ISDN 3241 GW Toll Fraud blocking with CPL script

Chuck Reid

Hello,

Has anyone dealt with these GWs before with a VCS Control server?

Help doc refers to using a CPL script on the VCS to guard against people hair-pinning the 3241 and using a local call to dial INTL etc, toll fraud.

I am wondering how someone might use the 3241 to call in and then call out LD or INTL, how might that be possible on the VCS control?

Perhaps if they knew the prefix for the ISDN GW, especially if the prefix was a 9?

The VCS admin guide has info on the CPL script but it’s a bit over my head as to what we would need to do to block hair-pinning via a CPL script.

Thanks in advance for any help,

Chuck

Accepted Solutions

Garvan Long

Hairpinning is where the initial call is terminated on the gateway such as the IVR and the caller enters the gateway prefix and the number they wish to dial. Placing a # at the end of the prefix will prevent this (it terminates the dial plan) or disabling the IVR on the gateway if you have enabled DID and IVR is not required or you land all calls on your MCU to participate in conferences.

I believe the CPL document is more around stopping unauthorised IP callers accessing the gateways. If you have a VCS Expressway there is a more straightforward solution to prevent unwanted external callers accessing the internal ISDN gateways using search rules and source zone of calls. This method allows locally registered Expressway users to place calls via the gateway but not unregistered external devices.

This setup is detailed in the VCS Control and Expressway configuration guides, Step 16:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Cisco_VCS_Control_with_Cisco_VCS_Expressway_Deployment_Guide_X7-1.pdf

7 Replies

danny fabre

Hey Charles,

The idea is simple really: if you have deployed a VCSe/VCSc solution with an ISDN gateway, someone could place a call through the VCSe to the VCSc and then use your gateway. The CPL will simply block people from using the gateway if they are not registered on the domain.

If you have a situation you need help with, the TAC will gladly help you as they are well versed in these issues.

Sent from Cisco Technical Support iPad App

I think the guide was also talking about hair pinning a call in and back out of the ISDN GW as well.

So, there are two possible methods of toll fraud?

1) Hair pinning the 3241

2) Calling in to the VCS E and routing the call to the 3241 via the VCS C

Would the same CPL script work for both conditions then?

Would this example script work?

CPL example: call screening based on domain

In this example, user fred will not accept calls from anyone at annoying.com, or from any unauthenticated users. All other users will allow any calls.

Thanks,

Chuck

That's correct; note that the ISDN gw is not routing any calls so if someone came in using the gw he would be routed using the VCSc thus that cpl would also address his "intrusion".

Sent from Cisco Technical Support iPad App

There is one instance where calls might be routed out the ISDN GW, IP to ISDN calls, I expect this CPL might prevent me from routing calls from IP to ISDN? Client will need ability to route calls from IP to ISDN.

Chuck Reid


In a normal setup the ISDN gw does not have any gatekeeper functionalities; that is what I mean when I say routed. It will only be a gateway through which traffic will be processed, nothing more.

Intrusion using the ISDN gw

- So a call comes in on the ISDN gw, for example; when prompted for an extension to dial, they use the audio prefix set up on the gw (6, for example) and call to Haiti: 6 011 509 37 11 34 44
- That call is sent to the VCS and processed through the search rules.
- The VCS sees the prefix and sends the call to be processed in the ISDN gw.
- The gw strips the 6 and processes the audio call.

Intrusion using the VCSe

- Someone calls 601150937113444@domain.com
- The call gets passed to the VCSe because of the service records.
- The VCSe passes the call to the VCSc because it cannot be found in the VCSe.
- The search rules in the VCSc pass the call to the ISDN gw after they have stripped the domain.
- The external user has just made a call to the ISDN gw.

In both of these cases the VCSc would be the routing mechanism that can prevent this from taking place.

Sent from Cisco Technical Support iPad App
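The two paths walked through above, as an added example that is not part of the thread or of Cisco's documentation: a small Python model of a first-match, source-zone policy for gateway-prefixed aliases. The zone names, the policy table and the sample calls are assumptions made for illustration; this is not VCS search-rule or CPL syntax.

```python
import re
from dataclasses import dataclass

GW_PREFIX = "6"  # gateway audio prefix used in the walkthrough above

@dataclass(frozen=True)
class Call:
    source_zone: str  # zone the VCS Control received the call from (names assumed)
    registered: bool  # caller is registered to the local VCS
    alias: str        # destination alias as dialled

# Ordered policy for gateway-bound aliases, first match wins.
# Columns: source-zone regex, registered (None = don't care), action, reason.
POLICY = [
    (r"ISDNGateway", None, "reject", "hairpin: ISDN caller dialling back out"),
    (r"TraversalZone", None, "reject", "external caller arriving via the VCSe"),
    (r".*", False, "reject", "unregistered caller"),
    (r".*", True, "allow", "locally registered endpoint"),
]

def gateway_number(alias):
    """Return the PSTN digits if the alias targets the gateway prefix, else None."""
    user = alias.split("@", 1)[0]        # search rules strip the domain first
    digits = re.sub(r"[\s-]", "", user)  # tolerate spaced or dashed dial strings
    match = re.fullmatch(re.escape(GW_PREFIX) + r"(\d+)", digits)
    return match.group(1) if match else None

def decide(call):
    """Return (action, reason) for one call; fail closed if no rule matches."""
    if gateway_number(call.alias) is None:
        return ("not-gateway", "alias does not target the gateway prefix")
    for zone_re, registered, action, reason in POLICY:
        if re.fullmatch(zone_re, call.source_zone) and registered in (None, call.registered):
            return (action, reason)
    return ("reject", "no rule matched")

# Constructed calls: the thread's two paths, a legitimate IP-to-ISDN call
# (made-up number), and an ordinary alias. The gateway is modelled as a
# registered device (assumption), so a registered-only check would pass path 1.
CALLS = {
    "hairpin": Call("ISDNGateway", True, "6 011 509 37 11 34 44"),
    "via_vcse": Call("TraversalZone", False, "601150937113444@domain.com"),
    "local_out": Call("LocalZone", True, "615135550100@video.acme.com"),
    "internal": Call("LocalZone", True, "fred@video.acme.com"),
}

if __name__ == "__main__":
    for name, call in CALLS.items():
        print(f"{name:10} {decide(call)}")
```

In this model the locally registered endpoint keeps its IP-to-ISDN dial-out while both walkthrough paths are rejected before the gateway sees them.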

Ok, so this should work if I modify the domain name to match the client's domain.

Any idea what this script would look like if the client's domain was video.acme.com?

I assume the domain would be the SIP domain? Or the IP domain?
