Elastix ELX-SF User Manual
Contents
1. Elastix SIP Firewall User Manual
VoIPon www.voipon.co.uk sales@voipon.co.uk Tel: +44 (0)1245 808195 Fax: +44 (0)1245 808299

Copyright
Copyright 2014 Elastix. All rights reserved. No part of this publication may be copied, distributed, transmitted, transcribed, stored in a retrieval system, or translated into any human or computer language without the prior written permission of http://www.elastix.org. This document has been prepared for use by professional and properly trained personnel, and the customer assumes full responsibility when using it.

Proprietary Rights
The information in this document is Confidential to Elastix and is legally privileged. The information and this document are intended solely for the addressee. Use of this document by anyone else for any other purpose is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of this information is prohibited and unlawful.

Disclaimer
Information in this document is subject to change without notice and should not be construed as a commitment on the part of http://www.elastix.org. And does not assume any responsibility or make any warranty against errors. It may appear in this document and disclaims a
2. 2 Initial Setup & Configuration

- Unpack the items from the box.
- Check that you have all the items listed in the package content.
- Connect the WAN port of the SIP Firewall to the untrusted public network.
- Connect the LAN port of the SIP Firewall to the PBX/VoIP Gateway.
- Connect the appliance to the power socket using the USB power cable.
- The device will take about a minute to boot up and will be fully functional with the default configuration.

Some of the PBX/Gateway devices may have an exclusive LAN/Mgmt Interface for device management purposes other than the Data Interface (also referred to as the WAN/Public Interface). In such cases, the LAN port of the SIP Firewall should be connected to the Data Interface (WAN/Public Interface).

2.1 Default Configuration
The device operates as a transparent bridging firewall with Deep Packet Inspection enabled on the SIP traffic. By default, the appliance has been configured with a static IP of 10.0.0.1, net mask 255.255.255.0. The device has been made to be fully functional with the default configuration. However, if the user needs to tune the device settings and the DPI policies, the user can tune the configuration via the device WebUI. The device also provides a command line interface, accessible via SSH, which allows configuring the basic settings and viewing the device status.

WebUI admin a
3. [Figure 34: Logs Archive]

The Administration user interface page provides the option for running a factory reset on the device, restarting the device, device reboot, device shutdown, and configuration backup/restore. Running a factory reset on the device requires a reboot; the administrator will be redirected to a wait notification page on clicking the factory reset button and will be prompted to log in once the device comes up with the default configuration. The SIP Firewall appliances support taking a configuration backup and restoring the configuration later.

APPENDIX

7 Appendix A: Using Console Access
1. Connect the serial console to the serial port of the SIP Firewall device.
2. Use the following serial console settings to access the Elastix CLI:
   i. Speed: 38400
   ii. Parity: None
   iii. Data: 8
   iv. Stop bits: 1
   v. Flow control: No
3. The user should see the Elastix command prompt on the terminal.
4. Type help to view the list of troubleshooting commands available.

8 Appendix B: Configuring SIP Firewall IP Address via Console
The user can choose to view/set the IP
4. [Figure 12: Create Management Access Rule]

[Figure 13: Management access]

The administrator needs to configure the IP address, the IP network, or the range of IP addresses from which management access to the device should be allowed in the management access filter rule. The IP Type ANY indicates global networks (any network/IP address). The search option in the management access filters table helps in selectively viewing the management access filter rules whose name/address values match the search criteria.

3.4 Signature Update
To enable the automatic signature update, select the checkbox to enable update on the device and configure the signature update schedule. A valid subscription key and the correct signature update URL should be configured for the signature update to happen. To update the signatures on the device instantaneously, click the Update Signatures now button.
5. firmware version and allows the administrator to upload the firmware update package onto the device and install it.

To install the firmware:
- Download the SIP Firewall firmware update package from the Elastix website and keep it on your local system.
- From the browser on your local system, log in to the SIP Firewall WebUI and launch the SIP Firewall firmware upgrade page.
- Click Browse in the firmware page and select the SIP Firewall firmware update package file that you saved on your local system.
- After selecting the file, click the Upgrade button.
- The device will verify the uploaded firmware and install it. After the install, the device will reboot and the administrator will be redirected to the login page.

[Figure 33: Upgrade Firmware]

6.7 Logs Archive
If the USB storage device is attached to the SIP Firewall, the device will attempt to archive older logs in the USB storage device. The summary information on the logs stored in the archive will be shown on the Logs Archive page.
6. In case the user wants to abandon the configuration changes made, he can click the Ignore Changes button. On clicking the Ignore Changes button, the configuration changes stored in the temporary buffer location will be discarded. To apply the configuration changes the Ignore Changes button will be displayed and they cannot choose to ignore configuration changes. The Ignore Changes button will be disabled only when there are pending configuration changes that need to be applied yet to the device.

If the administrator tries to configure a configuration element to an inappropriate value, the tooltip icon that appears next to each configuration element will provide the details on the error. On clicking the help icon that appears next to the configuration title, the help section corresponding to the current configuration page will be launched.

3.1 General Settings
The General Settings page allows configuring the host/network settings of the SIP Firewall appliance. The device, which has been made to work in bridging mode, can either work with a static IP assignment or acquire the device IP via DHCP. The page also allows enabling/disabling SSH access to the device. The Allow ICMP option configures whether or not the device responds to the ICMP ping messages sent to the SIP Firewall appliance. By default the SSH Access and ICMP Ping messages are allowed
7. [Figure 8: Dashboard]

On logging into the SIP Firewall WebUI, the dashboard will be shown. The user can visit the dashboard page from any configuration page in the SIP Firewall WebUI by clicking the SIP Firewall product icon that appears in the left corner of the top panel. The status panel that appears below the top panel shows the time settings on the device, the SIP Firewall firmware version, the page refresh icon, and the settings icon. On clicking the page refresh button, the main content area in the current page will be refreshed. On clicking the settings icon, the pop-up menu, which contains the menu options logout and WebUI settings, will be shown.

- System Status Panel shows device up time, memory usage, flash usage, and CPU usage.
- Sig Update Version Panel shows the SIP Firewall signature version and release state.
- Network Status Panel shows IP, LAN MAC, WAN MAC, and gateway of the device.
- Security Alert Summary Panel shows hyperlinks for viewing the Top 10 Signatures hit, Top 10 Categories hit, Top Attacker IP Addresses, and Top 10 target destinations.

3 Device Configuration
Configuration pages of the SIP Firewall WebUI have been made self-intuitive and easy to configure. All the configuration pages have been made to w
8. Max_requestName_len
Max_requestName_len specifies the maximum request name size that is part of the CSeq ID. The default is set to 20. The allowed range for this option is 1-65535.

Max_from_len
The From header field indicates the identity of the initiator of the SIP request. Max_from_len specifies the maximum From field size. The allowed range for this option is 1-65535.

Max_to_len
The To header field specifies the desired recipient of the SIP request. Max_to_len specifies the maximum To field size. The default is set to 256. The allowed range for this option is 1-65535.

Max_via_len
The Via header field indicates the transport used for the SIP transaction and identifies the location where the SIP response is to be sent. Max_via_len specifies the maximum Via field size. The default is set to 1024. The allowed range for this option is 1-65535.

Max_contact_len
The identifier used to contact that specific instance of the SIP client/server for subsequent requests. Max_contact_len specifies the maximum Contact field size. The default is set to 256. The allowed range for this option is 1-65535.

Max_content_len
Max_content_len specifies the maximum content length of the message body. The default is set to 1024. The allowed range for this option is 1-65535.

4.3 Firewall Rules
The firewall rules configuration allows the administrator to configure what traffic should be allowed to protect S
9. IP PBX/Gateway network from an untrusted WAN zone, besides DPI enabled SIP traffic and RIP traffic. The administrator needs to specify the source and destination networks, port numbers, and protocol that will be used as the matching criteria in the filtering rules, and the action to be taken on matching the filtering rule. The possible actions are to block the traffic or to allow the traffic on matching the filtering rule. The rules take precedence in the order in which they are configured in the firewall rules table.

[Figure 18: Create Firewall Rule]

4.4 Firewall Settings
Firewall Settings allows the user to configure TCP Flood Rate, TCP Flood Burst, UDP Flood Rate, and UDP Flood Burst in the global firewall settings.

[Figure 19: Firewall Settings]

4.5 Wh
10. [Figure 14: Signature Update]

When the user buys the SIP Firewall appliance, the device is shipped with the SIP signatures that help in protecting against the SIP based attacks known as of date. However, if the user wants to ensure their SIP deployments get protection against the newest attack vectors, it is recommended to enable the signature update on the device. Please check with an Elastix Sales representative about getting the details of purchasing the SIP Firewall signature subscription key.

3.5 Logging
The administrator can configure the SIP Firewall appliance to send the security alerts generated on detecting SIP based attacks to a remote SYSLOG server. The logging page allows enabling/disabling the remote logging of security alerts and setting the SYSLOG server to which the security alerts are to be forwarded.

[Figure 15: Logging]
11. SIP Firewall along with the PBX/Gateway deployment as given in the following scenarios, based on what is applicable in the user's setup.

Deployment Scenario 1
[Figure 1: Scenario 1]

Some of the PBX/Gateway devices may have an exclusive LAN/Mgmt Interface for device management purposes other than the Data Interface (also referred to as the WAN/Public Interface). In such cases, the LAN port of the SIP Firewall should be connected to the Data Interface (WAN/Public Interface).

Deployment Scenario 2
In the case of an IPPBX deployed in the LAN setup, the following setup is recommended, as it helps protect against threats from the internal network as well as threats from the public cloud that have penetrated the non-SIP-aware corporate firewall.
[Figure 2: Scenario 2]

Deployment Scenario 3
In the case of multiple IPPBX/VoIP Gateways deployed in the LAN setup, the following setup is recommended, as it helps protect against threats from the internal network as well as threats from the public cloud that have penetrated the non-SIP-aware corporate firewall.
[Figure 3: Scenario 3]
12. SIP network by configuring the GeoIP filter rules in the SIP Firewall.

[Figure 25: Geo IP Filters]

5 Status

5.1 Security Alerts
The status alerts page shows the list of alerts pertaining to the SIP attacks detected by the SIP Firewall Deep Packet Inspection engine at any instant. The administrator can choose to set the log viewer page refresh interval in this page. The administrator can choose to configure the device to send an email notification summary about the security alerts generated by the device. The option to download the security alerts shown in this page in CSV format is available on the page.
13. address of the SIP Firewall device

    Elastix> show IP

Now you can access the device from the browser using the URL https://<device ip>

If you are not running the DHCP server in your deployment OR the device fails to acquire the IP address, set the IP address from the console CLI using the command line:

    Elastix> Set IP <IP address> <mask> <gateway>

Verify the address using the show IP command. Then use this IP address to access the WebUI/SSH to configure the device further.

For any technical assistance required, kindly contact the support at support@elastix.com
14. 6.2 Diagnostics
6.5 Troubleshooting
6.6 Firmware Upgrade
7 Appendix A: Using Console Access
8 Appendix B: Configuring SIP Firewall IP Address via Console

1 Introduction

1.1 Overview
This User Manual describes the steps involved in setting up the Elastix SIP Firewall appliance. Elastix SIP Firewall is an appliance based VoIP threat prevention solution dedicated to protecting SIP based PBX/Telecom Gateway/IP Phones/Mobile device deployments. The appliance runs real-time Deep Packet Inspection on the SIP traffic to identify VoIP attack vectors and prevents the threats impacting the SIP based devices. The appliance has been made to seamlessly integrate with the existing network infrastructure and reduces the complexity of deployment.

The appliance feature set includes:
- Analyze SIP packets using the real-time Deep Packet Inspection engine.
- SIP Protocol Anomaly detection with configurability of detection para
15. d sequence file type URL Folder File name e.g. http://www.elastix.org

1.2 Support Information
Every effort has been made to ensure the accuracy of the document. If you have comments, questions, or ideas regarding the document, contact sales@elastix.com

Table of Contents
1.1.1 Notification LEDs On the Front Panel of the SIP Firewall
1.1.2 SIP Firewall Rear View
1.1.3 SIP Firewall Deployment Considerations
2 Initial Setup & Configuration
2.2 Accessing the WebUI
2.4 WebUI Session timeout
3.1 General Settings
4 Configuring the SIP Security Policies
4.2 SIP Protocol Compliance
4.4 Firewall Settings
4.6 Blacklist Rules (Static)
16. dmin
SSH CLI: admin / stmadmin
Management Vlan IP: 192.168.100.1 / 255.255.255.0
Default Device IP: 10.0.0.1 / 255.255.255.0

2.2 Accessing the WebUI
The user can connect to the device via the management Vlan to access the WebUI during initial setup. The management Vlan configured on the device is accessible via the LAN/WAN ports and is assigned the default IP address 192.168.100.1.

Use the procedure given below to access the WebUI:
1. Connect the LAN port of the SIP Firewall to a PC.
2. Assign the IP address 192.168.100.2 to the PC. Set the net mask as 255.255.255.0.

Now you can access the device from the browser using the URL https://<192.168.100.1>

Configure the SIP Firewall device IP address from the Device Settings page as per your local network range. Verify the IP address set on the SIP Firewall from the dashboard page. Once the user assigns the SIP Firewall device IP address successfully, he can access the device using that IP address from then on. Now he can disconnect the PC and connect the LAN port to the PBX/PBX network that needs to be protected.

The WebUI has been made accessible only via HTTPS. The recommended browser for accessing the SIP Firewall WebUI is Mozilla Firefox. The UI allows the administrator to configure the management Vlan IP addresses. In case the user has changed the management Vlan IP ad
17. dress, he needs to assign the corresponding network address to his PC for management access subsequently. On launching the SIP Firewall WebUI, the web application will prompt for the administrator credentials to log in.

Alternatively, the user can access the device via the static IP 10.0.0.1 and configure the network settings during first-time installation. Connect a PC to the LAN port of the SIP Firewall and assign the IP address 10.0.0.100 / 255.255.255.0 to the PC. Now you can access the device from the browser using the URL https://<10.0.0.1>

If the device is not accessible after configuring the new network configuration, try rebooting the device and check the device dashboard by accessing it via the management Vlan.

[Figure 4: Login Page]

The WebUI login session has been made to time out: if the user does not enter the login credentials for 30 seconds, it will redirect to the informational page. The user can click the hyperlink named login appearing on the information page to visit the login page again.

[Figure 5: Timeout message]

If somebody is already logged in to the SIP Firewall WebUI session th
18. e 30 Ping Result

6.4 Trace route
The administrator can troubleshoot network connectivity issues by running a trace route from the SIP Firewall device. The administrator needs to enter the IP address to which the route needs to be traced from the SIP Firewall appliance and the hop count, and click the Trace route button to run the task. The trace route results will be displayed in the text area once the trace route task is complete.

[Figure 31: Trace route]

6.5 Troubleshooting
This page allows disabling/enabling the DPI on the SIP Firewall appliance for troubleshooting purposes.

[Figure 32: Troubleshooting]

6.6 Firmware Upgrade
The SIP Firewall appliance supports manual upgrade of the SIP Firewall firmware running on the appliance. The firmware upgrade page shows the currently running SIP Firewall
19. e subsequent attempts to log in will notify the details of the previous login session, as illustrated below, and will prompt the user to override the previous session and continue OR to discard the login attempt.

[Figure 6: Select Login attempt]

2.4 WebUI Session timeout
After logging into the WebUI, if there is no activity until the WebUI session timeout period (by default, the WebUI session timeout is set to 900 seconds), the login session will be automatically terminated and the browser will be redirected to the login page again.

2.5 WebUI Settings
To change the WebUI settings, click the settings icon that appears in the top right corner below the Apply Changes button. The WebUI settings dialog will be displayed in the browser and allows the administrator to configure the WebUI session timeout and the WebUI login password. To configure the WebUI login password, the user needs to enter the previously set administrator password.
20. ect the SIP traffic with the SIP Security Compliance rules built into the SIP DPI engine. Anomalies in the SIP message headers can result in various erroneous conditions, SIP parser failures, and malformed packets, which leave SIP applications vulnerable to attacks.

The following parameters are used by the SIP deep packet engine for identifying the different protocol anomaly conditions and taking the action configured by the administrator. Configuring inappropriate values for these parameters can have a disruptive impact on the VoIP deployment. Administrators with a more in-depth understanding of the SIP protocol can choose to tune these parameters for their specific deployment needs. Otherwise, it is recommended to use the default settings for these parameters.

[Figure: SIP Protocol Compliance]
21. he factory reset button and will be prompted to log in once the device comes up with the default configuration. The SIP Firewall appliances support taking a configuration backup and restoring the configuration later.

[Figure 27: Administration]

The configuration backup will contain the last persisted configuration. If there are any transient changes that are yet to be applied while taking the backup, those configuration changes will not be included in the configuration backup archive.

6.2 Diagnostics
The diagnostics page allows the administrator to gather the troubleshooting logs, which help the Elastix Support team in debugging any issues faced with the SIP Firewall deployment setup. To run the utility on the device, the administrator needs to click the Run diagnostics button. The device will run the diagnostics task in the backend and display the results once the task is complete. The administrator can download the reports by clicking the Get Report button and send the report to the Elastix Support tea
22. [Figure 7: WebUI Settings]

2.4 Dashboard
[Figure: Dashboard]
23. ion with just powering on the device. No administrator intervention is required to operate the device with the default configuration.
- USB based power supply
- Optional support for security events logging on USB based storage

Technical Specifications
Functional Mode: Transparent Firewall with SIP Deep Packet Engine
Hardware: MIPS based 32bit Processor, Single core, 300MHz
Primary Storage: 16 MB Flash
Storage: USB devices support for logging (Optional)
Two Fast Ethernet Interfaces

1.1.1 Notification LEDs (On the Front Panel of the SIP Firewall)
[Figure 1: Front Panel LED Notifications. Labels: LED 1 System Status, LED 2 Interface Status, LED 3 DPI Status, LED 4 Alert Status, Power LED Indicator, Power ON/OFF Button]

The SIP Firewall package includes:
- 1 SIP Firewall Appliance
- 1 USB Power Adapter
- 1 Serial Console Cable
- 2 Ethernet Cables

1.1.2 SIP Firewall Rear View
[Figure 2: SIP Firewall Rear View. Labels: LAN Port, WAN Port, Reset Button, USB Power Plug, Console Port, USB Storage Plug]

1.1.3 SIP Firewall Deployment Considerations
The SIP Firewall has been made to protect the SIP based PBX/Gateway servers against SIP based network threats and anomalies. Thus it is recommended to deploy the
24. ite list Rules
This page allows configuring the white listed IP addresses in the untrusted WAN zone from which access to communicate with the protected SIP network will be allowed by the SIP Firewall. This page also allows configuring whether the white list rules take precedence over the blacklist rules (both static and dynamic) configured on the device at any instant.

[Figure 20: Create White list Rule]

[Figure 21: White list IP Addresses]

4.6 Blacklist Rules (Static)
This page allows configuring the blacklisted IP addresses in the untrusted WAN zone from which access to communicate with the protected SIP network will be blocked by the SIP Firewall. This page also allows configuring whether the white list rules take precedence over the blacklist rules (both static and dynamic) configured on the device at any instant.
25. m Note: You can send an email to support@elastix.com.

Figure 28: Diagnostics (Run Diagnostics and Get Report buttons)

Figure 29: Download Report (dialog text: "Click above link to download the diagnostics")

6.3 Ping
The administrator can troubleshoot network connectivity issues by running ping from the SIP Firewall device. The administrator needs to enter the IP address to be pinged from the SIP Firewall appliance and the ping count, then click the Ping button to run the task. The ping results are displayed in the text area once the ping task is complete.

Ping page (Host and Count fields, Ping and Reset buttons) showing the output:

    PING 192.168.0.127 (192.168.0.127): 56 data bytes
    64 bytes from 192.168.0.127: icmp_seq=0 ttl=64 time=1.1 ms
    --- 192.168.0.127 ping statistics ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 1.1/1.1/1.1 ms

Figur
26. ments: Kali blocked; SAVE / CANCEL buttons.

Figure 22: Create Blacklist Rule

Figure 23: Blacklist IP Addresses (listed entry: Kalitest, IP_HOST, 192.168.10.79, Kali blocked)

4.7 Dynamic Blacklist Rules
The dynamic blacklist rules are the blocking rules added by the SIP Firewall deep packet inspection engine, on detecting an attack, to block the traffic from attacker IP addresses for the blocking duration configured in the rules category. The Dynamic Blacklist Rules page allows the administrator to see the dynamic blacklist rules currently configured on the device at any instant. If the administrator wants to override a rule and allow the traffic from a particular blacklisted IP, he can delete the rule from the Dynamic Blacklist Rules page.

Figure 24: Dynamic Blacklist IP Addresses (listed entry: 192.168.10.79)

4.8 Geo IP Filter
The administrator can choose to block the traffic originating from specific countries towards the protected
27. meters
• Detection and prevention of the following categories of SIP-based attacks:
  - Reconnaissance attacks (SIP Devices Fingerprinting, User enumeration, Password Cracking Attempt)
  - DoS/DDoS attacks
  - Cross Site Scripting based attacks
  - Buffer overflow attacks
  - SIP Anomaly based attacks
  - 3rd Party vendor vulnerabilities
  - Toll Fraud detection and prevention
  - Protection against VOIP Spam & War Dialing
• Attack response includes the option for quietly dropping malicious SIP packets to help prevent continued attacks.
• Dynamic Blacklist Update service for VOIP, SIP PBX/Gateway threats.
• Configurability of Blacklist/White list/Firewall rules.
• Support for Geo Location based blocking.
• Provides the option to secure against PBX application vulnerabilities.
• Operates as a Layer 2 device, thus transparent to the existing IP infrastructure; no changes are required to add the device to your existing network.
• Web/SSL-based device management access, which allows managing the device anywhere from the Cloud.
• Ability to restrict the device management access to a specific IP/network.
• Provides System Status/Security events logging option to a remote Syslog server.
• Provides SIP throughput up to 10 Mbps.
• Support for signature update subscription and automated signature update mechanism.
• The device has been made to operate with default configurat
28. ny implied warranty of merchantability or fitness for a particular purpose.

1.1 About this manual
This manual describes the Elastix product application and explains how to work with it and use its major features. It serves as a means to describe the user interface and how to use it to accomplish common tasks. This manual also describes the underlying assumptions that users make and the underlying data model.

1.1 Document Conventions
In this manual, certain words are represented in different fonts, typefaces, sizes and weights. This highlighting is systematic; different words are represented in the same style to indicate their inclusion in a specific category. Additionally, this document has different strategies to draw user attention to certain pieces of information. In order of how critical the information is to your system, these items are marked as a note, tip, important, caution or warning:
• Note
• Tip / Best Practice
• Important
• Caution
• Warning

• Bold indicates the name of the menu items, options, dialog boxes, windows and functions.
• The color blue with underline is used to indicate cross-references and hyperlinks.
• Numbered Paragraphs: Numbered paragraphs are used to indicate tasks that need to be carried out. Text in paragraphs without numbering represents ordinary information.
• The Courier font indicates a comman
29. ork with the two phase commit model.

The two-phase commit model is not applicable to time settings and signature update settings. In these settings, the changes are applied directly by clicking Apply in the content area of the configuration editor.

When the administrator changes the settings in the configuration pages and clicks the Save button, the settings are saved in a temporary buffer location on the device. On saving the configuration changes, the Apply Changes button that appears in the top right corner is enabled and the Ignore Changes button appears next to it.

Figure 9: Device Configuration (Updates List showing: Device Access Filter Configuration: 1. Device Access rule edited, 2. Device Access rule edited; Global Firewall Settings: Global Firewall Settings updated; Logging: Logging settings updated)

The number of configuration changes appears immediately to the left of the Apply Changes button. To view the details of the configuration changes, the user can click the number icon, which opens the configuration changes listing.

The user can apply the configuration changes to the device by clicking the Apply Changes button. On clicking the Apply Changes button, the configuration changes are applied to the system and the updated configuration is persisted permanently onto the device.
30. 4 Configuring the SIP Security Policies

4.1 SIP Attacks Detection Policies
The SIP Attack Detection page allows the administrator to configure the SIP deep packet inspection rules categories. The administrator can enable or disable inspection against a particular category of rules and set the action to be taken on detecting attacks matching the rules in that category. The possible actions that the SIP Firewall can execute are: log the alert, block the packets containing the attack vector, and blacklist the attacker IP for the given duration. The blocking duration, that is, how long the attacker IP needs to be blocked, is also configured per category.

Figure 16: SIP Attacks Detection. Settings shown in the screenshot:

Category                                                     Action   Blocking duration
Reconnaissance Attacks                                       Log      none
Sip Devices Scanning                                         Block    120
SIP Extensions Discovery                                     Block    120
Multiple Authentication Failures /
  Bruteforce password cracking Attempt                       Block    1800
Ghost calls Attempt                                          Block    1800
SIP Protocol Compliance                                      Log      none
Sip Anomaly Attacks                                          Block    1800
Sip Dos Attacks                                              Block    1800
Sip DDos Attacks                                             Block    1800
Sip Cross site scripting Attacks                             Block    1800

The table given below lists the SIP deep packet inspection rules categories supported in the SIP Firewall and the configuration parameters in each category.
31. riod of time if it exceeds the authorized number of trials/second.
User Configurable options (Ghost calls Attempt): No. of Anonymous Invite Responses / Duration

Category: SIP Dos Attacks
Description: Flooding attempts using various SIP messages.
User Configurable options: No. of SIP Request Messages / Duration

Category: SIP DDos Attacks
Description: Distributed flooding attempts using various SIP messages.
User Configurable options: No. of SIP Response Messages / Duration

Category: SIP Anomaly attacks
Description: The intruder will send abnormal SIP packets to the PBX. His goal is to crash the PBX, resulting in disrupted communication. The SIP Firewall can block, log or blacklist the IP for a period of time if it exceeds the authorized number of trials/second.
User Configurable options: N/A

Category: SIP Buffer overflow attacks
Description: Buffer overflow attempts resulting from improper validation of user inputs.

Category: SIP Cross site scripting
Description: SIP is vulnerable to cross-site scripting, caused by improper validation of user-supplied input in a SIP request. A remote attacker could exploit this vulnerability to inject malicious script into a Web page, which would be executed in a victim's Web browser when the victim accessed a web page containing information taken from the SIP request.
User Configurable options: N/A

Category: 3rd Party vendor vulnerabilities
Description: Attacks targeted towards PBX/SIP Gateway appliances exploiting their vulnerabilities.
User Configurable options: N/A

4.2 SIP Protocol Compliance
The SIP deep packet inspection engine running on the SIP Firewall appliance has been made to insp
32. Figure 26: Security Alerts (screenshot of the alerts table; the rows shown include Sip Anomaly Attacks alerts for To header and From header format string attempts, over UDP, with the action Blacklist)

Unless the user configures the device to forward the security alerts to a remote SYSLOG server, the security alerts are not persisted permanently on the device. The logging buffer location will be flushed at the predefined interval (not configurable) once the logging threshold criteria are met. However, if the administrator wants to persist the alerts onto USB storage, they can connect the USB storage to the USB data port of the SIP Firewall appliance. The rotated logs will be automatically archived in CSV format onto the USB storage by the SIP Firewall appliance.

6 Tools

6.1 Administration
The Administration user interface page provides the options for running a factory reset on the device, restarting the device, device reboot, device shutdown and configuration backup/restore. Running a factory reset on the device requires a reboot; thus the administrator will be redirected to a wait notification page on clicking t
33. to the SIP Firewall appliance.

Figure 10: General Settings (fields shown: Host Name, IP Configuration, IP Addr/Mask, Dns Server, Enable SSH, SSH Port: 22, Allow ICMP, Mgmt Vlan Addr/Mask; Save and Cancel buttons)

3.2 Time Settings
The administrator can choose to set the time manually on the device or configure the device to sync its time from an NTP server. Appropriate time settings and time zone should be set on the device so that the correct timestamp appears on the SIP security alerts generated by the device.

Figure 11: Date/Time Settings (fields shown: Configuration Type: NTP; Date/Time; Time Zone: Africa/Abidjan; NTP Server list with 3.in.pool.ntp.org and 4.in.pool.ntp.org; Apply and Cancel buttons)

3.3 Management Access
Access to the SIP Firewall device management (SSH CLI / WebUI access) can be restricted with the management access filters. By default, access is allowed to any global address and to the management VLAN network configured on the device. The administrator can override these settings.
34. Columns of the table: Category / Description / User Configurable options

Category: Reconnaissance Attacks
Description: The intruder is trying to detect what SIP version of Asterisk you are running. With that info he will start exploiting the numerous vulnerabilities of that version. The SIP Firewall will not respond to his query.
User Configurable options: N/A

Category: SIP Devices Scanning
Description: The intruder will scan the PBX ports to see what devices are connected to it. With that info he can exploit 3rd party vulnerabilities. The SIP Firewall will not respond to his query.
User Configurable options: N/A

Category: SIP Extensions Discovery
Description: The intruder will ask the PBX to divulge the range of the extension numbers. With that info he can try different passwords to take control of these extensions. The SIP Firewall will not respond to that query.
User Configurable options: Registration Attempts / Duration

Category: Multiple Authentication Failures / Brute force password Attempt
Description: The intruder will try to log in with different user names and passwords multiple times. Once he succeeds, he will have control of that extension. The SIP Firewall can block, log or blacklist the IP for a period of time if it exceeds the authorized number of trials/second.
User Configurable options: Failed Authentication Attempts / Duration

Category: Ghost calls Attempt
Description: The intruder will generate calls to an extension and it will look like the calls come from that same extension. His goal is to crash the PBX, resulting in disrupted communication. The SIP Firewall can block, log or blacklist the IP for a pe
35. Figure 17: SIP Protocol Compliance (fields visible in the screenshot include Max Via length and Max Contact length)

Max_sessions
A SIP session is the application-level connection set up between the SIP server and SIP client for exchanging audio/video messages with each other. The max_sessions parameter defines the maximum number of sessions that the SIP deep packet inspection engine can keep track of. The default value has been set at 4096.

Max Dialogs per session
Max Dialogs per session specifies the maximum number of SIP message transactions that can happen between the SIP server and client.

Methods
This specifies which methods to check for in SIP messages. The following are the SIP messages that the SIP DPI engine can identify: (1) invite, (2) cancel, (3) ack, (4) bye, (5) register, (6) options, (7) refer, (8) subscribe, (9) update, (10) join, (11) info, (12) message, (13) notify, (14) prack.

Max uri len
The URI identifies the user or service to which the SIP request is being addressed. Max uri len specifies the maximum Request URI field size. The default is set to 256. The allowed range for this option is 1 - 65535.

Max call id len
The Call ID header field in a SIP message acts as a unique identifier that relates to the sequence of messages exchanged between the SIP client and server. Max call id len specifies the maximum Call ID field size. The default is set to 256. The allowed range for this option is 1 - 65535.
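The Methods, Max uri len and Max call id len checks described above, as an added example (not the appliance's own code): a Python function that tests one SIP request against the method list and the default limit of 256 for the Request URI and Call ID fields. The function names, the sample message builder and the check that a Call-ID header is present are assumptions of this example.

```python
# Added example: check one SIP request against the compliance limits above.
METHODS = {"invite", "cancel", "ack", "bye", "register", "options", "refer",
           "subscribe", "update", "join", "info", "message", "notify", "prack"}
LIMIT_RANGE = range(1, 65536)  # allowed range 1 - 65535 for both options


def check_request(raw, max_uri_len=256, max_call_id_len=256):
    """Return a list of violations for one SIP request (empty list = compliant)."""
    for name, value in (("max_uri_len", max_uri_len),
                        ("max_call_id_len", max_call_id_len)):
        if value not in LIMIT_RANGE:
            raise ValueError(f"{name} must be within 1 - 65535")
    # latin-1 maps one byte to one character, so len() counts bytes on the wire.
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        return ["malformed request line"]
    method, uri, _version = parts
    violations = []
    if method.lower() not in METHODS:
        violations.append(f"unknown method {method!r}")
    if len(uri) > max_uri_len:
        violations.append(f"Request-URI length {len(uri)} exceeds {max_uri_len}")
    call_ids = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):   # folded continuation of the previous header
            continue
        name, sep, value = line.partition(":")
        # "i" is the compact form of Call-ID (RFC 3261).
        if sep and name.strip().lower() in ("call-id", "i"):
            call_ids.append(value.strip())
    if not call_ids:                  # assumption: a request without Call-ID is flagged
        violations.append("missing Call-ID header")
    for cid in call_ids:
        if len(cid) > max_call_id_len:
            violations.append(f"Call-ID length {len(cid)} exceeds {max_call_id_len}")
    return violations


def build_request(method, uri, call_id):
    """Constructed sample input (documentation addresses, not captured traffic)."""
    return (f"{method} {uri} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKexample\r\n"
            f"Call-ID: {call_id}\r\n"
            f"CSeq: 1 {method}\r\n\r\n").encode("latin-1")


if __name__ == "__main__":
    long_uri = "sip:" + "A" * 300 + "@pbx.example.test"
    print(check_request(build_request("REGISTER", long_uri, "abc123@192.0.2.10")))
```
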