settings icon that appears in the top right corner below the Apply Changes button. The WebUI settings dialog will be displayed in the browser and allows the administrator to configure the WebUI session timeout and the WebUI login password. To configure the WebUI login password, the user needs to enter the previously set administrator password.

2.4 Dashboard

[Screenshot: Dashboard page]
28. The WebUI login session has been made to time out: if the user does not enter the login credentials for 30 seconds, the browser will be redirected to an informational page. The user can click the hyperlink named login on the informational page to visit the login page again.

[Screenshot: informational page reading "Your login attempt has timed out. Please click to login again."]

If somebody is already logged in to an STM WebUI session, subsequent login attempts will show the details of the previous login session, as illustrated below, and will prompt the user either to override the previous session and continue or to discard the login attempt.

[Screenshot: prompt reading "An administrator is already logged in from the host 192.168.0.32. If you continue to log in the STM Configuration Management UI that administrator's session will be dropped. Currently you are trying to login as administrator from 192.168.0.31. Click Continue to preempt that user and continue to log in. Click Not Now to cancel your login attempt."]

2.4 WebUI Session timeout

After logging into the WebUI, if there is no activity until the WebUI se
29. t allo com

[Screenshot: Diagnostics page with the Run Diagnostics and Get Report buttons]

6.3 Ping

The administrator can troubleshoot network connectivity issues by running ping from the STM device. The administrator needs to enter the IP address to be pinged from the STM appliance and the ping count, and click the Ping button to run the task. The ping results will be displayed in the text area once the ping task is complete.

[Screenshot: Ping page]

6.4 Traceroute

The administrator can troubleshoot network connectivity issues by running traceroute from the STM device. The administrator needs to enter the IP address to which the route needs to be traced from
30. tall the firmware:

• Download the STM firmware update package from the CEM website and keep it on your local system.
• From the browser on your local system, log in to the STM WebUI and launch the STM firmware upgrade page.
• Click Browse on the firmware page and select the STM firmware update package file that you saved on your local system.
• After selecting the file, click the Upgrade button.
• The device will verify the uploaded firmware and install it. After the install, the device will reboot and the administrator will be redirected to the login page.

[Screenshot: Upgrade Firmware page showing the current firmware version and the firmware file selection field]

6.7 Logs Archive

If a USB storage device is attached to the STM, the device will attempt to archive older logs to the USB storage device. The summary information on the logs store
31. the STM appliance, the hop count, and click the Traceroute button to run the task. The traceroute results will be displayed in the text area once the traceroute task is complete.

[Screenshot: Traceroute page]

6.5 Troubleshooting

This page allows the administrator to disable or enable DPI on the STM appliance for troubleshooting purposes.

[Screenshot: Troubleshooting page]

6.6 Firmware Upgrade

The STM appliance supports manual upgrade of the STM firmware running on the appliance. The firmware upgrade page shows the currently running STM firmware version and allows the administrator to upload the firmware update package onto the device and install it. To ins
32.

4.7 Geo IP Filter

The administrator can choose to block traffic originating from specific countries towards the protected SIP network by configuring the GeoIP filter rules in STM.

[Screenshot: Geo IP Filters page with the Allow All Countries, Block All Countries and Update Geo IP buttons and a searchable list of countries with an Allowed option]

5 Status

5.1 Security Alerts

The status alerts page shows the list of alerts pertaining to the SIP attacks detecte
