Elastix SIP Firewall User Manual

Copyright © 2014 Elastix®. All rights reserved. No part of this publication may be copied, distributed, transmitted, transcribed, stored in a retrieval system, or translated into any human or computer language without the prior written permission of http://www.elastix.org. This document has been prepared for use by professional and properly trained personnel, and the customer assumes full responsibility when using it.
Proprietary Rights
The information in this document is Confidential to Elastix® and is legally privileged. The information and this document are intended solely for the addressee. Use of this document by anyone else for any other purpose is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of this information is prohibited and unlawful.
Disclaimer
Information in this document is subject to change without notice and should not be construed as a commitment on the part of http://www.elastix.org, which does not assume any responsibility for, or make any warranty against, errors that may appear in this document, and disclaims any implied warranty of merchantability or fitness for a particular purpose.
1.1. About this manual
This manual describes the Elastix® product application and explains how to work with and use its major features. It serves as a means to describe the user interface and how to use it to accomplish common tasks. This manual also describes the underlying assumptions and the underlying data model that users work with.
1.1. Document Conventions
In this manual, certain words are represented in different fonts, typefaces, sizes, and weights. This highlighting is systematic; different words are represented in the same style to indicate their inclusion in a specific category. Additionally, this document has different strategies to draw User attention to certain pieces of information. In order of how critical the information is to your system, these items are marked as a note, tip, important, caution, or warning.
Icon / Purpose (icons are shown in the original figure):
Note
Tip/Best Practice
Important
Caution
Warning
Bold indicates the name of menu items, options, dialog boxes, windows and functions.
The color blue with underline is used to indicate cross-references and hyperlinks.
Numbered Paragraphs - Numbered paragraphs are used to indicate tasks that need to be carried out. Text in paragraphs without numbering represents ordinary information.
The Courier font indicates a command sequence, file type, URL, folder/file name, e.g. http://www.elastix.org
1.2. Support Information
Every effort has been made to ensure the accuracy of the document. If you have comments, questions, or ideas regarding the document contact:
sales@elastix.com
Table of Contents
About this manual .................................................................................................. 2
Document Conventions ........................................................................................... 2
Support Information ............................................................................................... 3
1. Introduction ........................................................................................................... 6
1.1. Overview: ......................................................................................................... 6
1.1.1. Notification LEDs (On the Front Panel of the SIP Firewall) ........................ 8
1.1.2. SIP Firewall Rear View: .............................................................................. 9
1.1.3. SIP Firewall Deployment Considerations ................................................... 9
2. Initial Setup & Configuration .............................................................................. 11
2.1.Default Configuration ...................................................................................... 11
2.2. Accessing the WebUI ..................................................................................... 11
2.4 WebUI Session timeout .................................................................................. 14
2.5 WebUI Settings ............................................................................................... 14
2.4 Dashboard ...................................................................................................... 15
3. Device Configuration .......................................................................................... 16
3.1. General Settings ............................................................................................ 17
3.2. Time Settings ................................................................................................. 18
3.3. Management Access ..................................................................................... 18
3.4. Signature Update ........................................................................................... 20
3.5. Logging .......................................................................................................... 20
4. Configuring the SIP Security Policies ............................................................... 22
4.1. SIP Attacks Detection Policies ....................................................................... 22
4.2. SIP Protocol Compliance ............................................................................... 24
4.3. Firewall Rules ................................................................................................ 26
4.4. Firewall Settings ............................................................................................. 27
4.5. White list Rules .............................................................................................. 28
4.6. Blacklist Rules (Static) ................................................................................... 29
4.7. Dynamic Blacklist Rules ................................................................................. 30
4.8. Geo IP Filter ................................................................................................... 30
5. Status ................................................................................................................... 32
5.1. Security Alerts ................................................................................................ 32
6. Tools ..................................................................................................................... 33
6.1. Administration ................................................................................................ 33
6.2. Diagnostics .................................................................................................... 34
6.3. Ping ................................................................................................................ 35
6.4. Trace route ..................................................................................................... 35
6.5. Troubleshooting ............................................................................................. 36
6.6. Firmware Upgrade ......................................................................................... 37
6.7. Logs Archive .................................................................................................. 38
7. Appendix A – Using Console Access ............................................................... 39
8. Appendix B – Configuring SIP Firewall IP Address via Console .................... 40
1. Introduction
1.1. Overview
This user manual describes the steps involved in setting up the Elastix® SIP Firewall appliance. The Elastix® SIP Firewall is an appliance-based VoIP threat prevention solution dedicated to protecting SIP-based PBX, telecom gateway, IP phone and mobile device deployments. The appliance runs real-time Deep Packet Inspection on SIP traffic to identify VoIP attack vectors and prevent those threats from impacting SIP-based devices. It has been designed to integrate seamlessly with the existing network infrastructure and to reduce deployment complexity. The appliance feature set includes:
- Analyzes SIP packets using the real-time Deep Packet Inspection engine.
- SIP protocol anomaly detection with configurable detection parameters.
- Detection and prevention of the following categories of SIP-based attacks:
  - Reconnaissance attacks (SIP device fingerprinting, user enumeration, password cracking attempts)
  - DoS/DDoS attacks
  - Cross-site scripting based attacks
  - Buffer overflow attacks
  - SIP anomaly based attacks
  - 3rd-party vendor vulnerabilities
  - Toll fraud detection and prevention
  - Protection against VoIP spam and war dialing
- Attack response includes the option of quietly dropping malicious SIP packets to help prevent continued attacks.
- Dynamic blacklist update service for VoIP and SIP PBX/gateway threats.
- Configurable blacklist, whitelist and firewall rules.
- Support for geolocation-based blocking.
- Option to secure against PBX application vulnerabilities.
- Operates as a Layer 2 device and is therefore transparent to the existing IP infrastructure; no changes are required to add the device to your existing network.
- Web/SSL based device management access, which allows managing the device from anywhere in the cloud.
- Ability to restrict device management access to a specific IP address or network.
- Option to log system status and security events to a remote syslog server.
- Provides SIP throughput of up to ~10 Mbps.
- Support for signature update subscription and an automated signature update mechanism.
- The device operates with its default configuration as soon as it is powered on; no administrator intervention is required to operate the device with the default configuration.
- USB-based power supply.
- Optional support for logging security events to USB-based storage.
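To make the "protocol anomaly detection" and "reconnaissance attack detection" items above concrete, here is a small Python illustration of the kind of checks such an engine performs. It is an added example written for this manual's readers, not the appliance's own DPI engine or any Elastix code: it validates a SIP request against the headers RFC 3261 requires (Via, From, To, Call-ID, CSeq, Max-Forwards), flags oversized header values and CSeq/method mismatches, and keeps a per-source sliding window over REGISTER requests to surface password-guessing floods and user enumeration. The thresholds, the host names and the 203.0.113.x / 198.51.100.x addresses are constructed for the example; the real detection parameters are set in the appliance's policy pages.

```python
import re
from collections import defaultdict, deque

# Headers RFC 3261 requires in every SIP request (lower-cased; compact forms
# such as "v:" are not expanded in this simplified example).
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS", "INFO",
                 "SUBSCRIBE", "NOTIFY", "REFER", "UPDATE", "PRACK", "MESSAGE", "PUBLISH"}
MAX_HEADER_LEN = 1024            # constructed threshold for the oversized-header check
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
CSEQ = re.compile(r"^(\d+) ([A-Z]+)$")


def parse_request(raw):
    """Split a SIP request into (method, request-URI, {header: [values]}).
    Returns None when the request line or a header line is not well formed."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return m.group(1), m.group(2), headers


def check_request(raw):
    """Return a list of protocol-compliance findings for one request ([] = clean)."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["malformed request line or header"]
    method, _uri, headers = parsed
    findings = []
    if method not in KNOWN_METHODS:
        findings.append(f"unknown method {method}")
    for h in REQUIRED_HEADERS:
        if h not in headers:
            findings.append(f"missing header {h}")
    for name, values in headers.items():
        for v in values:                      # oversized values: buffer-overflow style input
            if len(v) > MAX_HEADER_LEN:
                findings.append(f"oversized header {name} ({len(v)} bytes)")
    for v in headers.get("cseq", []):         # CSeq method must echo the request method
        m = CSEQ.match(v)
        if not m or m.group(2) != method:
            findings.append("cseq does not match request method")
    for v in headers.get("max-forwards", []):
        if not v.isdigit():
            findings.append("non-numeric max-forwards")
    return findings


class RegisterMonitor:
    """Per-source sliding window over REGISTER requests: many attempts in a short
    window suggest password guessing, many distinct target users suggest enumeration.
    Window and limits are constructed values for the example."""

    def __init__(self, window=60.0, max_attempts=20, max_users=5):
        self.window, self.max_attempts, self.max_users = window, max_attempts, max_users
        self.attempts = defaultdict(deque)    # source -> timestamps inside the window
        self.users = defaultdict(set)         # source -> user parts of To: URIs seen

    def observe(self, src, raw, now):
        """Record one request from src at time `now`; return an alert string or None."""
        parsed = parse_request(raw)
        if parsed is None or parsed[0] != "REGISTER":
            return None
        q = self.attempts[src]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        m = re.search(r"sip:([^@>;]+)@", parsed[2].get("to", [""])[0])
        if m:
            self.users[src].add(m.group(1))
        if len(q) > self.max_attempts:
            return f"{src}: REGISTER flood ({len(q)} in {self.window:.0f}s)"
        if len(self.users[src]) > self.max_users:
            return f"{src}: REGISTER against {len(self.users[src])} distinct users"
        return None


def build_register(user, seq=1):
    """Constructed, well-formed REGISTER request used as sample input."""
    return ("REGISTER sip:pbx.example.test SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 203.0.113.9:5060;branch=z9hG4bK1\r\n"
            "Max-Forwards: 70\r\n"
            f"From: <sip:{user}@pbx.example.test>;tag=a1\r\n"
            f"To: <sip:{user}@pbx.example.test>\r\n"
            "Call-ID: c1@203.0.113.9\r\n"
            f"CSeq: {seq} REGISTER\r\n"
            "Content-Length: 0\r\n\r\n")


# Constructed anomalous INVITE: no Max-Forwards, CSeq names another method, huge Contact.
BAD_INVITE = ("INVITE sip:1001@pbx.example.test SIP/2.0\r\n"
              "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK2\r\n"
              "From: <sip:x@198.51.100.7>;tag=b2\r\nTo: <sip:1001@pbx.example.test>\r\n"
              "Call-ID: c2@198.51.100.7\r\nCSeq: 1 OPTIONS\r\n"
              "Contact: " + "A" * 2000 + "\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(check_request(build_register("1001")))
    print(check_request(BAD_INVITE))
    mon = RegisterMonitor()
    print([mon.observe("198.51.100.7", build_register(f"user{i}"), 0.0) for i in range(6)][-1])
```

Running the block prints an empty finding list for the clean REGISTER, three findings for the constructed INVITE, and an enumeration alert once a single source has targeted six distinct users. A production engine would additionally expand compact header forms, validate URIs and Via parameters, and tie the counters to the policy values configured under the appliance's SIP attack detection pages.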
Technical Specifications
Functional Mode: Transparent firewall with SIP Deep Packet Engine
SIP Intrusion/Prevention: ~400+ SIP attack signatures supported
Throughput: ~10 Mbps
Number of concurrent calls supported: Up to 50 concurrent calls
Logging: Local security event console, remote syslog
Device Management: Web GUI via HTTPS and SSH CLI
Hardware: MIPS-based 32-bit single-core processor, 300 MHz
Primary Storage: 16 MB flash
RAM: 64 MB
Secondary Storage: USB storage device support for logging (optional)
Interfaces: Two Fast Ethernet interfaces
1.1.1. Notification LEDs (On the Front Panel of the SIP Firewall)
The front panel carries the following indicators and controls (Figure 1: Front Panel LED Notifications):
- Power ON/OFF Button
- Power LED
- LED 1 - System Status Indicator
- LED 2 - Interface Status
- LED 3 - DPI Status
- LED 4 - Alert Status
The SIP Firewall package includes:
- 1 SIP Firewall Appliance
- 1 USB Power Adapter
- 1 Serial Console Cable
- 2 Ethernet Cables
1.1.2. SIP Firewall Rear View
The rear panel carries the following ports and controls (Figure 2: SIP Firewall Rear View):
- LAN Port
- WAN Port
- Console Port
- USB Power Plug
- USB Storage Plug
- Reset Button
1.1.3. SIP Firewall Deployment Considerations
The SIP Firewall has been designed to protect SIP-based PBX/gateway servers against SIP-based network threats and anomalies. It is therefore recommended to deploy the SIP Firewall alongside the PBX/gateway as shown in the following scenarios, according to whichever applies to the user's setup.
Deployment Scenario 1
Figure 1: Scenario 1
Some PBX/gateway devices may have a dedicated LAN/management interface for device management, separate from the data interface (also referred to as the WAN/public interface). In such cases the LAN port of the SIP Firewall should be connected to the data interface (WAN/public interface).
Deployment Scenario 2
Where the IP PBX is deployed in the LAN, the following setup is recommended, as it helps protect against threats from both the internal network and threats from the public cloud that have penetrated the non-SIP-aware corporate firewall.
Figure 2: Scenario 2
Deployment Scenario 3
Where multiple IP PBXs/VoIP gateways are deployed in the LAN, the following setup is recommended for the same reason: it helps protect against threats from both the internal network and threats from the public cloud that have penetrated the non-SIP-aware corporate firewall.
Figure 3: Scenario 3
2. Initial Setup & Configuration
1. Unpack the items from the box
2. Check that you have all the items listed in the package content.
3. Connect the WAN port of the SIP Firewall to the untrusted/public network.
4. Connect the LAN port of the SIP Firewall to the PBX/VOIP Gateway.
5. Connect the appliance to the power socket using the USB power cable.
6. The device will take about a minute to boot up & will be fully functional with the default configuration.
Some PBX/gateway devices may have a dedicated LAN/management interface for device management, separate from the data interface (also referred to as the WAN/public interface). In such cases the LAN port of the SIP Firewall should be connected to the data interface (WAN/public interface).
2.1. Default Configuration
The device operates as a transparent bridging firewall with Deep Packet Inspection enabled on the SIP traffic. By default, the appliance is configured with the static IP address 10.0.0.1 (netmask 255.255.255.0).
The device is fully functional with the default configuration. However, if the user needs to tune the device settings and the DPI policies, the configuration can be tuned via the device WebUI.
The device also provides a command line interface, accessible via SSH, which allows configuring the basic settings and viewing the device status.
Management Access: Login Credentials / Default Values
WebUI: admin/admin
SSH CLI: admin/stmadmin
Management VLAN IP: 192.168.100.1/255.255.255.0
Default Device IP: 10.0.0.1/255.255.255.0
2.2. Accessing the WebUI
The user can connect to the device via the management VLAN to access the WebUI during initial setup. The management VLAN configured on the device is accessible via the LAN/WAN ports and is assigned the default IP address '192.168.100.1'.